diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 89eeea7716..16a10bcb81 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -6,11 +6,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md",
 "redirect_url": "/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure",
 "redirect_document_id": true
@@ -631,8 +626,8 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md",
+"redirect_url": "windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3",
 "redirect_document_id": true
 },
 {
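Review bot: The new `redirect_url` in the second hunk is the only one visible in this file without a leading slash — `"redirect_url": "windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3",` — so it is a relative path rather than the root-relative form every neighbouring entry uses, and will resolve relative to wherever the redirect is evaluated; it should read `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3",`. The same hunk also replaces, rather than retargets, the entry for `windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md`, and nothing visible in this diff re-adds that source path, so links to the old Device Guard requirements page would stop redirecting — presumably unintended, since its former target is itself redirected later in this diff. Keeping that entry and pointing it at the page's final location would preserve the old link. The enclosing JSON array opens and closes outside the hunk.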
@@ -726,96 +721,196 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard",
 "redirect_document_id": true
 },
 {
+"source_path": 
"windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/controlled-folders",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md",
 "redirect_url": 
"/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders-exploit-guard",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection",
+"redirect_document_id": true 
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md",
+"redirect_url": 
"/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-windows-defender",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/event-views",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard",
 "redirect_document_id": true
 },
 {
+"source_path": 
"windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-exploit-guard",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/graphics.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/graphics",
 "redirect_document_id": true
@@ -826,11 +921,21 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/network-protection",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/prerelease.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/prerelease",
 "redirect_document_id": true
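Review bot: Every added `windows/security/threat-protection/windows-defender-exploit-guard/*.md` entry in this hunk sits directly under an older context entry whose `redirect_url` is exactly that path, so each legacy `windows/threat-protection/windows-defender-exploit-guard/*` link now takes two hops (old path → windows/security/... → microsoft-defender-atp/...), and the added `collect-cab-files-exploit-guard-submission.md` entry makes it three by targeting `/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np`, which the very next entry redirects again. Unless the publishing pipeline is known to flatten chains, the older context entries and the collect-cab one should point at the final `microsoft-defender-atp` URLs, e.g. `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np",` for collect-cab. Two new targets also keep the `-exploit-guard` suffix (`enable-controlled-folders-exploit-guard`, `exploit-protection-exploit-guard`) while their siblings drop it (`controlled-folders`, `customize-controlled-folders`, `emet-exploit-protection`); if those files were renamed like their siblings the two targets do not exist, so they are worth checking against the real file list before merge. The enclosing JSON array opens and closes outside the hunk.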
@@ -841,13 +946,18 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations",
 "redirect_document_id": true
 },
 {
-"source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np",
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations",
 "redirect_document_id": true
 },
 {
@@ -856,6 +966,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md",
 "redirect_url": "/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection",
 "redirect_document_id": true
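Review bot: The first hunk replaces the `windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md` entry with a `troubleshoot-exploit-protection-mitigations` entry instead of retargeting it, and nothing else in this diff re-adds that source path (the `troubleshoot-np.md` entry added earlier uses the newer `windows/security/...` path), so the oldest troubleshoot-np URL stops redirecting. Keep the entry and point it at the final page: `"source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md",` / `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np",`. The context entry just above it for `troubleshoot-exploit-protection-mitigations` now targets a path this same hunk redirects onward, so it could go straight to `/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations` as well.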
@@ -1006,11 +1121,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md",
-"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/security/threat-protection/windows-defender-atp/configuration-score.md",
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
 "redirect_document_id": true
@@ -1611,12 +1721,22 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/use-apis",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/use-apis.md",
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/preferences-setup",
 "redirect_document_id": true
 },
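Review bot: The first hunk deletes the `windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md` entry without a replacement anywhere visible in this diff (the later `incidents-queue.md` additions use different source paths), so an existing link to the old view-incidents-queue page would stop redirecting. If the intent was to drop a stale entry that is fine, but if the file still needs a redirect the removed block should be kept as it was, `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue",`, since that target is also where the new incidents-queue chain ends.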
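Review bot: The second hunk's two new `redirect_url` values look crossed: the existing `windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md` entry is changed to redirect to `/microsoft-defender-atp/use-apis`, while the new `microsoft-defender-atp/use-apis.md` entry redirects to `/microsoft-defender-atp/preferences-setup` — the preferences page is sent to the API page and the API page to preferences, each with `redirect_document_id: true`. Combined with the `windows-defender-atp/use-apis.md → /microsoft-defender-atp/use-apis` entry re-added later in this diff, every old use-apis link now ends on preferences-setup. If the intent was only to add the keep-secure entry (moved here from further down) plus a use-apis redirect, restore `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/preferences-setup",` on the preferences entry and give `use-apis.md` its own deliberate target; if use-apis really was folded into preferences-setup, the re-added `windows-defender-atp/use-apis.md` entry should point there directly rather than chaining through a path that no longer exists.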
@@ -1696,6 +1816,16 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/response-actions.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection",
 "redirect_document_id": true
@@ -1811,11 +1941,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md",
-"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/security/threat-protection/windows-defender-atp/troubleshoot-overview.md",
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview",
 "redirect_document_id": true
@@ -3076,11 +3201,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md",
-"redirect_url": "/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md",
 "redirect_url": "/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard",
 "redirect_document_id": true
@@ -3121,6 +3241,16 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md",
+"redirect_url": "/windows/security/threat-protection/device-guard/memory-integrity",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy",
 "redirect_document_id": true
@@ -4411,6 +4541,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md",
+"redirect_url": "/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/device-security/get-support-for-security-baselines.md",
 "redirect_url": "/windows/security/threat-protection/get-support-for-security-baselines",
 "redirect_document_id": true
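Review bot: The first hunk's `requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md` entry sends the HVCI planning page to `microsoft-defender-atp/`, while the two sibling HVCI pages added in this same diff (`memory-integrity.md` in this hunk and `enable-virtualization-based-protection-of-code-integrity.md` in the next) go to `device-guard/`. That makes it the one inconsistent target of the three; if the page moved with its siblings the line should read `"redirect_url": "/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",`. It is worth confirming which directory actually holds the file before merging, because a redirect to a page that does not exist just turns one 404 into another. Two older source paths for this same page are dropped elsewhere in this diff and should be retargeted to whichever location is correct.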
@@ -9631,6 +9766,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md",
+"redirect_url": "/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md",
 "redirect_url": "/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus",
 "redirect_document_id": true
@@ -12036,11 +12176,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md",
-"redirect_url": "/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md",
 "redirect_url": "/windows/device-security/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies",
 "redirect_document_id": true
@@ -12161,11 +12296,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/keep-secure/requirements-for-deploying-applocker-policies.md",
 "redirect_url": "/windows/device-security/applocker/requirements-for-deploying-applocker-policies",
 "redirect_document_id": true
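Review bot: The third hunk deletes the `windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md` entry outright rather than retargeting it, and this diff does not re-add that source path anywhere visible — unlike the other keep-secure removals in this diff, which are moves re-added next to their new neighbours. Its old target is itself redirected elsewhere in this diff, so the right fix is to keep the entry with the final URL, e.g. `"redirect_url": "/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",` (or the `microsoft-defender-atp` path, whichever directory the page really lands in), instead of letting the oldest link to the Device Guard requirements page 404.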
@@ -12191,11 +12321,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md",
-"redirect_url": "/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/keep-secure/restore-files-and-directories.md",
 "redirect_url": "/windows/device-security/security-policy-settings/restore-files-and-directories",
 "redirect_document_id": true
@@ -14446,11 +14571,6 @@
 "redirect_document_id": true
 },
 {
-"source_path":"windows/security/threat-protection/windows-defender-atp/use-apis.md",
-"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/use-apis",
-"redirect_document_id": false
-},
-{
 "source_path":"windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md",
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp",
 "redirect_document_id": false
@@ -14796,6 +14916,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/get-started.md",
+"redirect_url": "/windows/security/threat-protection/index.md",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis",
 "redirect_document_id": false
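Review bot: The third hunk's new `get-started.md` entry has a `redirect_url` that ends in `.md` — `"redirect_url": "/windows/security/threat-protection/index.md",` — while every other `redirect_url` in this file is an extensionless published URL; the source-file extension belongs only in `source_path`. It should be `"redirect_url": "/windows/security/threat-protection/index",` (or the bare section path `/windows/security/threat-protection/` if that is how the index is served). `redirect_document_id: true` on a redirect into a shared section index is also worth a second look, since the other landing-page redirect added in this diff (`windows-defender-exploit-guard.md`) uses `false`; carrying one retired page's document id onto the index page is probably not intended.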
@@ -14861,9 +14986,9 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md",
-"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow",
-"redirect_document_id": true
+ "source_path": "windows/security/threat-protection/windows-defender-atp/api-microsoft-flow.md",
+ "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow",
+ "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md",
@@ -14871,8 +14996,8 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md",
-"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token",
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-power-bi",
 "redirect_document_id": true
 },
 {
@@ -14956,11 +15081,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-atp/incidents-queue.md",
-"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/incidents-queue",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis",
 "redirect_document_id": false
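Review bot: The first hunk drops the `windows-defender-atp/run-advanced-query-sample-ms-flow.md` source path instead of retargeting it, so the old Flow-sample URL stops redirecting, even though the new `api-microsoft-flow` page is exactly where that link should land. Keep the old entry alongside the new one with `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow",`. The three added lines are also indented with one leading space (`+ "source_path": ...`) unlike every other line in this file; worth normalising so the file stays diff-friendly.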
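Review bot: The second hunk likewise replaces the `windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md` entry rather than retargeting it, so the user-token sample's old URL stops redirecting; it should be kept and pointed at `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-power-bi",`. The context entry just above for `windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md` now resolves through the new `microsoft-defender-atp/...app-token.md` entry in a second hop and could go straight to `api-power-bi` as well, unless the pipeline is known to flatten chains.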
@@ -15041,6 +15161,31 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-atp/incidents-queue.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/incidents-queue",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp",
+"redirect_document_id": true
+},
+{
+"source_path":"windows/security/threat-protection/windows-defender-atp/use-apis.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/use-apis",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/security/threat-protection/windows-defender-atp/user-alert-windows-defender-advanced-threat-protection-new.md",
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/user",
 "source_path": "windows/deployment/planning/windows-10-fall-creators-deprecation.md",
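Review bot: Two of the added entries form chains that could be flattened: `windows-defender-atp/incidents-queue.md` is re-added pointing at `/microsoft-defender-atp/incidents-queue`, which the very next entry redirects on to `/microsoft-defender-atp/view-incidents-queue`, so the old link should go there directly — `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue",`. Likewise `windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md` and `microsoft-defender-atp/troubleshoot-overview.md` both land on `troubleshoot-mdatp` but with different `redirect_document_id` values (`false` for the first, whose removed original had `true`; `true` for the second), so it is worth stating which source is meant to carry its document id to the new page. Separately, the context object immediately after the insertion (`user-alert-...-new.md`) contains two `source_path` keys and no `redirect_document_id` or closing brace; that is pre-existing, but since a repeated key in one object is silently last-wins in most JSON parsers, it is worth repairing while this region is being touched.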
@@ -15063,18 +15208,23 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-indicators",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/security/threat-protection/windows-defender-atp/manage-indicators-windows-defender-advanced-threat-protection.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-atp/manage-indicators",
 "redirect_document_id": true
 },
 {
-"source_path": "windows/deployment/windows-10-enterprise-subscription-activation.md",
-"redirect_url": "/windows/deployment/windows-10-subscription-activation",
-"redirect_document_id": true
+"source_path": "windows/security/threat-protection/windows-defender-atp/manage-indicators.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list",
+"redirect_document_id": false
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-atp/manage-indicators.md",
-"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-indicators",
+"source_path": "windows/deployment/windows-10-enterprise-subscription-activation.md",
+"redirect_url": "/windows/deployment/windows-10-subscription-activation",
 "redirect_document_id": true
 },
 {
diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
index c90d6b1c59..15560fccc7 100644
--- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
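Review bot: The `windows-defender-atp/manage-indicators.md` entry previously redirected straight to `/microsoft-defender-atp/manage-indicators` with `redirect_document_id: true`; this hunk rewrites it to `/microsoft-defender-atp/manage-allowed-blocked-list` with `false`, while the new `manage-allowed-blocked-list.md` entry sends that path back to `/microsoft-defender-atp/manage-indicators`. The old link therefore reaches the same page as before, only through an extra hop via a path that this same hunk is retiring, and it loses its document-id transfer along the way. Unless the extra hop is deliberate, restore `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-indicators",` and `"redirect_document_id": true` on the manage-indicators.md entry and keep the new manage-allowed-blocked-list.md entry as the only redirect with `false`. The swap with the subscription-activation entry is a pure reordering and changes nothing.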
@@ -171,13 +171,13 @@ You can determine which zones or domains are used for data collection, using Pow
 **To set up data collection using a domain allow list**
- - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`.
+- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`.
 >**Important**
 Wildcards, like \*.microsoft.com, aren’t supported.
 **To set up data collection using a zone allow list**
- - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`.
+- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`.
 >**Important**
 Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported.
diff --git a/browsers/internet-explorer/TOC.md b/browsers/internet-explorer/TOC.md
index 0fed701c19..c2812cb730 100644
--- a/browsers/internet-explorer/TOC.md
+++ b/browsers/internet-explorer/TOC.md
@@ -1,188 +1,188 @@ -#[IE11 Deployment Guide for IT Pros](ie11-deploy-guide/index.md) +# [IE11 Deployment Guide for IT Pros](ie11-deploy-guide/index.md) -##[Change history for the Internet Explorer 11 (IE11) Deployment Guide](ie11-deploy-guide/change-history-for-internet-explorer-11.md) +## [Change history for the Internet Explorer 11 (IE11) Deployment Guide](ie11-deploy-guide/change-history-for-internet-explorer-11.md) -##[System requirements and language support for Internet Explorer 11](ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md) +## [System requirements and language support for Internet Explorer 11](ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md) -##[List of updated features and tools - Internet Explorer 11 (IE11)](ie11-deploy-guide/updated-features-and-tools-with-ie11.md) +## [List of updated features and tools - Internet Explorer 11 (IE11)](ie11-deploy-guide/updated-features-and-tools-with-ie11.md) -##[Install and Deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/install-and-deploy-ie11.md) -###[Customize Internet Explorer 11 installation packages](ie11-deploy-guide/customize-ie11-install-packages.md) -####[Using IEAK 11 to create packages](ie11-deploy-guide/using-ieak11-to-create-install-packages.md) -####[Create packages for multiple operating systems or languages](ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md) -####[Using .INF files to create packages](ie11-deploy-guide/using-inf-files-to-create-install-packages.md) -###[Choose how to install Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-install-ie11.md) -####[Install Internet Explorer 11 (IE11) - System Center 2012 R2 Configuration Manager](ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md) -####[Install Internet Explorer 11 (IE11) - Windows Server Update Services (WSUS)](ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md) -####[Install 
Internet Explorer 11 (IE11) - Microsoft Intune](ie11-deploy-guide/install-ie11-using-microsoft-intune.md) -####[Install Internet Explorer 11 (IE11) - Network](ie11-deploy-guide/install-ie11-using-the-network.md) -####[Install Internet Explorer 11 (IE11) - Operating system deployment systems](ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md) -####[Install Internet Explorer 11 (IE11) - Third-party tools](ie11-deploy-guide/install-ie11-using-third-party-tools.md) -###[Choose how to deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-deploy-ie11.md) -####[Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS)](ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md) -####[Deploy Internet Explorer 11 using software distribution tools](ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md) -###[Virtualization and compatibility with Internet Explorer 11](ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md) +## [Install and Deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/install-and-deploy-ie11.md) +### [Customize Internet Explorer 11 installation packages](ie11-deploy-guide/customize-ie11-install-packages.md) +#### [Using IEAK 11 to create packages](ie11-deploy-guide/using-ieak11-to-create-install-packages.md) +#### [Create packages for multiple operating systems or languages](ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md) +#### [Using .INF files to create packages](ie11-deploy-guide/using-inf-files-to-create-install-packages.md) +### [Choose how to install Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-install-ie11.md) +#### [Install Internet Explorer 11 (IE11) - System Center 2012 R2 Configuration Manager](ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md) +#### [Install Internet Explorer 11 (IE11) - Windows Server Update Services 
(WSUS)](ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md) +#### [Install Internet Explorer 11 (IE11) - Microsoft Intune](ie11-deploy-guide/install-ie11-using-microsoft-intune.md) +#### [Install Internet Explorer 11 (IE11) - Network](ie11-deploy-guide/install-ie11-using-the-network.md) +#### [Install Internet Explorer 11 (IE11) - Operating system deployment systems](ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md) +#### [Install Internet Explorer 11 (IE11) - Third-party tools](ie11-deploy-guide/install-ie11-using-third-party-tools.md) +### [Choose how to deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-deploy-ie11.md) +#### [Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS)](ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md) +#### [Deploy Internet Explorer 11 using software distribution tools](ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md) +### [Virtualization and compatibility with Internet Explorer 11](ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md) -##[Collect data using Enterprise Site Discovery](ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md) +## [Collect data using Enterprise Site Discovery](ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md) -##[Enterprise Mode for Internet Explorer 11 (IE11)](ie11-deploy-guide/enterprise-mode-overview-for-ie11.md) -###[Tips and tricks to manage Internet Explorer compatibility](ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md) -###[Enterprise Mode and the Enterprise Mode Site List](ie11-deploy-guide/what-is-enterprise-mode.md) -###[Set up Enterprise Mode logging and data collection](ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md) -###[Turn on Enterprise Mode and use a site list](ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md) -###[Enterprise Mode schema v.2 
guidance](ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md) -###[Enterprise Mode schema v.1 guidance](ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md) -###[Check for a new Enterprise Mode site list xml file](ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md) -###[Turn on local control and logging for Enterprise Mode](ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md) -###[Use the Enterprise Mode Site List Manager](ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md) -####[Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) -####[Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) -####[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) -####[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) -####[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) -####[Fix validation problems using the Enterprise Mode Site List Manager](ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) -####[Search your Enterprise Mode site list in the Enterprise Mode Site List 
Manager](ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) -####[Save your site list to XML in the Enterprise Mode Site List Manager](ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) -####[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) -####[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md) -####[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) -####[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) -###[Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md) -####[Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md) -#####[Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md) -#####[Add employees to the Enterprise Mode Site List Portal](ie11-deploy-guide/add-employees-enterprise-mode-portal.md) -####[Workflow-based processes for employees using the Enterprise Mode Site List Portal](ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md) -#####[Create a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/create-change-request-enterprise-mode-portal.md) -#####[Verify your changes using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md) -#####[Approve a change request using 
the Enterprise Mode Site List Portal](ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md) -#####[Schedule approved change requests for production using the Enterprise Mode Site List Portal](ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md) -#####[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md) -#####[View the apps currently on the Enterprise Mode Site List](ie11-deploy-guide/view-apps-enterprise-mode-site-list.md) -#####[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md) -###[Using IE7 Enterprise Mode or IE8 Enterprise Mode](ie11-deploy-guide/using-enterprise-mode.md) -###[Fix web compatibility issues using document modes and the Enterprise Mode site list](ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) -###[Remove sites from a local Enterprise Mode site list](ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md) -###[Remove sites from a local compatibility view list](ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md) -###[Turn off Enterprise Mode](ie11-deploy-guide/turn-off-enterprise-mode.md) +## [Enterprise Mode for Internet Explorer 11 (IE11)](ie11-deploy-guide/enterprise-mode-overview-for-ie11.md) +### [Tips and tricks to manage Internet Explorer compatibility](ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md) +### [Enterprise Mode and the Enterprise Mode Site List](ie11-deploy-guide/what-is-enterprise-mode.md) +### [Set up Enterprise Mode logging and data collection](ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md) +### [Turn on Enterprise Mode and use a site list](ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md) +### [Enterprise Mode schema v.2 
guidance](ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md) +### [Enterprise Mode schema v.1 guidance](ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md) +### [Check for a new Enterprise Mode site list xml file](ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md) +### [Turn on local control and logging for Enterprise Mode](ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md) +### [Use the Enterprise Mode Site List Manager](ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md) +#### [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) +#### [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) +#### [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) +#### [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) +#### [Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) +#### [Fix validation problems using the Enterprise Mode Site List Manager](ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) +#### [Search your Enterprise Mode site list in the Enterprise Mode Site List 
Manager](ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) +#### [Save your site list to XML in the Enterprise Mode Site List Manager](ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) +#### [Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) +#### [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md) +#### [Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) +#### [Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) +### [Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md) +#### [Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md) +##### [Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md) +##### [Add employees to the Enterprise Mode Site List Portal](ie11-deploy-guide/add-employees-enterprise-mode-portal.md) +#### [Workflow-based processes for employees using the Enterprise Mode Site List Portal](ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md) +##### [Create a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/create-change-request-enterprise-mode-portal.md) +##### [Verify your changes using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md) +##### [Approve a change 
request using the Enterprise Mode Site List Portal](ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md) +##### [Schedule approved change requests for production using the Enterprise Mode Site List Portal](ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md) +##### [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md) +##### [View the apps currently on the Enterprise Mode Site List](ie11-deploy-guide/view-apps-enterprise-mode-site-list.md) +##### [View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md) +### [Using IE7 Enterprise Mode or IE8 Enterprise Mode](ie11-deploy-guide/using-enterprise-mode.md) +### [Fix web compatibility issues using document modes and the Enterprise Mode site list](ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) +### [Remove sites from a local Enterprise Mode site list](ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md) +### [Remove sites from a local compatibility view list](ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md) +### [Turn off Enterprise Mode](ie11-deploy-guide/turn-off-enterprise-mode.md) -##[Group Policy and Internet Explorer 11 (IE11)](ie11-deploy-guide/group-policy-and-ie11.md) -###[Group Policy management tools](ie11-deploy-guide/group-policy-objects-and-ie11.md) -####[Group Policy and the Group Policy Management Console (GPMC)](ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md) -####[Group Policy and the Local Group Policy Editor](ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md) -####[Group Policy and Advanced Group Policy Management (AGPM)](ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md) -####[Group Policy and Windows 
Powershell](ie11-deploy-guide/group-policy-windows-powershell-ie11.md) -####[Group Policy and Shortcut Extensions](ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md) -###[New group policy settings for Internet Explorer 11](ie11-deploy-guide/new-group-policy-settings-for-ie11.md) -###[Set the default browser using Group Policy](ie11-deploy-guide/set-the-default-browser-using-group-policy.md) -###[ActiveX installation using group policy](ie11-deploy-guide/activex-installation-using-group-policy.md) -###[Group Policy and compatibility with Internet Explorer 11](ie11-deploy-guide/group-policy-compatibility-with-ie11.md) -###[Group policy preferences and Internet Explorer 11](ie11-deploy-guide/group-policy-preferences-and-ie11.md) -###[Administrative templates and Internet Explorer 11](ie11-deploy-guide/administrative-templates-and-ie11.md) -###[Enable and disable add-ons using administrative templates and group policy](ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md) +## [Group Policy and Internet Explorer 11 (IE11)](ie11-deploy-guide/group-policy-and-ie11.md) +### [Group Policy management tools](ie11-deploy-guide/group-policy-objects-and-ie11.md) +#### [Group Policy and the Group Policy Management Console (GPMC)](ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md) +#### [Group Policy and the Local Group Policy Editor](ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md) +#### [Group Policy and Advanced Group Policy Management (AGPM)](ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md) +#### [Group Policy and Windows Powershell](ie11-deploy-guide/group-policy-windows-powershell-ie11.md) +#### [Group Policy and Shortcut Extensions](ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md) +### [New group policy settings for Internet Explorer 11](ie11-deploy-guide/new-group-policy-settings-for-ie11.md) +### [Set the default browser using Group 
Policy](ie11-deploy-guide/set-the-default-browser-using-group-policy.md) +### [ActiveX installation using group policy](ie11-deploy-guide/activex-installation-using-group-policy.md) +### [Group Policy and compatibility with Internet Explorer 11](ie11-deploy-guide/group-policy-compatibility-with-ie11.md) +### [Group policy preferences and Internet Explorer 11](ie11-deploy-guide/group-policy-preferences-and-ie11.md) +### [Administrative templates and Internet Explorer 11](ie11-deploy-guide/administrative-templates-and-ie11.md) +### [Enable and disable add-ons using administrative templates and group policy](ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md) -##[Manage Internet Explorer 11](ie11-deploy-guide/manage-ie11-overview.md) -###[Auto detect settings Internet Explorer 11](ie11-deploy-guide/auto-detect-settings-for-ie11.md) -###[Auto configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-configuration-settings-for-ie11.md) -###[Auto proxy configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md) +## [Manage Internet Explorer 11](ie11-deploy-guide/manage-ie11-overview.md) +### [Auto detect settings Internet Explorer 11](ie11-deploy-guide/auto-detect-settings-for-ie11.md) +### [Auto configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-configuration-settings-for-ie11.md) +### [Auto proxy configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md) -##[Troubleshoot Internet Explorer 11 (IE11)](ie11-deploy-guide/troubleshoot-ie11.md) -###[Setup problems with Internet Explorer 11](ie11-deploy-guide/setup-problems-with-ie11.md) -###[Install problems with Internet Explorer 11](ie11-deploy-guide/install-problems-with-ie11.md) -###[Problems after installing Internet Explorer 11](ie11-deploy-guide/problems-after-installing-ie11.md) -###[Auto configuration and auto proxy problems with 
Internet Explorer 11](ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md) -###[User interface problems with Internet Explorer 11](ie11-deploy-guide/user-interface-problems-with-ie11.md) -###[Group Policy problems with Internet Explorer 11](ie11-deploy-guide/group-policy-problems-ie11.md) -###[.NET Framework problems with Internet Explorer 11](ie11-deploy-guide/net-framework-problems-with-ie11.md) -###[Enhanced Protected Mode problems with Internet Explorer](ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md) -###[Fix font rendering problems by turning off natural metrics](ie11-deploy-guide/turn-off-natural-metrics.md) -###[Intranet problems with Internet Explorer 11](ie11-deploy-guide/intranet-problems-and-ie11.md) -###[Browser cache changes and roaming profiles](ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md) +## [Troubleshoot Internet Explorer 11 (IE11)](ie11-deploy-guide/troubleshoot-ie11.md) +### [Setup problems with Internet Explorer 11](ie11-deploy-guide/setup-problems-with-ie11.md) +### [Install problems with Internet Explorer 11](ie11-deploy-guide/install-problems-with-ie11.md) +### [Problems after installing Internet Explorer 11](ie11-deploy-guide/problems-after-installing-ie11.md) +### [Auto configuration and auto proxy problems with Internet Explorer 11](ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md) +### [User interface problems with Internet Explorer 11](ie11-deploy-guide/user-interface-problems-with-ie11.md) +### [Group Policy problems with Internet Explorer 11](ie11-deploy-guide/group-policy-problems-ie11.md) +### [.NET Framework problems with Internet Explorer 11](ie11-deploy-guide/net-framework-problems-with-ie11.md) +### [Enhanced Protected Mode problems with Internet Explorer](ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md) +### [Fix font rendering problems by turning off natural metrics](ie11-deploy-guide/turn-off-natural-metrics.md) +### [Intranet 
problems with Internet Explorer 11](ie11-deploy-guide/intranet-problems-and-ie11.md) +### [Browser cache changes and roaming profiles](ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md) -##[Out-of-date ActiveX control blocking](ie11-deploy-guide/out-of-date-activex-control-blocking.md) -###[Blocked out-of-date ActiveX controls](ie11-deploy-guide/blocked-out-of-date-activex-controls.md) +## [Out-of-date ActiveX control blocking](ie11-deploy-guide/out-of-date-activex-control-blocking.md) +### [Blocked out-of-date ActiveX controls](ie11-deploy-guide/blocked-out-of-date-activex-controls.md) -##[Deprecated document modes and Internet Explorer 11](ie11-deploy-guide/deprecated-document-modes.md) +## [Deprecated document modes and Internet Explorer 11](ie11-deploy-guide/deprecated-document-modes.md) -##[What is the Internet Explorer 11 Blocker Toolkit?](ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md) -###[Internet Explorer 11 delivery through automatic updates](ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) -###[Internet Explorer 11 Blocker Toolkit FAQ](ie11-faq/faq-ie11-blocker-toolkit.md) +## [What is the Internet Explorer 11 Blocker Toolkit?](ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md) +### [Internet Explorer 11 delivery through automatic updates](ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) +### [Internet Explorer 11 Blocker Toolkit FAQ](ie11-faq/faq-ie11-blocker-toolkit.md) -##[Missing Internet Explorer Maintenance settings for Internet Explorer 11](ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md) +## [Missing Internet Explorer Maintenance settings for Internet Explorer 11](ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md) -##[Missing the Compatibility View Button](ie11-deploy-guide/missing-the-compatibility-view-button.md) +## [Missing the Compatibility View 
Button](ie11-deploy-guide/missing-the-compatibility-view-button.md) -##[Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013](ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md) +## [Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013](ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md) -#[IE11 Frequently Asked Questions (FAQ) Guide for IT Pros](ie11-faq/faq-for-it-pros-ie11.md) +# [IE11 Frequently Asked Questions (FAQ) Guide for IT Pros](ie11-faq/faq-for-it-pros-ie11.md) -#[Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](ie11-ieak/index.md) -##[What IEAK can do for you](ie11-ieak/what-ieak-can-do-for-you.md) -##[Internet Explorer Administration Kit (IEAK) information and downloads](ie11-ieak/ieak-information-and-downloads.md) -##[Before you start using IEAK 11](ie11-ieak/before-you-create-custom-pkgs-ieak11.md) -###[Hardware and software requirements for IEAK 11](ie11-ieak/hardware-and-software-reqs-ieak11.md) -###[Determine the licensing version and features to use in IEAK 11](ie11-ieak/licensing-version-and-features-ieak11.md) -###[Security features and IEAK 11](ie11-ieak/security-and-ieak11.md) -###[File types used or created by IEAK 11](ie11-ieak/file-types-ieak11.md) -###[Tasks and references to consider before creating and deploying custom packages using IEAK 11](ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md) -###[Create the build computer folder structure using IEAK 11](ie11-ieak/create-build-folder-structure-ieak11.md) -###[Set up auto detection for DHCP or DNS servers using IEAK 11](ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md) -###[Use proxy auto-configuration (.pac) files with IEAK 11](ie11-ieak/proxy-auto-config-examples.md) -###[Customize the toolbar button and Favorites List icons using IEAK 11](ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md) -###[Use the uninstallation .INF files to uninstall custom 
components](ie11-ieak/create-uninstall-inf-files-for-custom-components.md) -###[Add and approve ActiveX controls using the IEAK 11](ie11-ieak/add-and-approve-activex-controls-ieak11.md) -###[Register an uninstall app for custom components using IEAK 11](ie11-ieak/register-uninstall-app-ieak11.md) -###[Customize Automatic Search for Internet Explorer using IEAK 11](ie11-ieak/customize-automatic-search-for-ie.md) -###[Create multiple versions of your custom package using IEAK 11](ie11-ieak/create-multiple-browser-packages-ieak11.md) -###[Before you install your package over your network using IEAK 11](ie11-ieak/prep-network-install-with-ieak11.md) -###[Use the RSoP snap-in to review policy settings](ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md) -###[IEAK 11 - Frequently Asked Questions](ie11-faq/faq-ieak11.md) -###[Troubleshoot custom package and IEAK 11 problems](ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md) +# [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](ie11-ieak/index.md) +## [What IEAK can do for you](ie11-ieak/what-ieak-can-do-for-you.md) +## [Internet Explorer Administration Kit (IEAK) information and downloads](ie11-ieak/ieak-information-and-downloads.md) +## [Before you start using IEAK 11](ie11-ieak/before-you-create-custom-pkgs-ieak11.md) +### [Hardware and software requirements for IEAK 11](ie11-ieak/hardware-and-software-reqs-ieak11.md) +### [Determine the licensing version and features to use in IEAK 11](ie11-ieak/licensing-version-and-features-ieak11.md) +### [Security features and IEAK 11](ie11-ieak/security-and-ieak11.md) +### [File types used or created by IEAK 11](ie11-ieak/file-types-ieak11.md) +### [Tasks and references to consider before creating and deploying custom packages using IEAK 11](ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md) +### [Create the build computer folder structure using IEAK 11](ie11-ieak/create-build-folder-structure-ieak11.md) +### [Set up auto detection for 
DHCP or DNS servers using IEAK 11](ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md)
+### [Use proxy auto-configuration (.pac) files with IEAK 11](ie11-ieak/proxy-auto-config-examples.md)
+### [Customize the toolbar button and Favorites List icons using IEAK 11](ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md)
+### [Use the uninstallation .INF files to uninstall custom components](ie11-ieak/create-uninstall-inf-files-for-custom-components.md)
+### [Add and approve ActiveX controls using the IEAK 11](ie11-ieak/add-and-approve-activex-controls-ieak11.md)
+### [Register an uninstall app for custom components using IEAK 11](ie11-ieak/register-uninstall-app-ieak11.md)
+### [Customize Automatic Search for Internet Explorer using IEAK 11](ie11-ieak/customize-automatic-search-for-ie.md)
+### [Create multiple versions of your custom package using IEAK 11](ie11-ieak/create-multiple-browser-packages-ieak11.md)
+### [Before you install your package over your network using IEAK 11](ie11-ieak/prep-network-install-with-ieak11.md)
+### [Use the RSoP snap-in to review policy settings](ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md)
+### [IEAK 11 - Frequently Asked Questions](ie11-faq/faq-ieak11.md)
+### [Troubleshoot custom package and IEAK 11 problems](ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md)
-##[Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](ie11-ieak/ieak11-wizard-custom-options.md)
-###[Use the File Locations page in the IEAK 11 Wizard](ie11-ieak/file-locations-ieak11-wizard.md)
-###[Use the Platform Selection page in the IEAK 11 Wizard](ie11-ieak/platform-selection-ieak11-wizard.md)
-###[Use the Language Selection page in the IEAK 11 Wizard](ie11-ieak/language-selection-ieak11-wizard.md)
-###[Use the Package Type Selection page in the IEAK 11 Wizard](ie11-ieak/pkg-type-selection-ieak11-wizard.md)
-###[Use the Feature Selection page in the IEAK 11 Wizard](ie11-ieak/feature-selection-ieak11-wizard.md)
-###[Use the Automatic Version Synchronization page in the IEAK 11 Wizard](ie11-ieak/auto-version-sync-ieak11-wizard.md)
-###[Use the Custom Components page in the IEAK 11 Wizard](ie11-ieak/custom-components-ieak11-wizard.md)
-###[Use the Internal Install page in the IEAK 11 Wizard](ie11-ieak/internal-install-ieak11-wizard.md)
-###[Use the User Experience page in the IEAK 11 Wizard](ie11-ieak/user-experience-ieak11-wizard.md)
-###[Use the Browser User Interface page in the IEAK 11 Wizard](ie11-ieak/browser-ui-ieak11-wizard.md)
-###[Use the Search Providers page in the IEAK 11 Wizard](ie11-ieak/search-providers-ieak11-wizard.md)
-###[Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md)
-###[Use the Accelerators page in the IEAK 11 Wizard](ie11-ieak/accelerators-ieak11-wizard.md)
-###[Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard](ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md)
-###[Use the Browsing Options page in the IEAK 11 Wizard](ie11-ieak/browsing-options-ieak11-wizard.md)
-###[Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard](ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md)
-###[Use the Compatibility View page in the IEAK 11 Wizard](ie11-ieak/compat-view-ieak11-wizard.md)
-###[Use the Connection Manager page in the IEAK 11 Wizard](ie11-ieak/connection-mgr-ieak11-wizard.md)
-###[Use the Connection Settings page in the IEAK 11 Wizard](ie11-ieak/connection-settings-ieak11-wizard.md)
-###[Use the Automatic Configuration page in the IEAK 11 Wizard](ie11-ieak/auto-config-ieak11-wizard.md)
-###[Use the Proxy Settings page in the IEAK 11 Wizard](ie11-ieak/proxy-settings-ieak11-wizard.md)
-###[Use the Security and Privacy Settings page in the IEAK 11 Wizard](ie11-ieak/security-and-privacy-settings-ieak11-wizard.md)
-###[Use the Add a Root Certificate page in the IEAK 11 Wizard](ie11-ieak/add-root-certificate-ieak11-wizard.md)
-###[Use the Programs page in the IEAK 11 Wizard](ie11-ieak/programs-ieak11-wizard.md)
-###[Use the Additional Settings page in the IEAK 11 Wizard](ie11-ieak/additional-settings-ieak11-wizard.md)
-###[Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard](ie11-ieak/wizard-complete-ieak11-wizard.md)
+## [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](ie11-ieak/ieak11-wizard-custom-options.md)
+### [Use the File Locations page in the IEAK 11 Wizard](ie11-ieak/file-locations-ieak11-wizard.md)
+### [Use the Platform Selection page in the IEAK 11 Wizard](ie11-ieak/platform-selection-ieak11-wizard.md)
+### [Use the Language Selection page in the IEAK 11 Wizard](ie11-ieak/language-selection-ieak11-wizard.md)
+### [Use the Package Type Selection page in the IEAK 11 Wizard](ie11-ieak/pkg-type-selection-ieak11-wizard.md)
+### [Use the Feature Selection page in the IEAK 11 Wizard](ie11-ieak/feature-selection-ieak11-wizard.md)
+### [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](ie11-ieak/auto-version-sync-ieak11-wizard.md)
+### [Use the Custom Components page in the IEAK 11 Wizard](ie11-ieak/custom-components-ieak11-wizard.md)
+### [Use the Internal Install page in the IEAK 11 Wizard](ie11-ieak/internal-install-ieak11-wizard.md)
+### [Use the User Experience page in the IEAK 11 Wizard](ie11-ieak/user-experience-ieak11-wizard.md)
+### [Use the Browser User Interface page in the IEAK 11 Wizard](ie11-ieak/browser-ui-ieak11-wizard.md)
+### [Use the Search Providers page in the IEAK 11 Wizard](ie11-ieak/search-providers-ieak11-wizard.md)
+### [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md)
+### [Use the Accelerators page in the IEAK 11 Wizard](ie11-ieak/accelerators-ieak11-wizard.md)
+### [Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard](ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md)
+### [Use the Browsing Options page in the IEAK 11 Wizard](ie11-ieak/browsing-options-ieak11-wizard.md)
+### [Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard](ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md)
+### [Use the Compatibility View page in the IEAK 11 Wizard](ie11-ieak/compat-view-ieak11-wizard.md)
+### [Use the Connection Manager page in the IEAK 11 Wizard](ie11-ieak/connection-mgr-ieak11-wizard.md)
+### [Use the Connection Settings page in the IEAK 11 Wizard](ie11-ieak/connection-settings-ieak11-wizard.md)
+### [Use the Automatic Configuration page in the IEAK 11 Wizard](ie11-ieak/auto-config-ieak11-wizard.md)
+### [Use the Proxy Settings page in the IEAK 11 Wizard](ie11-ieak/proxy-settings-ieak11-wizard.md)
+### [Use the Security and Privacy Settings page in the IEAK 11 Wizard](ie11-ieak/security-and-privacy-settings-ieak11-wizard.md)
+### [Use the Add a Root Certificate page in the IEAK 11 Wizard](ie11-ieak/add-root-certificate-ieak11-wizard.md)
+### [Use the Programs page in the IEAK 11 Wizard](ie11-ieak/programs-ieak11-wizard.md)
+### [Use the Additional Settings page in the IEAK 11 Wizard](ie11-ieak/additional-settings-ieak11-wizard.md)
+### [Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard](ie11-ieak/wizard-complete-ieak11-wizard.md)
-##[Using Internet Settings (.INS) files with IEAK 11](ie11-ieak/using-internet-settings-ins-files.md)
-###[Use the Branding .INS file to create custom branding and setup info](ie11-ieak/branding-ins-file-setting.md)
-###[Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar](ie11-ieak/browsertoolbars-ins-file-setting.md)
-###[Use the CabSigning .INS file to review the digital signatures for your apps](ie11-ieak/cabsigning-ins-file-setting.md)
-###[Use the ConnectionSettings .INS file to review the network connections for install](ie11-ieak/connectionsettings-ins-file-setting.md)
-###[Use the CustomBranding .INS file to specify the custom branding location](ie11-ieak/custombranding-ins-file-setting.md)
-###[Use the ExtRegInf .INS file to specify installation files and mode](ie11-ieak/extreginf-ins-file-setting.md)
-###[Use the FavoritesEx .INS file for your Favorites icon and URLs](ie11-ieak/favoritesex-ins-file-setting.md)
-###[Use the HideCustom .INS file to hide GUIDs](ie11-ieak/hidecustom-ins-file-setting.md)
-###[Use the ISP_Security .INS file to add your root certificate](ie11-ieak/isp-security-ins-file-setting.md)
-###[Use the Media .INS file to specify your install media](ie11-ieak/media-ins-file-setting.md)
-###[Use the Proxy .INS file to specify a proxy server](ie11-ieak/proxy-ins-file-setting.md)
-###[Use the Security Imports .INS file to import security info](ie11-ieak/security-imports-ins-file-setting.md)
-###[Use the URL .INS file to use an auto-configured proxy server](ie11-ieak/url-ins-file-setting.md)
+## [Using Internet Settings (.INS) files with IEAK 11](ie11-ieak/using-internet-settings-ins-files.md)
+### [Use the Branding .INS file to create custom branding and setup info](ie11-ieak/branding-ins-file-setting.md)
+### [Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar](ie11-ieak/browsertoolbars-ins-file-setting.md)
+### [Use the CabSigning .INS file to review the digital signatures for your apps](ie11-ieak/cabsigning-ins-file-setting.md)
+### [Use the ConnectionSettings .INS file to review the network connections for install](ie11-ieak/connectionsettings-ins-file-setting.md)
+### [Use the CustomBranding .INS file to specify the custom branding location](ie11-ieak/custombranding-ins-file-setting.md)
+### [Use the ExtRegInf .INS file to specify installation files and mode](ie11-ieak/extreginf-ins-file-setting.md)
+### [Use the FavoritesEx .INS file for your Favorites icon and URLs](ie11-ieak/favoritesex-ins-file-setting.md)
+### [Use the HideCustom .INS file to hide GUIDs](ie11-ieak/hidecustom-ins-file-setting.md)
+### [Use the ISP_Security .INS file to add your root certificate](ie11-ieak/isp-security-ins-file-setting.md)
+### [Use the Media .INS file to specify your install media](ie11-ieak/media-ins-file-setting.md)
+### [Use the Proxy .INS file to specify a proxy server](ie11-ieak/proxy-ins-file-setting.md)
+### [Use the Security Imports .INS file to import security info](ie11-ieak/security-imports-ins-file-setting.md)
+### [Use the URL .INS file to use an auto-configured proxy server](ie11-ieak/url-ins-file-setting.md)
-##[IExpress Wizard for Windows Server 2008 R2 with SP1](ie11-ieak/iexpress-wizard-for-win-server.md)
-###[IExpress Wizard command-line options](ie11-ieak/iexpress-command-line-options.md)
-###[Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md)
+## [IExpress Wizard for Windows Server 2008 R2 with SP1](ie11-ieak/iexpress-wizard-for-win-server.md)
+### [IExpress Wizard command-line options](ie11-ieak/iexpress-command-line-options.md)
+### [Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index aaabccc9ae..12049fdcb9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -1,482 +1,483 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. -author: dansimp -ms.prod: ie11 -ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Collect data using Enterprise Site Discovery -ms.sitesec: library -ms.date: 07/27/2017 ---- - -# Collect data using Enterprise Site Discovery - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 with Service Pack 1 (SP1) - -Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. - ->**Upgrade Readiness and Windows upgrades**
->You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). - - -## Before you begin -Before you start, you need to make sure you have the following: - -- Latest cumulative security update (for all supported versions of Internet Explorer): - - 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**. - - ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) - - 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. - - ![affected software section](images/affectedsoftware.png) - - 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. - -- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including: - - - Configuration-related PowerShell scripts - - - IETelemetry.mof file - - - Sample System Center 2012 report templates - - You must use System Center 2012 R2 Configuration Manager or later for these samples to work. - -Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts. - -## What data is collected? -Data is collected on the configuration characteristics of IE and the sites it browses, as shown here. 
- -|Data point |IE11 |IE10 |IE9 |IE8 |Description | -|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------| -|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. | -|Domain | X | X | X | X |Top-level domain of the browsed site. | -|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. | -|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. | -|Document mode reason | X | X | | |The reason why a document mode was set by IE. | -|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. | -|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. | -|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. | -|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | -|Number of visits | X | X | X | X |Number of times a site has been visited. | -|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. | - - ->**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. - -### Understanding the returned reason codes -The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection. - -#### DocMode reason -The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. - -|Code |Description | -|-----|------------| -|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.| -|4 |Page is using an X-UA-compatible meta tag. | -|5 |Page is using an X-UA-compatible HTTP header. | -|6 |Page appears on an active **Compatibility View** list. | -|7 |Page is using native XML parsing. | -|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. | -|9 |Page state is set by the browser mode and the page's DOCTYPE.| - -#### Browser state reason -The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. - -|Code |Description | -|-----|------------| -|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. | -|2 |Site appears on an active **Compatibility View** list, created in Group Policy. | -|3 |Site appears on an active **Compatibility View** list, created by the user. | -|4 |Page is using an X-UA-compatible tag. | -|5 |Page state is set by the **Developer** toolbar. | -|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. | -|7 |Site appears on the Microsoft **Compatibility View (CV)** list. | -|8 |Site appears on the **Quirks** list, created in Group Policy. | -|11 |Site is using the default browser. | - -#### Zone -The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. - -|Code |Description | -|-----|------------| -|-1 |Internet Explorer is using an invalid zone. | -|0 |Internet Explorer is using the Local machine zone. | -|1 |Internet Explorer is using the Local intranet zone. | -|2 |Internet Explorer is using the Trusted sites zone. | -|3 |Internet Explorer is using the Internet zone. | -|4 |Internet Explorer is using the Restricted sites zone. | - -## Where is the data stored and how do I collect it? -The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend: - -- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer. - -- **XML file**. Any agent that works with XML can be used. - -## WMI Site Discovery suggestions -We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company. - -On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:

250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB - ->**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. - -## Getting ready to use Enterprise Site Discovery -Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options: - -- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

--OR- -- Collect your hardware inventory using the MOF Editor with a .MOF import file.

--OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) - -### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges -You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. - ->**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output. - -**To set up Enterprise Site Discovery** - -- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). - -### WMI only: Set up your firewall for WMI data -If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps: - -**To set up your firewall** - -1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**. - -2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**. - -3. Restart your computer to start collecting your WMI data. - -## Use PowerShell to finish setting up Enterprise Site Discovery -You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery). - ->**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device. - -- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process. - -- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process. - -**To set up data collection using a domain allow list** - - - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. - - >**Important**
Wildcards, like \*.microsoft.com, aren’t supported. - -**To set up data collection using a zone allow list** - - - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. - - >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. - -## Use Group Policy to finish setting up Enterprise Site Discovery -You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery). - ->**Note**
 All of the Group Policy settings can be used individually or as a group. - - **To set up Enterprise Site Discovery using Group Policy** - -- Open your Group Policy editor, and go to these new settings: - - |Setting name and location |Description |Options | - |---------------------------|-------------|---------| - |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |

| - |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. | | - |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone

Binary representation: *00010*, based on:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones

Binary representation: *10110*, based on:

1 – Restricted Sites zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone | - |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:

microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com | - -### Combining WMI and XML Group Policy settings -You can use both the WMI and XML settings individually or together: - -**To turn off Enterprise Site Discovery** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputBlank
- -**Turn on WMI recording only** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputBlank
- -**To turn on XML recording only** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputXML file path
- -To turn on both WMI and XML recording - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputXML file path
- -## Use Configuration Manager to collect your data -After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: - -- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

--OR- -- Collect your hardware inventory using the MOF Editor with a .MOF import file.

--OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) - -### Collect your hardware inventory using the MOF Editor while connected to a client device -You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. - - **To collect your inventory** - -1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. - - ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) - -2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. - -3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. - - ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) - -4. Select the check boxes next to the following classes, and then click **OK**: - - - IESystemInfo - - - IEURLInfo - - - IECountInfo - -5. Click **OK** to close the default windows.
-Your environment is now ready to collect your hardware inventory and review the sample reports. - -### Collect your hardware inventory using the MOF Editor with a .MOF import file -You can collect your hardware inventory using the MOF Editor and a .MOF import file. - - **To collect your inventory** - -1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. - -2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**. - -3. Pick the inventory items to install, and then click **Import**. - -4. Click **OK** to close the default windows.
-Your environment is now ready to collect your hardware inventory and review the sample reports. - -### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) -You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. - -**To collect your inventory** - -1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `\inboxes\clifiles.src\hinv` directory. - -2. Add this text to the end of the file: - - ``` - [SMS_Report (TRUE), - SMS_Group_Name ("IESystemInfo"), - SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"), - Namespace ("root\\\\cimv2\\\\IETelemetry") ] - Class IESystemInfo: SMS_Class_Template - { - [SMS_Report (TRUE), Key ] - String SystemKey; - [SMS_Report (TRUE) ] - String IEVer; - }; - - [SMS_Report (TRUE), - SMS_Group_Name ("IEURLInfo"), - SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"), - Namespace ("root\\\\cimv2\\\\IETelemetry") ] - Class IEURLInfo: SMS_Class_Template - { - [SMS_Report (TRUE), Key ] - String URL; - [SMS_Report (TRUE) ] - String Domain; - [SMS_Report (TRUE) ] - UInt32 DocMode; - [SMS_Report (TRUE) ] - UInt32 DocModeReason; - [SMS_Report (TRUE) ] - UInt32 Zone; - [SMS_Report (TRUE) ] - UInt32 BrowserStateReason; - [SMS_Report (TRUE) ] - String ActiveXGUID[]; - [SMS_Report (TRUE) ] - UInt32 CrashCount; - [SMS_Report (TRUE) ] - UInt32 HangCount; - [SMS_Report (TRUE) ] - UInt32 NavigationFailureCount; - [SMS_Report (TRUE) ] - UInt32 NumberOfVisits; - [SMS_Report (TRUE) ] - UInt32 MostRecentNavigationFailure; - }; - - [SMS_Report (TRUE), - SMS_Group_Name ("IECountInfo"), - SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"), - Namespace ("root\\\\cimv2\\\\IETelemetry") ] - Class IECountInfo: SMS_Class_Template - { - [SMS_Report (TRUE), Key ] - String CountKey; - 
[SMS_Report (TRUE) ] - UInt32 CrashCount; - [SMS_Report (TRUE) ] - UInt32 HangCount; - [SMS_Report (TRUE) ] - UInt32 NavigationFailureCount; - }; - ``` - -3. Save the file and close it to the same location. - Your environment is now ready to collect your hardware inventory and review the sample reports. - -## View the sample reports with your collected data -The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. - -### SCCM Report Sample – ActiveX.rdl -Gives you a list of all of the ActiveX-related sites visited by the client computer. - -![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) - -### SCCM Report Sample – Site Discovery.rdl -Gives you a list of all of the sites visited by the client computer. - -![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) - -## View the collected XML data -After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: - -``` xml - - - [dword] - [dword] - [dword] - - - [string] - - [guid] - - [dword] - [dword] - [dword] - [dword] - [dword] - [dword] - [dword] - [dword] - [string] - [dword] - - - - -``` -You can import this XML data into the correct version of the Enterprise Mode Site List Manager, automatically adding the included sites to your Enterprise Mode site list. - -**To add your XML data to your Enterprise Mode site list** - -1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. - - ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) - -2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). - -3. Click **OK** to close the **Bulk add sites to the list** menu. - -## Turn off data collection on your client devices -After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off. - -**To stop collecting data, using PowerShell** - -- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1 –IEFeatureOff`. - - >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer. - - -**To stop collecting data, using Group Policy** - -1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**. - -2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location. - -### Delete already stored data from client computers -You can completely remove the data stored on your employee’s computers. - -**To delete all existing data** - -- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands: - - - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo` - - - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo` - - - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo` - - - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'` - -## Related topics -* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562) -* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. 
+author: dansimp +ms.prod: ie11 +ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6 +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Collect data using Enterprise Site Discovery +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Collect data using Enterprise Site Discovery + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 with Service Pack 1 (SP1) + +Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. + +>**Upgrade Readiness and Windows upgrades**
+>You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + + +## Before you begin +Before you start, you need to make sure you have the following: + +- Latest cumulative security update (for all supported versions of Internet Explorer): + + 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**. + + ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) + + 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. + + ![affected software section](images/affectedsoftware.png) + + 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. + +- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including: + + - Configuration-related PowerShell scripts + + - IETelemetry.mof file + + - Sample System Center 2012 report templates + + You must use System Center 2012 R2 Configuration Manager or later for these samples to work. + +Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts. + +## What data is collected? +Data is collected on the configuration characteristics of IE and the sites it browses, as shown here. 
+ +|Data point |IE11 |IE10 |IE9 |IE8 |Description | +|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------| +|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. | +|Domain | X | X | X | X |Top-level domain of the browsed site. | +|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. | +|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. | +|Document mode reason | X | X | | |The reason why a document mode was set by IE. | +|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. | +|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. | +|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. | +|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | +|Number of visits | X | X | X | X |Number of times a site has been visited. | +|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. | + + +>**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. + +### Understanding the returned reason codes +The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection. + +#### DocMode reason +The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.| +|4 |Page is using an X-UA-compatible meta tag. | +|5 |Page is using an X-UA-compatible HTTP header. | +|6 |Page appears on an active **Compatibility View** list. | +|7 |Page is using native XML parsing. | +|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. | +|9 |Page state is set by the browser mode and the page's DOCTYPE.| + +#### Browser state reason +The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. | +|2 |Site appears on an active **Compatibility View** list, created in Group Policy. | +|3 |Site appears on an active **Compatibility View** list, created by the user. | +|4 |Page is using an X-UA-compatible tag. | +|5 |Page state is set by the **Developer** toolbar. | +|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. | +|7 |Site appears on the Microsoft **Compatibility View (CV)** list. | +|8 |Site appears on the **Quirks** list, created in Group Policy. | +|11 |Site is using the default browser. | + +#### Zone +The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|-1 |Internet Explorer is using an invalid zone. | +|0 |Internet Explorer is using the Local machine zone. | +|1 |Internet Explorer is using the Local intranet zone. | +|2 |Internet Explorer is using the Trusted sites zone. | +|3 |Internet Explorer is using the Internet zone. | +|4 |Internet Explorer is using the Restricted sites zone. | + +## Where is the data stored and how do I collect it? +The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend: + +- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer. + +- **XML file**. Any agent that works with XML can be used. + +## WMI Site Discovery suggestions +We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company. + +On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:

250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB + +>**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. + +## Getting ready to use Enterprise Site Discovery +Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options: + +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

+-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges +You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. + +>**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output. + +**To set up Enterprise Site Discovery** + +- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). + +### WMI only: Set up your firewall for WMI data +If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps: + +**To set up your firewall** + +1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**. + +2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**. + +3. Restart your computer to start collecting your WMI data. + +## Use PowerShell to finish setting up Enterprise Site Discovery +You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery). + +>**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device. + +- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process. + +- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process. + +**To set up data collection using a domain allow list** + +- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. + + >**Important**
Wildcards, like \*.microsoft.com, aren’t supported. + +**To set up data collection using a zone allow list** + +- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. + + >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. + +## Use Group Policy to finish setting up Enterprise Site Discovery +You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery). + +>**Note**
 All of the Group Policy settings can be used individually or as a group. + + **To set up Enterprise Site Discovery using Group Policy** + +- Open your Group Policy editor, and go to these new settings: + + |Setting name and location |Description |Options | + |---------------------------|-------------|---------| + |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |

| + |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. | | + |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone

Binary representation: *00010*, based on:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones

Binary representation: *10110*, based on:

1 – Restricted Sites zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone | + |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:

microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com | + +### Combining WMI and XML Group Policy settings +You can use both the WMI and XML settings individually or together: + +**To turn off Enterprise Site Discovery** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputBlank
+ +**Turn on WMI recording only** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputBlank
+ +**To turn on XML recording only** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputXML file path
+ +To turn on both WMI and XML recording + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputXML file path
+ +## Use Configuration Manager to collect your data +After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: + +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

+-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### Collect your hardware inventory using the MOF Editor while connected to a client device +You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. + + **To collect your inventory** + +1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. + + ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) + +2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. + +3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. + + ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) + +4. Select the check boxes next to the following classes, and then click **OK**: + + - IESystemInfo + + - IEURLInfo + + - IECountInfo + +5. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports. + +### Collect your hardware inventory using the MOF Editor with a .MOF import file +You can collect your hardware inventory using the MOF Editor and a .MOF import file. + + **To collect your inventory** + +1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. + +2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**. + +3. Pick the inventory items to install, and then click **Import**. + +4. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports. + +### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. + +**To collect your inventory** + +1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `\inboxes\clifiles.src\hinv` directory. + +2. Add this text to the end of the file: + + ``` + [SMS_Report (TRUE), + SMS_Group_Name ("IESystemInfo"), + SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IESystemInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String SystemKey; + [SMS_Report (TRUE) ] + String IEVer; + }; + + [SMS_Report (TRUE), + SMS_Group_Name ("IEURLInfo"), + SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IEURLInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String URL; + [SMS_Report (TRUE) ] + String Domain; + [SMS_Report (TRUE) ] + UInt32 DocMode; + [SMS_Report (TRUE) ] + UInt32 DocModeReason; + [SMS_Report (TRUE) ] + UInt32 Zone; + [SMS_Report (TRUE) ] + UInt32 BrowserStateReason; + [SMS_Report (TRUE) ] + String ActiveXGUID[]; + [SMS_Report (TRUE) ] + UInt32 CrashCount; + [SMS_Report (TRUE) ] + UInt32 HangCount; + [SMS_Report (TRUE) ] + UInt32 NavigationFailureCount; + [SMS_Report (TRUE) ] + UInt32 NumberOfVisits; + [SMS_Report (TRUE) ] + UInt32 MostRecentNavigationFailure; + }; + + [SMS_Report (TRUE), + SMS_Group_Name ("IECountInfo"), + SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IECountInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String CountKey; + 
[SMS_Report (TRUE) ] + UInt32 CrashCount; + [SMS_Report (TRUE) ] + UInt32 HangCount; + [SMS_Report (TRUE) ] + UInt32 NavigationFailureCount; + }; + ``` + +3. Save the file and close it to the same location. + Your environment is now ready to collect your hardware inventory and review the sample reports. + +## View the sample reports with your collected data +The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. + +### SCCM Report Sample – ActiveX.rdl +Gives you a list of all of the ActiveX-related sites visited by the client computer. + +![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) + +### SCCM Report Sample – Site Discovery.rdl +Gives you a list of all of the sites visited by the client computer. + +![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) + +## View the collected XML data +After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: + +``` xml + + + [dword] + [dword] + [dword] + + + [string] + + [guid] + + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [string] + [dword] + + + + +``` +You can import this XML data into the correct version of the Enterprise Mode Site List Manager, automatically adding the included sites to your Enterprise Mode site list. + +**To add your XML data to your Enterprise Mode site list** + +1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. + + ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) + +2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). + +3. Click **OK** to close the **Bulk add sites to the list** menu. + +## Turn off data collection on your client devices +After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off. + +**To stop collecting data, using PowerShell** + +- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1 –IEFeatureOff`. + + >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer. + + +**To stop collecting data, using Group Policy** + +1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**. + +2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location. + +### Delete already stored data from client computers +You can completely remove the data stored on your employee’s computers. + +**To delete all existing data** + +- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands: + + - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo` + + - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo` + + - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo` + + - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'` + +## Related topics +* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562) +* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md index e93450be88..25226f2ad0 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md 
@@ -1,54 +1,54 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune.
-author: lomayor
-ms.prod: ie11
-ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616
-ms.reviewer:
-audience: itpro manager: dansimp
-ms.author: lomayor
-title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Install Internet Explorer 11 (IE11) using Microsoft Intune
-Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805).
-
-## Adding and deploying the IE11 package
-You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune.
-
- **To add the IE11 package**
-
-1. From the Microsoft Intune administrator console, start the Microsoft Intune Software Publisher.
-
-2. Add your IE11 package as either an external link or as a Windows installer package (.exe or .msi).
-
-For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
-
- **To automatically deploy and install the IE11 package**
-
-1. From the Microsoft Intune administrator console, start and run through the Deploy Software wizard.
-
-2. Deploy the package to any of your employee computers that are managed by Microsoft Intune.
-
-3. After the package is on your employee's computers, the installation process runs, based on what you set up in your wizard.
-
-For more info about this, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
-
- **To let your employees install the IE11 package**
-
-1. Install the package on your company's Microsoft Intune site, marking it as **Available** for the appropriate groups.
-
-2. Any employee in the assigned group can now install the package.
-
-For more info about this, see [Update apps using Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301808)
-
- 
-
- 
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune.
+author: lomayor
+ms.prod: ie11
+ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616
+ms.reviewer:
+manager: dansimp
+ms.author: lomayor
+title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Install Internet Explorer 11 (IE11) using Microsoft Intune
+Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805).
+
+## Adding and deploying the IE11 package
+You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune.
+
+ **To add the IE11 package**
+
+1. From the Microsoft Intune administrator console, start the Microsoft Intune Software Publisher.
+
+2. Add your IE11 package as either an external link or as a Windows installer package (.exe or .msi).
+
+For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
+
+ **To automatically deploy and install the IE11 package**
+
+1. From the Microsoft Intune administrator console, start and run through the Deploy Software wizard.
+
+2. Deploy the package to any of your employee computers that are managed by Microsoft Intune.
+
+3. After the package is on your employee's computers, the installation process runs, based on what you set up in your wizard.
+
+For more info about this, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
+
+ **To let your employees install the IE11 package**
+
+1. Install the package on your company's Microsoft Intune site, marking it as **Available** for the appropriate groups.
+
+2. Any employee in the assigned group can now install the package.
+
+For more info about this, see [Update apps using Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301808)
+
+ 
+
+ 
+
+
+
diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
index efbae636fc..a3c0045275 100644
--- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
@@ -1,35 +1,35 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package. -author: lomayor -ms.prod: ie11 -ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: lomayor -title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Platform Selection page in the IEAK 11 Wizard -The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package. - -**To use the Platform Selection page** - -1. Pick the operating system and architecture for the devices on which you’re going to install the custom package.

-You must create individual packages for each supported operating system.

-**Note**
To keep your settings across several operating system packages, you can specify the same destination folder. Then, after running the wizard, you can reuse the resulting .ins file. Any additional changes to the .ins file are saved. For more info about using .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). For more info about adding in your .ins file, see [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md). - -2. Click **Next** to go to the [Language Selection](language-selection-ieak11-wizard.md) page or **Back** to go to the [File Locations](file-locations-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package. +author: lomayor +ms.prod: ie11 +ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218 +ms.reviewer: +manager: dansimp +ms.author: lomayor +title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Platform Selection page in the IEAK 11 Wizard +The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package. + +**To use the Platform Selection page** + +1. Pick the operating system and architecture for the devices on which you’re going to install the custom package.

+You must create individual packages for each supported operating system.

+**Note**
To keep your settings across several operating system packages, you can specify the same destination folder. Then, after running the wizard, you can reuse the resulting .ins file. Any additional changes to the .ins file are saved. For more info about using .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). For more info about adding in your .ins file, see [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md). + +2. Click **Next** to go to the [Language Selection](language-selection-ieak11-wizard.md) page or **Back** to go to the [File Locations](file-locations-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md index a4d2c384bb..8b0ff1ece4 100644 --- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md @@ -1,39 +1,39 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services. -author: lomayor -ms.prod: ie11 -ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc -ms.reviewer: -audience: itpro manager: dansimp -ms.author: lomayor -title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Programs page in the IEAK 11 Wizard -The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer. - -**Important**
The customizations you make on this page only apply to Internet Explorer for the desktop. - -**To use the Programs page** - -1. Determine whether you want to customize your connection settings. You can pick: - - - **Do not customize Program Settings.** Pick this option if you don’t want to set program associations for your employee’s devices.

-OR-

- - - **Import the current Program Settings.** Pick this option to import the program associations from your device and use them as the preset for your employee’s program settings.

**Note**
If you want to change any of your settings, you can click **Modify Settings** to open the **Internet Properties** box, click **Set associations**, and make your changes. - -2. Click **Next** to go to the [Additional Settings](additional-settings-ieak11-wizard.md) page or **Back** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services. +author: lomayor +ms.prod: ie11 +ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc +ms.reviewer: +manager: dansimp +ms.author: lomayor +title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Programs page in the IEAK 11 Wizard +The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer. + +**Important**
The customizations you make on this page only apply to Internet Explorer for the desktop. + +**To use the Programs page** + +1. Determine whether you want to customize your connection settings. You can pick: + + - **Do not customize Program Settings.** Pick this option if you don’t want to set program associations for your employee’s devices.

-OR-

+ + - **Import the current Program Settings.** Pick this option to import the program associations from your device and use them as the preset for your employee’s program settings.

**Note**
If you want to change any of your settings, you can click **Modify Settings** to open the **Internet Properties** box, click **Set associations**, and make your changes. + +2. Click **Next** to go to the [Additional Settings](additional-settings-ieak11-wizard.md) page or **Back** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 36cbb30a09..fe85d293be 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md 
@@ -1,36 +1,45 @@ -# [Microsoft HoloLens](index.md) -# [What's new in HoloLens](hololens-whats-new.md) -# [Set up HoloLens](hololens-setup.md) +# [HoloLens overview](index.md) +# [Hololens status](hololens-status.md) -# Deploy HoloLens in a commercial environment +# Get started with HoloLens (gen 1) +## [Start your HoloLens (1st gen) for the first time](hololens-start.md) +## [Install localized version of HoloLens](hololens-install-localized.md) + +# Get started with HoloLens in commercial environments ## [Overview and deployment planning](hololens-requirements.md) +## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) ## [Configure HoloLens using a provisioning package](hololens-provisioning.md) ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) +## [Set up ring based updates for HoloLens](hololens-updates.md) +## [Manage custom enterprise apps](hololens-install-apps.md) +## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) -# Device Management -## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) -## [Install localized version of HoloLens](hololens-install-localized.md) -## [Manage updates to HoloLens](hololens-updates.md) -## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) -## [Use the HoloLens Clicker](hololens-clicker.md) -## [Restart, reset, or recover the HoloLens](hololens-restart-recover.md) -## [Restart or recover the HoloLens clicker](hololens-clicker-restart-recover.md) +# Navigating Windows Holographic +## [Windows Mixed Reality home](holographic-home.md) +## [Voice and Cortana](hololens-cortana.md) +## [Find and save files](hololens-find-and-save-files.md) +## [Create, share, and view photos and video](holographic-photos-and-video.md) + +# Accessories and connectivity +## [Connect to Bluetooth and USB-C devices](hololens-connect-devices.md) +## [Restart or recover the HoloLens (1st gen) clicker](hololens-clicker-restart-recover.md) 
+## [Connect to a network](hololens-network.md) +## [Use HoloLens offline](hololens-offline.md) # Application Management -## [Install apps on HoloLens](hololens-install-apps.md) ## [Share HoloLens with multiple people](hololens-multiple-users.md) -## [Cortana on HoloLens](hololens-cortana.md) ## [Get apps for HoloLens](hololens-get-apps.md) ## [Use apps on HoloLens](hololens-use-apps.md) ## [Use HoloLens offline](hololens-offline.md) ## [Spaces on HoloLens](hololens-spaces-on-hololens.md) +## [How HoloLens stores data for spaces](hololens-spaces.md) + +# Recovery and troubleshooting +## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) +## [Restart, reset, or recover the HoloLens](hololens-restart-recover.md) # User/Access Management ## [Set up single application access](hololens-kiosk.md) -## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) -## [How HoloLens stores data for spaces](hololens-spaces.md) -## [Find and save files](hololens-find-and-save-files.md) # [Insider preview for Microsoft HoloLens](hololens-insider.md) # [Change history for Microsoft HoloLens documentation](change-history-hololens.md) - diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md index b886719944..a228d800c0 100644 --- a/devices/hololens/change-history-hololens.md +++ b/devices/hololens/change-history-hololens.md @@ -50,11 +50,6 @@ New or changed topic | Description --- | --- Insider preview for Microsoft HoloLens | New (topic retired on release of Windows 10, version 1809) -## June 2018 - -New or changed topic | Description ---- | --- -[HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md#pin) | Added instructions for creating a sign-in PIN. ## May 2018 
@@ -86,12 +81,6 @@ New or changed topic | Description --- | --- [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | New -## May 2017 - -| New or changed topic | Description | -| --- | --- | -| [Microsoft HoloLens in the enterprise: requirements](hololens-requirements.md) | Changed title to **Microsoft HoloLens in the enterprise: requirements and FAQ**, added questions and answers in new [FAQ section](hololens-requirements.md#faq-for-hololens) | - ## January 2017 | New or changed topic | Description | diff --git a/devices/hololens/holographic-home.md b/devices/hololens/holographic-home.md new file mode 100644 index 0000000000..576866ca2c --- /dev/null +++ b/devices/hololens/holographic-home.md 
@@ -0,0 +1,90 @@
+---
+title: Navigate the Windows Mixed Reality home
+description: Navigate the Windows Mixed Reality home in Windows Holographic.
+ms.assetid: 742bc126-7996-4f3a-abb2-cf345dff730c
+ms.date: 08/07/2019
+keywords: hololens
+ms.prod: hololens
+ms.sitesec: library
+author: scooley
+ms.author: scooley
+ms.topic: article
+ms.localizationpriority: medium
+---
+
+# Navigate the Windows Mixed Reality home
+
+## [Navigating MR Home](https://docs.microsoft.com/en-us/windows/mixed-reality/navigating-the-windows-mixed-reality-home)
+
+## Use the Start menu
+
+The **Start** menu on HoloLens is where you'll open apps and get to the HoloLens camera.
+
+Wherever you are in HoloLens, you can always open the **Start** menu by using the [bloom gesture](https://support.microsoft.com/help/12644/hololens-use-gestures) on HoloLens (1st gen) or tapping your wrist on HoloLens 2. Usually, you'll use it once to get to **Start**, but sometimes you might need to use it twice.
+
+> [!TIP]
+> When the **Start** menu is open, use the start gesture to hide it again.
+
+At the top of the **Start** menu, you'll see status indicators for Wi-Fi, battery, and volume, plus a clock. The tiles are your pinned apps. To talk to Cortana, select her tile, or just say "Hey Cortana" from anywhere on HoloLens. At the bottom you'll find the photo and video icons, which open the camera app.
+
+To see the rest of your apps, select **All apps**. To get back to **Start** from the **All apps** list, select **Pinned apps**.
+
+## Use apps on HoloLens
+
+Apps on HoloLens use either 2D view or holographic view. Apps with 2D view look like windows, and apps with holographic view surround you and become the only app you see.
+
+### Open apps
+
+You'll find your apps either pinned to **Start** or in the **All apps** list. To get to the **All apps** list, use the bloom gesture to go to **Start**, then select **All apps**.
+
+On **Start** or in the **All apps** list, select an app. It will open in a good position for viewing.
+
+>[!NOTE]
+>- Up to three 2D app windows can be active at a time. You can open more, but only three will remain active.
+>- Each open app can have one active window at a time, except Microsoft Edge, which can have up to three.
+>- If you're having problems with apps, make sure there's enough light in your space, and walk around so HoloLens has a current scan. If you keep having trouble, see [HoloLens and holograms: FAQ](https://support.microsoft.com/help/13456/hololens-and-holograms-faq) for more info.
+
+## Move, resize, and rotate apps
+
+Moving and resizing apps on HoloLens works a bit differently than it does on a PC. Instead of dragging the app, you'll use your gaze, along with a [gesture](https://support.microsoft.com/help/12644/hololens-use-gestures) or the [clicker](hololens-clicker.md). You can also rotate an app window in 3D space.
+
+> [!TIP]
+> Rearrange apps using your voice—gaze at an app and say "Face me," "Bigger," or "Smaller." Or have Cortana move an app for you: say "Hey Cortana, move <*app name*> here."
+
+### Move an app
+
+Gaze at the app, and then do one of the following.
+
+- Tap and hold to select the app. Move your hand to position the app, and raise your finger to place it.
+
+- Select **Adjust**, tap and hold, and move your hand to position the app. Raise your finger to place it, then select **Done**.
+- Select **Adjust**, click and hold the clicker, and move your hand to position the app. Release the clicker, then select **Done**.
+
+> [!TIP]
+> If you drop apps when you move them, make sure to keep your hand in the gesture frame by following it with your gaze.
+
+### Resize an app
+
+Gaze at the app, and then do one of the following.
+
+- Gaze at a corner or edge of an app window, and tap and hold. Move your hand to change the app's size, and raise your finger when you're done.
+
+- Select **Adjust**. Gaze at one of the blue squares at the corners of the app, tap and hold, then move your hand to resize the app. Raise your finger to release it, then select **Done**.
+- Select **Adjust**. Gaze at one of the blue squares at the corners of the app, click and hold the clicker, then move your hand to resize the app. Release the clicker, then select **Done**.
+
+> [!TIP]
+> In Adjust mode, you can move or resize any hologram.
+
+### Rotate an app
+
+Gaze at the app, and tap and hold with both hands to select it. Rotate the app by keeping one hand steady and moving your other hand around it. When you're done, raise both index fingers.
+
+## Close apps
+
+To close an app that uses 2D view, gaze at it, then select **Close**.
+
+To close an app that uses holographic view, use the bloom gesture to leave holographic view, then select **Close**.
+
+## Pin apps
+
+Keep your favorite apps handy by pinning them to **Start**. In the **All apps** list, gaze at an app to highlight it. Tap and hold until the menu appears, then select **Pin**. To unpin an app, gaze at the app on **Start**, then tap and hold and select **Unpin**.
diff --git a/devices/hololens/holographic-photos-and-video.md b/devices/hololens/holographic-photos-and-video.md
new file mode 100644
index 0000000000..25e8d4a104
--- /dev/null
+++ b/devices/hololens/holographic-photos-and-video.md
@@ -0,0 +1,42 @@
+---
+title: Create, share, and view photos and video
+description: Create, share, and view photos and video
+ms.assetid: 1b636ec3-6186-4fbb-81b2-71155aef0593
+keywords: hololens
+ms.prod: hololens
+ms.sitesec: library
+author: Teresa-Motiv
+ms.author: v-tea
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 8/12/19
+ms.reviewer:
+manager: jarrettr
+appliesto:
+- Hololens (1st gen)
+---
+
+# Create, share, and view photos and video
+
+Use your HoloLens to take photos and videos that capture the holograms you've placed in your world.
+
+To sync your photos and videos to OneDrive, open the OneDrive app and select **Settings** > **Camera upload**, and then turn on **Camera upload**.
+
+## Take a photo
+
+Use the [bloom](https://support.microsoft.com/help/12644/hololens-use-gestures) gesture to go to **Start**, then select **Photo**. Use gaze to position the photo frame, then air tap to take the picture. The picture will be saved to your collection in the Photos app.
+
+Want to snap a quick pic? Press the volume up and volume down buttons at the same time. [Where are the buttons?](https://support.microsoft.com/help/12649/hololens-whats-in-the-box)
+
+## Take a video
+
+Use the bloom gesture to go to **Start**, then select **Video**. Use gaze to position the video frame, then air tap to start recording. To stop recording, use bloom once. The video will be saved to your collection in the Photos app.
+
+To start recording more quickly, press and hold the volume up and volume down buttons simultaneously until a 3-second countdown begins. To stop recording, tap both buttons.
+
+> [!TIP]
+> You can always have Cortana take a photo or a video for you. Just say "Hey Cortana, take a photo" or "Hey Cortana, take a video." [What else can I say to Cortana?](hololens-cortana.md)
+
+[Take + share photos and video with Mixed reality capture](https://docs.microsoft.com/en-us/windows/mixed-reality/mixed-reality-capture)
+
+[Find and view your photos](https://docs.microsoft.com/en-us/windows/mixed-reality/see-your-photos)
diff --git a/devices/hololens/hololens-clicker-restart-recover.md b/devices/hololens/hololens-clicker-restart-recover.md
index 81c7ffc704..25e49740c9 100644
--- a/devices/hololens/hololens-clicker-restart-recover.md
+++ b/devices/hololens/hololens-clicker-restart-recover.md
@@ -16,6 +16,8 @@ ms.localizationpriority: medium # Restart or recover the HoloLens clicker +[Clicker recovery](https://support.microsoft.com/en-us/help/15555) + Here are some things to try if the HoloLens clicker is unresponsive or isn’t working well. ## Restart the clicker
diff --git a/devices/hololens/hololens-connect-devices.md b/devices/hololens/hololens-connect-devices.md
new file mode 100644
index 0000000000..c702921e14
--- /dev/null
+++ b/devices/hololens/hololens-connect-devices.md
@@ -0,0 +1,46 @@
+---
+title: Connect to Bluetooth and USB-C devices
+description: This guide walks through connecting to Bluetooth and USB-C devices and accessories.
+ms.assetid: 01af0848-3b36-4c13-b797-f38ad3977e30
+ms.prod: hololens
+ms.sitesec: library
+author: Teresa-Motiv
+ms.author: v-tea
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 8/12/19
+manager: jarrettr
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# Connect devices and accessories
+
+## Pair Bluetooth devices
+
+Pair a Bluetooth mouse and keyboard with HoloLens, then use them to interact with holograms and to type anywhere you'd use the holographic keyboard. Pair the HoloLens [clicker](hololens-clicker.md) for a different way to interact with HoloLens.
+
+> [!NOTE]
+> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may appear as available in HoloLens settings, but aren't supported. [Learn more](http://go.microsoft.com/fwlink/p/?LinkId=746660).
+
+### Pair a Bluetooth keyboard or mouse
+
+1. Turn on your keyboard or mouse and make it discoverable. The way you make it discoverable depends on the device. Check the device or visit the manufacturer's website to learn how.
+
+1. Go to **Start**, then select **Settings**.
+1. Select **Devices** and make sure Bluetooth is on. When you see the device name, select **Pair** and follow the instructions.
+
+### Pair the clicker
+
+1. Use the bloom gesture to go to **Start**, then select **Settings**.
+
+1. Select **Devices** and make sure Bluetooth is on.
+1. Use the tip of a pen to press and hold the clicker's pairing button until the status light blinks white. Make sure to hold the button down until the light starts blinking. [Where's the pairing button?](hololens-clicker.md)
+1. On the pairing screen, select **Clicker** > **Pair**.
+
+## Connect USB-C devices
+
+## Connect to Miracast
+
+> Applies to HoloLens 2 only.
diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md
index dfe9539b1b..03ad75f637 100644
--- a/devices/hololens/hololens-cortana.md
+++ b/devices/hololens/hololens-cortana.md
@@ -2,26 +2,63 @@ title: Cortana on HoloLens description: Cortana can help you do all kinds of things on your HoloLens ms.assetid: fd96fb0e-6759-4dbe-be1f-58bedad66fed -ms.reviewer: jarrettrenshaw -ms.date: 07/01/2019 -manager: v-miegge +ms.date: 08/14/2019 keywords: hololens ms.prod: hololens ms.sitesec: library author: v-miegge ms.author: v-miegge ms.topic: article +manager: jarrettr ms.localizationpriority: medium --- -# Cortana on HoloLens +# Use your voice with HoloLens + +You can use your voice to do many of the same things you do with gestures on HoloLens, like taking a quick photo or opening an app. + +## Voice commands + +Get around HoloLens faster with these basic commands. If you turn Cortana off, "Hey Cortana" voice commands won't be available, but you'll still be able to use the following built-in voice commands. + +**Select**. Use this instead of air tap. Gaze at a hologram, then say "Select." + +**Go to start**. Say "Go to Start" anytime to bring up the **Start** menu. Or when you're in an immersive app, say "Go to Start" to get to the quick actions menu. + +**Move this**. Instead of air tapping and dragging an app, say "Move this" and use gaze to move it. + +**Face me**. Gaze at a hologram, and then say "Face me" to turn it your way. + +**Bigger/Smaller**. Gaze at a hologram, and then say "Bigger" or "Smaller" to resize it. + +Many buttons and other elements on HoloLens also respond to your voice—for example, **Adjust** and **Close** on the app bar. To find out if a button is voice-enabled, rest your gaze on it for a moment. If it is, you'll see a voice tip. + +## Dictation mode + +Tired of typing? Switch to dictation mode any time the holographic keyboard is active. Select the microphone icon to get started, or say "Start dictating." To stop dictating, select **Done** or say "Stop dictating." To delete what you just dictated, say "Delete that." + +> [!NOTE] +> You need an Internet connection to use dictation mode. 
+ +HoloLens dictation uses explicit punctuation, meaning that you say the name of the punctuation you want to use. For instance, you might say "Hey **comma** what are you up to **question mark**." + +Here are the punctuation keywords you can use: + +- Period, comma, question mark, exclamation point/exclamation mark +- New line/new paragraph +- Semicolon, colon +- Open quote(s), close quote(s) +- Hashtag, smiley/smiley face, frowny, winky +- Dollar, percent + +Sometimes it's helpful to spell out things like email addresses. For instance, to dictate example@outlook.com, you'd say "E X A M P L E at outlook dot com." + +## Do more with Cortana Cortana can help you do all kinds of things on your HoloLens, from searching the web to shutting down your device. To get her attention, select Cortana on Start or say "Hey Cortana" anytime. ![Hey Cortana!](images/cortana-on-hololens.png) -## What do I say to Cortana - Here are some things you can try saying (remember to say "Hey Cortana" first): - What can I say? 
@@ -44,7 +81,8 @@ Here are some things you can try saying (remember to say "Hey Cortana" first): - Tell me a joke. >[!NOTE] ->- Some Cortana features you're used to from Windows on your PC or phone (for example, reminders and notifications) aren't supported in Microsoft HoloLens Development Edition. Cortana on HoloLens is English only, and the Cortana experience may vary among regions. ->- Cortana is on the first time you use HoloLens. You can turn her off in Cortana's settings. In the All apps list, select Cortana > Settings. Then turn off Cortana can give you suggestions, ideas, reminders, alerts, and more. +> +>- Some Cortana features you're used to from Windows on your PC or phone (for example, reminders and notifications) aren't supported in Microsoft HoloLens Development Edition. Cortana on HoloLens is English-only, and the Cortana experience may vary among regions. +>- Cortana is on the first time you use HoloLens. You can turn her off in Cortana's settings. In the **All apps** list, select **Cortana > Settings**. Then turn off Cortana can give you suggestions, ideas, reminders, alerts, and more. >- If Cortana isn't responding to "Hey Cortana," go to Cortana's settings and check to make sure she's on. ->- If you turn Cortana off, "Hey Cortana" voice commands won't be available, but you'll still be able to use other commands (like "Select" and "Place"). +>- If you turn Cortana off, "Hey Cortana" voice commands won't be available, but you'll still be able to use other commands (such as "Select" and "Place"). diff --git a/devices/hololens/hololens-find-and-save-files.md b/devices/hololens/hololens-find-and-save-files.md index ba459eff13..e147ac2845 100644 --- a/devices/hololens/hololens-find-and-save-files.md +++ b/devices/hololens/hololens-find-and-save-files.md 
@@ -16,6 +16,9 @@ ms.localizationpriority: medium # Find and save files on HoloLens +Add content from [Find and save files](https://docs.microsoft.com/en-us/windows/mixed-reality/saving-and-finding-your-files) + + Files you create on HoloLens, including Office documents, photos, and videos, are saved to your HoloLens. To view and manage them, you can use the File Explorer app on HoloLens or File Explorer on your PC. To sync photos and other files to the cloud, use the OneDrive app on HoloLens. ## View files on HoloLens diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md index c4f9c80521..7ff737a027 100644 --- a/devices/hololens/hololens-install-apps.md +++ b/devices/hololens/hololens-install-apps.md @@ -1,16 +1,15 @@ --- -title: Install apps on HoloLens (HoloLens) +title: Install apps on HoloLens description: The recommended way to install apps on HoloLens is to use Microsoft Store for Business. ms.prod: hololens ms.mktglfcycl: manage ms.sitesec: library -author: dansimp -ms.author: dansimp +author: scooley +ms.author: scooley ms.topic: article ms.localizationpriority: medium ms.date: 10/23/2018 ms.reviewer: -manager: dansimp --- # Install apps on HoloLens 
@@ -72,9 +71,9 @@ Using Intune, you can also [monitor your app deployment](https://docs.microsoft. >[!IMPORTANT] >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) -1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC. +1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC. -2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_usb). +2. On a PC, connect to the HoloLens using [Wi-Fi](https://docs.microsoft.com/windows/mixed-reality/connecting-to-wi-fi-on-hololens) or USB. 3. 
[Create a user name and password](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up. @@ -84,13 +83,7 @@ Using Intune, you can also [monitor your app deployment](https://docs.microsoft. 4. In the Windows Device Portal, click **Apps**. ![App Manager](images/apps.png) - + 5. In **Install app**, select an **app package** from a folder on your computer or network. If the app package requires additional software, such as dependency frameworks, select **I want to specify framework packages**. 6. In **Deploy**, click **Go** to deploy the app package and added dependencies to the connected HoloLens. - - - - - - diff --git a/devices/hololens/hololens-network.md b/devices/hololens/hololens-network.md new file mode 100644 index 0000000000..6f7cb43370 --- /dev/null +++ b/devices/hololens/hololens-network.md 
@@ -0,0 +1,40 @@
+---
+title: Connect to a network
+description: Connect to a wi-fi or ethernet network with HoloLens.
+ms.assetid: 0895606e-96c0-491e-8b1c-52e56b00365d
+ms.prod: hololens
+ms.sitesec: library
+author: Teresa-Motiv
+ms.author: v-tea
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 8/12/19
+manager: jarrettr
+ms.reviewer:
+appliesto:
+- Hololens
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# Connect to a network
+
+You'll need to be connected to a network to do most things on your HoloLens. [What can I do offline](hololens-offline.md)?
+
+## Connecting for the first time
+
+The first time you use your HoloLens, you'll be guided through connecting to a Wi-Fi network. If you have trouble connecting to Wi-Fi during setup, make sure your network is either open, password protected, or a captive portal network and doesn't require using certificates to connect. After setup, you can connect to other types of Wi-Fi networks.
+
+## Connecting to Wi-Fi after setup
+
+1. Go to **Start**, then select **Settings**.
+
+1. _HoloLens (1st gen) only_ - Use your gaze to position the Settings app, then air tap to place it, or say "Place."
+
+1. Select **Network & Internet** > **Wi-Fi**. If you don't see your network, scroll down the list.
+
+1. Select a network > **Connect**.
+
+1. Type the network password if asked for one, then select **Next**.
+
+Also see [Connect to Wifi](https://docs.microsoft.com/en-us/windows/mixed-reality/connecting-to-wi-fi-on-hololens)
diff --git a/devices/hololens/hololens-offline.md b/devices/hololens/hololens-offline.md
index 49190e6907..7de0cc1381 100644
--- a/devices/hololens/hololens-offline.md
+++ b/devices/hololens/hololens-offline.md
@@ -16,6 +16,9 @@ ms.localizationpriority: medium
 # Use HoloLens offline
+[Use offline](https://support.microsoft.com/en-us/help/12645)
+
+
 To set up HoloLens, you'll need to connect to a Wi-Fi network—the setup tutorial will show you how.
 ## HoloLens limitations
diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md
index 6cb247c60b..6d0b1dcf12 100644
--- a/devices/hololens/hololens-requirements.md
+++ b/devices/hololens/hololens-requirements.md
@@ -1,88 +1,147 @@
 ---
-title: HoloLens in the enterprise requirements and FAQ (HoloLens)
-description: Requirements and FAQ for general use, Wi-Fi, and device management for HoloLens in the enterprise.
+title: Set up HoloLens in a commercial environment
+description: Learn more about deploying and managing HoloLens in enterprise environments.
 ms.prod: hololens
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+ms.assetid: 88bf50aa-0bac-4142-afa4-20b37c013001
+author: scooley
+ms.author: scooley
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 06/04/2018
-ms.reviewer:
-manager: dansimp
+ms.date: 07/15/2019
 ---
-# Microsoft HoloLens in the enterprise: requirements and FAQ
+# Deploy HoloLens in a commercial environment
-When you develop for HoloLens, there are [system requirements and tools](https://developer.microsoft.com/windows/mixed-reality/install_the_tools) that you need. In an enterprise environment, there are also a few requirements to use and manage HoloLens which are listed below.
+TODO - [Commercial features](https://docs.microsoft.com/en-us/windows/mixed-reality/commercial-features)
-## Requirements
+Deploy and configure HoloLens at scale in a commercial setting.
-### General use
-- Microsoft account or Azure Active Directory (Azure AD) account
-- Wi-Fi network to set up HoloLens
+This article includes:
->[!NOTE]
->After you set up HoloLens, you can use it offline [with some limitations](https://support.microsoft.com/help/12645/hololens-use-hololens-offline).
+- infrastructure requirements and recommendations for HoloLens management
+- tools for provisioning HoloLens
+- instructions for remote device management
+- options for application deployment
+This guide assumes basic familiarity with HoloLens. Follow the [get started guide](./hololens-setup.md) to set up HoloLens for the first time.
+
+## Infrastructure for managing HoloLens
+
+HoloLens are, at their core, a Windows mobile device integrated with Azure. They work best in commercial environments with wireless network availability (wi-fi) and access to Microsoft services.
+
+Critical cloud services include:
+
+- Azure active directory (AAD)
+- Windows Update (WU)
+
+Commercial customers will need enterprise mobility management (EMM) or mobile device management (MDM) infrastructure in order to manage HoloLens devices at scale. This guide uses [Microsoft Intune](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune) as an example though any provider with full support for Microsoft Policy can support HoloLens. Ask your mobile device management provider if they support HoloLens 2.
+
+HoloLens does support a limited set of cloud disconnected experiences.
+
+## Initial set up at scale
+
+The HoloLens out of box experience is great for setting up one or two devices or for experiencing HoloLens for the first time. If you're provisioning many HoloLens devices, however, picking your language and settings manually for each device gets tedious and limits scale.
+
+This section:
+
+1. introduces Windows provisioning using provisioning packages
+1. walks through applying a provisioning package during first setup
+
+### Create and apply a provisioning package
+
+The best way to configure many new HoloLens devices is with Windows provisioning. Using Windows provisioning, you can specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in minutes.
+
+A [provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) (.ppkg) is a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device.
+
+### Upgrade to Windows Holographic for Business
+
+- HoloLens Enterprise license XML file
+
+Some of the HoloLens configurations that you can apply in a provisioning package:
+
+- Apply certificates to the device
+- Set up a Wi-Fi connection
+- Pre-configure out of box questions like language and locale.
+- (HoloLens 2) bulk enroll in mobile device management
+- (HoloLens v1) Apply key to enable Windows Holographic for Business
+
+Follow [this guide](https://docs.microsoft.com/hololens/hololens-provisioning) to create and apply a provisioning package to HoloLens.
+
+### Set up user identity and enroll in device management
+
+The last step setting up HoloLens for management at scale is to enroll devices with mobile device management infrastructure. There are several ways to enroll:
+
+1. Bulk enrollment with a security token in a provisioning package.
+ Pros: this is the most automated approach
+ Cons: takes initial server-side setup
+1. Auto-enroll on user sign in
+ Pros: easiest approach
+ Cons: users will need to complete set up after the provisioning package has been applied
+1. _not recommended_ - Manually enroll post-setup
+ Pros: possible to enroll after set up
+ Cons: most manual approach and devices aren't centrally manageable until they're manually enrolled.
+
+Learn more about MDM enrollment [here](hololens-enroll-mdm.md).
+
+## Ongoing device management
+
+Ongoing device management will depend on your mobile device management infrastructure. Most have the same general functionality but the user interface may vary widely.
+
+This article outlines [policies and capabilities HoloLens supports](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#hololens).
+
+[This article](https://docs.microsoft.com/intune/windows-holographic-for-business) talks about Intune's management tools for HoloLens.
+
+### Push compliance policy via Intune
+
+[Compliance policies](https://docs.microsoft.com/intune/device-compliance-get-started) are rules and settings that devices must meet to be compliant in your corporate infrastructure. Use these policies with Conditional Access to block access to company resources for devices that are not-compliant.
+
+For example, you can create a policy that requires Bitlocker be enabled.
+
+[Create compliance policies with Intune](https://docs.microsoft.com/intune/compliance-policy-create-windows).
+
+### Manage updates
+
+Intune includes a feature called update rings for Windows 10 devices, including HoloLens 2 and HoloLens v1 (with Holographic for Business). Update rings include a group of settings that determine how and when updates are installed.
+
+For example, you can create a maintenance window to install updates, or choose to restart after updates are installed. You can also choose to pause updates indefinitely until you're ready to update.
+
+Read more about [configuring update rings with Intune](https://docs.microsoft.com/en-us/intune/windows-update-for-business-configure).
+
+## Application management
+
+Manage holoLens applications through:
+
+1. Microsoft Store
+ The Microsoft Store is the best way to distribute and consume application on HoloLens. There is a great set of core HoloLens applications already available in the store or you can [publish your own](https://docs.microsoft.com/en-us/windows/uwp/publish/).
+ All applications in the store are available publicly to everyone, if that isn't acceptable, checkout the Microsoft Store for Business.
+
+1. [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/)
+ Microsoft Store for Business and Education is a custom store for your corporate environment. It lets you use the Microsoft Store built into Windows 10 and HoloLens to find, acquire, distribute, and manage apps for your organization. It lets you deploy apps that are specific to your commercial environment but not to the world.
+
+1. Application deployment and management via Intune or another mobile device management solution
+ Most mobile device management solutions, including Intune, provide a way to deploy line of business applications directly to a set of enrolled devices. See this article for [Intune app install](https://docs.microsoft.com/intune/apps-deploy).
+
+1. _not recommended_ Device Portal
+ Applications can also be installed on HoloLens directly using the Windows Device Portal. This isn't recommended since Developer Mode has to be enabled to use device portal.
+
+Read more about [installing apps on HoloLens](https://docs.microsoft.com/hololens/hololens-install-apps).
+
+## Get support
+
+Get support through the Microsoft support site.
+
+[File a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f).
+
+## Technical Reference
+
+### Wireless network EAP support
-### Supported wireless network EAP methods
 - PEAP-MS-CHAPv2
 - PEAP-TLS
-- TLS
+- TLS
 - TTLS-CHAP
 - TTLS-CHAPv2
 - TTLS-MS-CHAPv2
 - TTLS-PAP
 - TTLS-TLS
-
-### Device management
- - Users have Azure AD accounts with [Intune license assigned](https://docs.microsoft.com/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4)
- - Wi-Fi network
- - Intune or a 3rd party mobile device management (MDM) provider that uses Microsoft MDM APIs
-
-### Upgrade to Windows Holographic for Business
-- HoloLens Enterprise license XML file
-
-
-## FAQ for HoloLens
-
-
-#### Is Windows Hello for Business supported on HoloLens?
-
-Windows Hello for Business (using a PIN to sign in) is supported for HoloLens. To allow Windows Hello for Business PIN sign-in on HoloLens:
-
-1. The HoloLens device must be [managed by MDM](hololens-enroll-mdm.md).
-2. You must enable Windows Hello for Business for the device. ([See instructions for Microsoft Intune.](https://docs.microsoft.com/intune/windows-hello))
-3. On HoloLens, the user can then set up a PIN from **Settings** > **Sign-in Options** > **Add PIN**.
-
->[!NOTE]
->Users who sign in with a Microsoft account can also set up a PIN in **Settings** > **Sign-in Options** > **Add PIN**. This PIN is associated with [Windows Hello](https://support.microsoft.com/help/17215/windows-10-what-is-hello), rather than [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview).
-
-#### Does the type of account change the sign-in behavior?
-
-Yes, the behavior for the type of account impacts the sign-in behavior. If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type.
-
-- Microsoft account: signs in automatically
-- Local account: always asks for password, not configurable in **Settings**
-- Azure AD: asks for password by default; configurable by **Settings** to no longer ask for password.
-
->[!NOTE]
->Inactivity timers are currently not supported, which means that the **AllowIdleReturnWithoutPassword** policy is respected only when the device goes into StandBy.
-
-
-#### How do I remove a HoloLens device from the Intune dashboard?
-
-You cannot [unenroll](https://docs.microsoft.com/intune-user-help/unenroll-your-device-from-intune-windows) HoloLens from Intune remotely. If the administrator unenrolls the device using MDM, the device will age out of the Intune dashboard.
-
-
-## Related resources
-
-[Getting started with Azure Active Directory Premium](https://azure.microsoft.com/documentation/articles/active-directory-get-started-premium/)
-
-[Get started with Intune](https://docs.microsoft.com/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune)
-
-[Enroll devices for management in Intune](https://docs.microsoft.com/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms)
-
-[Azure AD editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/)
-
diff --git a/devices/hololens/hololens-start.md b/devices/hololens/hololens-start.md
new file mode 100644
index 0000000000..d303ee0c44
--- /dev/null
+++ b/devices/hololens/hololens-start.md
@@ -0,0 +1,57 @@
+---
+title: HoloLens (1st gen) first start
+description: Go through the first start experience for HoloLens (1st gen).
+ms.assetid: 0136188e-1305-43be-906e-151d70292e87
+ms.prod: hololens
+author: Teresa-Motiv
+ms.author: v-tea
+ms.topic: article
+ms.date: 8/12/19
+manager: jarrettr
+ms.topic: article
+ms.localizationpriority: medium
+---
+
+# Set up HoloLens for the first time
+
+The first time you turn on your HoloLens, you'll be guided through calibrating your device, setting up your device, and signing in. This section walks through the HoloLens (1st gen) first start experience.
+
+In the next section, you'll learn how to work with HoloLens and interact with holograms. Skip ahead to [Get started with HoloLens (1st gen)](holographic-home.md)
+
+## Before you start
+
+Before you get started, make sure you have the following available:
+
+**A Wi-Fi connection**. You'll need to connect your HoloLens to a Wi-Fi network to set it up. The first time you connect, you'll need an open or password-protected network that doesn't require navigating to a website or using certificates to connect. After setup, you can [use your device offline](hololens-offline.md).
+
+**A Microsoft account**. You'll also need to sign in to HoloLens with a Microsoft account (or with your work account, if your organization owns the device). If you don't have a Microsoft account, go to [account.microsoft.com](http://account.microsoft.com) and set one up for free.
+
+**A safe, well-lit space with no tripping hazards**. [Health and safety info](http://go.microsoft.com/fwlink/p/?LinkId=746661).
+
+**The optional comfort accessories** that came with your HoloLens, to help you get the most comfortable fit. [More on fit and comfort](https://support.microsoft.com/help/12632/hololens-fit-your-hololens).
+
+> [!NOTE]
+> [Cortana](hololens-cortana.md) is already on and ready to guide you the first time you use your HoloLens (though she won't be able to respond to your questions until after you set up your device). You can turn Cortana off at any time in Cortana's settings.
+
+## Set up your HoloLens
+
+Set up your HoloLens and your user account.
+
+1. The first time you use your HoloLens, you'll be guided through connecting to a Wi-Fi network. If you have trouble connecting to Wi-Fi during setup, make sure your network is either open, password protected, or a captive portal network and doesn't require using certificates to connect. After setup, you can connect to other types of Wi-Fi networks.
+1. Sign in to your user account. You'll choose between **My work or school owns it** and **I own it**.
+ - When you choose **My work or school owns it**, you sign in by using an Azure AD account. If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app).
+ 1. Enter your organizational account information.
+ 1. Accept the privacy statement.
+ 1. Sign in by using your Azure AD credentials. This may redirect to your organization's sign-in page.
+ 1. Continue with device setup.
+ - When you choose **I own it**, you sign in by using a Microsoft account. After setup is complete, you can [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app).
+ 1. Enter your Microsoft account information.
+ 1. Enter your password. If your Microsoft account requires [two-step verification (2FA)](https://blogs.technet.microsoft.com/microsoft_blog/2013/04/17/microsoft-account-gets-more-secure/), complete the verification process.
+1. The device sets your time zone based on information obtained from the Wi-Fi network.
+1. Follow the first-start guides to learn how to interact with holograms, control the HoloLens with your voice, and access the start menu.
+
+Congratulations! Setup is complete and you can begin using HoloLens.
+
+## Next steps
+
+- [Get started with HoloLens (1st gen)](holographic-home.md)
diff --git a/devices/hololens/hololens-status.md b/devices/hololens/hololens-status.md
new file mode 100644
index 0000000000..22c5e995db
--- /dev/null
+++ b/devices/hololens/hololens-status.md
@@ -0,0 +1,36 @@
+---
+title: HoloLens status
+description: Shows the status of HoloLens online services.
+author: todmccoy
+ms.author: v-todmc
+ms.reviewer: luoreill
+manager: jarrettr
+audience: Admin
+ms.topic: article
+ms.prod: hololens
+localization_priority: Medium
+ms.sitesec: library
+---
+
+# HoloLens status
+
+✔️ **All services are active**
+
+**Key** ✔️ Good, ⓘ Information, ⚠ Warning, ❌ Critical
+
+Area|HoloLens (1st gen)|HoloLens 2
+----|:----:|:----:
+[Azure services](https://status.azure.com/en-us/status)|✔️|✔️
+[Store app](https://www.microsoft.com/en-us/store/collections/hlgettingstarted/hololens)|✔️|✔️
+[Apps](https://www.microsoft.com/en-us/hololens/apps)|✔️|✔️
+[MDM](https://docs.microsoft.com/en-us/hololens/hololens-enroll-mdm)|✔️|✔️
+
+## Notes and related topics
+
+[Frequently asked questions about using Skype for HoloLens](https://support.skype.com/en/faq/FA34641/frequently-asked-questions-about-using-skype-for-hololens)
+
+For more details about the status of the myriad Azure Services that can connect to HoloLens, see [Azure status](https://azure.microsoft.com/en-us/status/).
+
+For more details about current known issues, see [HoloLens known issues](https://docs.microsoft.com/en-us/windows/mixed-reality/hololens-known-issues).
+
+Follow HoloLens on [Twitter](https://twitter.com/HoloLens) and subscribe on [Reddit](https://www.reddit.com/r/HoloLens/).
diff --git a/devices/surface-hub/General-Data-Privacy-Regulation-and-Surface-Hub.md b/devices/surface-hub/General-Data-Privacy-Regulation-and-Surface-Hub.md
index 3254e13d6c..e499178078 100644
--- a/devices/surface-hub/General-Data-Privacy-Regulation-and-Surface-Hub.md
+++ b/devices/surface-hub/General-Data-Privacy-Regulation-and-Surface-Hub.md
@@ -2,8 +2,6 @@
 title: General Data Privacy Regulation and Surface Hub
 description: Informs users who are subject to EU data protection laws of their options regarding how to delete or restrict diagnostic data produced by Surface Hub.
 ms.assetid: 087713CF-631D-477B-9CC6-EFF939DE0186
-ms.reviewer:
-manager:
 keywords: GDPR
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index cc71b5adf8..2f7fc9fd1f 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -21,10 +21,10 @@
 ### [Configure Easy Authentication for Surface Hub 2S](surface-hub-2s-phone-authenticate.md)
 ## Deploy
+### [Surface Hub 2S adoption and training](surface-hub-2s-adoption-kit.md)
 ### [First time setup for Surface Hub 2S](surface-hub-2s-setup.md)
 ### [Connect devices to Surface Hub 2S](surface-hub-2s-connect.md)
 ### [Surface Hub 2S deployment checklist](surface-hub-2s-deploy-checklist.md)
-### [Surface Hub 2S adoption toolkit](surface-hub-2s-adoption-kit.md)
 ### [Create Surface Hub 2S device account](surface-hub-2s-account.md)
 ### [Create provisioning packages for Surface Hub 2S](surface-hub-2s-deploy.md)
 ### [Deploy apps to Surface Hub 2S using Intune](surface-hub-2s-deploy-apps-intune.md)
@@ -44,7 +44,7 @@
 ### [Secure and manage Surface Hub 2S with SEMM and UEFI](surface-hub-2s-secure-with-uefi-semm.md)
 ### [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
-## Support
+## Troubleshoot
 ### [Recover and reset Surface Hub 2S](surface-hub-2s-recover-reset.md)
 ### [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md)
 ### [How to pack and ship your Surface Hub 2S for service](surface-hub-2s-pack-components.md)
@@ -106,7 +106,7 @@
 ### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
 ### [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
-## Support
+## Troubleshoot
 ### [Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md)
 ### [Surface Hub SSD replacement](surface-hub-ssd-replacement.md)
diff --git a/devices/surface-hub/connect-app-in-surface-hub-unexpectedly-exits.md b/devices/surface-hub/connect-app-in-surface-hub-unexpectedly-exits.md
index 9e70a8755c..439d3c68d7 100644
--- a/devices/surface-hub/connect-app-in-surface-hub-unexpectedly-exits.md
+++ b/devices/surface-hub/connect-app-in-surface-hub-unexpectedly-exits.md
@@ -2,8 +2,6 @@
 title: What to do if the Connect app in Surface Hub exits unexpectedly
 description: Describes how to resolve an issue where the Connect app in Surface Hub exits to the Welcome screen after cycling through inputs.
 ms.assetid: 9576f4e4-d936-4235-8a03-d8a6fe9e8fec
-ms.reviewer:
-manager:
 keywords: surface, hub, connect, input, displayport
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md
index d9a7bc204f..6d0b532210 100644
--- a/devices/surface-hub/index.md
+++ b/devices/surface-hub/index.md
@@ -65,9 +65,9 @@ Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platfor

Deploy

-

Surface Hub 2S deployment checklist

-

Create device account

-

Deploy with provisioning package

+

Surface Hub 2S adoption and training

+

Surface Hub 2S deployment checklist

+

Create device account

diff --git a/devices/surface-hub/known-issues-and-additional-info-about-surface-hub.md b/devices/surface-hub/known-issues-and-additional-info-about-surface-hub.md
index 93c56d4e28..003795ec22 100644
--- a/devices/surface-hub/known-issues-and-additional-info-about-surface-hub.md
+++ b/devices/surface-hub/known-issues-and-additional-info-about-surface-hub.md
@@ -2,8 +2,6 @@
 title: Known issues and additional information about Microsoft Surface Hub
 description: Outlines known issues with Microsoft Surface Hub.
 ms.assetid: aee90a0c-fb05-466e-a2b1-92de89d0f2b7
-ms.reviewer:
-manager:
 keywords: surface, hub, issues
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index 01c378c14a..4535bd1f1b 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -10,7 +10,6 @@ ms.sitesec: library
 author: dansimp
 ms.author: dansimp
 ms.topic: article
-ms.date: 06/20/2019
 ms.localizationpriority: medium
 ---
@@ -69,7 +68,7 @@ This table gives examples of deployment rings.
 | Deployment ring | Ring size | Servicing branch | Deferral for feature updates | Deferral for quality updates (security fixes, drivers, and other updates) | Validation step |
 | --------- | --------- | --------- | --------- | --------- | --------- |
-| Preview (e.g. non-critical or test devices) | Small | Semi-annual channel (Targeted) | None. | None. | Manually test and evaluate new functionality. Pause updates if there are issues. |
+| Preview (e.g. non-critical or test devices) | Small | Windows Insider Preview | None. | None. | Manually test and evaluate new functionality. Pause updates if there are issues. |
 | Release (e.g. devices used by select teams) | Medium | Semi-annual channel | None. | None. | Monitor device usage and user feedback. Pause updates if there are issues. |
 | Broad deployment (e.g. most of the devices in your organization) | Large | Semi-annual channel | 120 days after release. | 7-14 days after release. | Monitor device usage and user feedback. Pause updates if there are issues. |
 | Mission critical (e.g. devices in executive boardrooms) | Small | Semi-annual channel | 180 days after release (maximum deferral for feature updates). | 30 days after release (maximum deferral for quality updates). | Monitor device usage and user feedback. |
diff --git a/devices/surface-hub/surface-Hub-installs-updates-and-restarts-outside-maintenance-hours.md b/devices/surface-hub/surface-Hub-installs-updates-and-restarts-outside-maintenance-hours.md
index 1ec6740c76..98ad30890e 100644
--- a/devices/surface-hub/surface-Hub-installs-updates-and-restarts-outside-maintenance-hours.md
+++ b/devices/surface-hub/surface-Hub-installs-updates-and-restarts-outside-maintenance-hours.md
@@ -2,8 +2,6 @@
 title: Surface Hub may install updates and restart outside maintenance hours
 description: troubleshooting information for Surface Hub regarding automatic updates
 ms.assetid: 6C09A9F8-F9CF-4491-BBFB-67A1A1DED0AA
-ms.reviewer:
-manager:
 keywords: surface hub, maintenance window, update
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-2s-account.md b/devices/surface-hub/surface-hub-2s-account.md
index 025b2b8320..b3e9822a05 100644
--- a/devices/surface-hub/surface-hub-2s-account.md
+++ b/devices/surface-hub/surface-hub-2s-account.md
@@ -90,5 +90,5 @@ Import-Module LyncOnlineConnector
 $SfBSession = New-CsOnlineSession -Credential (Get-Credential)
 Import-PSSession $SfBSession -AllowClobber
 Enable the Skype for Business meeting room
-Enable-CsMeetingRoom -Identity account@YourDomain.com -RegistrarPoo(Get-CsTenant).Registrarpool -SipAddressType EmailAddress
+Enable-CsMeetingRoom -Identity account@YourDomain.com -RegistrarPool(Get-CsTenant).Registrarpool -SipAddressType EmailAddress
 ```
diff --git a/devices/surface-hub/surface-hub-2s-adoption-kit.md b/devices/surface-hub/surface-hub-2s-adoption-kit.md
index 119b93ff02..de75086db3 100644
--- a/devices/surface-hub/surface-hub-2s-adoption-kit.md
+++ b/devices/surface-hub/surface-hub-2s-adoption-kit.md
@@ -1,5 +1,5 @@
 ---
-title: "Surface Hub 2S adoption toolkit"
+title: "Surface Hub 2S Adoption and training guides"
 description: "Microsoft has developed downloadable materials that you can make available for your users to aid in adoption of Surface Hub 2S."
 keywords: separate values with commas
 ms.prod: surface-hub
@@ -9,17 +9,20 @@ ms.author: robmazz
 manager: laurawi
 audience: Admin
 ms.topic: article
-ms.date: 07/18/2019
+ms.date: 08/22/2019
 ms.localizationpriority: Medium
 ---
-# Surface Hub 2S adoption toolkit
+# Surface Hub 2S adoption and training guides
-Microsoft has developed downloadable materials that you can make available for your users to aid in adoption of Surface Hub 2S.
+Whether you are a small or large business, a Surface Hub adoption plan is critical in generating the right use cases and helping your users become comfortable with the device. Check out these downloadable guides designed to help you deliver training across your organization.
+
+## Adoption toolkit
+
+- [Surface Hub adoption toolkit](downloads/SurfaceHubAdoptionToolKit.pdf)
 ## Training guides
-- [Surface Hub adoption toolkit](downloads/SurfaceHubAdoptionToolKit.pdf)
 - [Training guide – end user](downloads/TrainingGuide-SurfaceHub2S-EndUser.pdf)
 - [Training guide – power user](downloads/TrainingGuide-SurfaceHub2S-PowerUser.pdf)
 - [Training guide – help desk](downloads/TrainingGuide-SurfaceHub2S-HelpDesk.pdf)
@@ -27,8 +30,6 @@ Microsoft has developed downloadable materials that you can make available for y
 [Download all training guides](http://download.microsoft.com/download/2/2/3/2234F70E-E65A-4790-93DF-F4C373A75B8E/SurfaceHub2S-TrainerGuides-July2019.zip)
-[Download all training guides](http://download.microsoft.com/download/2/2/3/2234F70E-E65A-4790-93DF-F4C373A75B8E/SurfaceHub2S-TrainerGuides-July2019.zip)
-
 ## End user guides
 - [Guide to Navigation on Surface Hub](downloads/Guide-SurfaceHub2S-Navigation.pptx)
@@ -36,6 +37,8 @@ Microsoft has developed downloadable materials that you can make available for y - [Guide to Microsoft Whiteboard on Surface Hub](downloads/Guide-SurfaceHub2S-Whiteboard.pptx) - [Guide to Microsoft Teams on Surface Hub](downloads/Guide-SurfaceHub2S-Teams.pptx) +[Download all end user guides](http://download.microsoft.com/download/E/7/F/E7FC6611-BB55-43E1-AF36-7BD5CE6E0FE0/SurfaceHub2S-EndUserGuides-July2019.zip) + +## Quick reference cards + +- [Connect your PC](downloads/QRCConnectYourPC.pdf)
@@ -49,4 +52,4 @@ Microsoft has developed downloadable materials that you can make available for y
 - [Whiteboard advanced](downloads/QRCWhiteboardAdvanced.pdf)
 - [Whiteboard tools](downloads/QRCWhiteboardTools.pdf)
-[Download all user guides and quick reference cards](http://download.microsoft.com/download/E/7/F/E7FC6611-BB55-43E1-AF36-7BD5CE6E0FE0/SurfaceHub2S-EndUserGuides-July2019.zip)
+[Download all quick reference cards](http://download.microsoft.com/download/E/7/F/E7FC6611-BB55-43E1-AF36-7BD5CE6E0FE0/SurfaceHub2S-EndUserGuides-July2019.zip)
diff --git a/devices/surface-hub/surface-hub-start-menu.md b/devices/surface-hub/surface-hub-start-menu.md
index 9ddfa628e6..9c1f451f63 100644
--- a/devices/surface-hub/surface-hub-start-menu.md
+++ b/devices/surface-hub/surface-hub-start-menu.md
@@ -3,12 +3,12 @@ title: Configure Surface Hub Start menu
 description: Use MDM to customize the Start menu on Surface Hub.
 ms.prod: surface-hub
 ms.sitesec: library
-author: levinec
-ms.author: ellevin
+author: robmazz
+ms.author: robmazz
 ms.topic: article
-ms.date: 01/17/2018
+ms.date: 08/15/2018
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ---
@@ -107,7 +107,7 @@ There are a few key differences between Start menu customization for Surface Hub ## Example: Start layout that includes a Microsoft Edge link -This example shows a link to a website and a link to a .pdf file. +This example shows a link to a website and a link to a .pdf file. The secondary tile for Microsoft Edge uses a 150 x 150 pixel icon. ```xml @@ -165,10 +165,10 @@ This example shows a link to a website and a link to a .pdf file. TileID="6153963000" DisplayName="cstrtqbiology.pdf" Arguments="-contentTile -formatVersion 0x00000003 -pinnedTimeLow 0x45b7376e -pinnedTimeHigh 0x01d2356c -securityFlags 0x00000000 -tileType 0x00000000 -url 0x0000003a https://www.ada.gov/regs2010/2010ADAStandards/Guidance_2010ADAStandards.pdf" - Square150x150LogoUri="ms-appx:///" + Square150x150LogoUri="ms-appx:///Assets/MicrosoftEdgeSquare150x150.png" Wide310x150LogoUri="ms-appx:///" - ShowNameOnSquare150x150Logo="true" - ShowNameOnWide310x150Logo="true" + ShowNameOnSquare150x150Logo="true" + ShowNameOnWide310x150Logo="false" BackgroundColor="#ff4e4248" Size="4x2" Row="4" @@ -181,8 +181,6 @@ This example shows a link to a website and a link to a .pdf file. ``` >[!NOTE] ->Microsoft Edge tile logos won't appear on secondary tiles because they aren't stored in Surface Hub. -> >The default value for `ForegroundText` is light; you don't need to include `ForegroundText` in your XML unless you're changing the value to dark. ## More information diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index 568e515039..0f70604dac 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md @@ -2,8 +2,6 @@ title: Surface Hub update history description: Surface Hub update history ms.assetid: d66a9392-2b14-4cb2-95c3-92db0ae2de34 -ms.reviewer: -manager: keywords: ms.prod: surface-hub ms.sitesec: library 
diff --git a/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md b/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md
index 12678d2a9c..7a30ff1e37 100644
--- a/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md
+++ b/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md
@@ -2,8 +2,6 @@
 title: Surface Hub Miracast channels 149-165 not supported in Europe, Japan, Israel
 description: Surface Hub Miracast channels 149-165 not supported in Europe, Japan, Israel
 ms.assetid: 8af3a832-0537-403b-823b-12eaa7a1af1f
-ms.reviewer:
-manager:
 keywords:
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md b/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md
index 2cb3ab2414..d03cfe3055 100644
--- a/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md
+++ b/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md
@@ -2,8 +2,6 @@
 title: How to use cloud recovery for BitLocker on a Surface Hub
 description: How to use cloud recovery for BitLocker on a Surface Hub
 ms.assetid: c0bde23a-49de-40f3-a675-701e3576d44d
-ms.reviewer:
-manager:
 keywords: Accessibility settings, Settings app, Ease of Access
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
index eedbfe9ae5..40a5768d27 100644
--- a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
+++ b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
@@ -2,8 +2,6 @@ title: Using the Surface Hub Hardware Diagnostic Tool to test a device account description: Using the Surface Hub Hardware Diagnostic Tool to test a device account ms.assetid: a87b7d41-d0a7-4acc-bfa6-b9070f99bc9c -ms.reviewer: -manager: keywords: Accessibility settings, Settings app, Ease of Access ms.prod: surface-hub ms.sitesec: library diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index e74076b642..665c1bd9c4 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -30,15 +30,16 @@ ### [Surface System SKU reference](surface-system-sku-reference.md) ## Manage +### [Optimizing wireless connectivity for Surface devices](surface-wireless-connect.md) ### [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) ### [Battery Limit setting](battery-limit.md) ### [Surface Brightness Control](microsoft-surface-brightness-control.md) ### [Surface Asset Tag](assettag.md) ### [Surface firmware and driver updates](update.md) -### [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) +### [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) ### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) ### [Surface Dock Updater](surface-dock-updater.md) -### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) + ## Secure ### [Manage Surface UEFI settings](manage-surface-uefi-settings.md) 
@@ -46,12 +47,14 @@ ### [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) ### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) - -## Support -### [Fix common Surface problems using the Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-for-business-intro.md) -### [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) -### [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) -### [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) +### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) ### [Surface Data Eraser](microsoft-surface-data-eraser.md) + +## Troubleshoot ### [Top support solutions for Surface devices](support-solutions-surface.md) +### [Fix common Surface problems using the Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-for-business-intro.md) +#### [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) +#### [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) +#### [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) + ### [Change history for Surface documentation](change-history-for-surface.md) diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md index 60ff9078bd..e0df401dea 100644 --- a/devices/surface/assettag.md +++ b/devices/surface/assettag.md 
@@ -20,9 +20,9 @@ for Surface devices. It works on Surface Pro 3 and all newer Surface devices. ## System requirements - - Surface Pro 3 or later +- Surface Pro 3 or later - - UEFI firmware version 3.9.150.0 or later +- UEFI firmware version 3.9.150.0 or later ## Using Surface Asset Tag diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 14eea5c91d..ea290fea58 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -15,6 +15,14 @@ ms.topic: article This topic lists new and updated topics in the Surface documentation library. +## August 2019 + +| **New or changed topic** | **Description** | +| ------------------------ | --------------- | +| [Optimizing wireless connectivity for Surface devices](surface-wireless-connect.md) | New document highlights key wireless connectivity considerations for Surface devices in mobile scenarios. | +| [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Updated to reflect minor changes in the file naming convention for Surface MSI files. | + + ## July 2019 | **New or changed topic** | **Description** | diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 76e1c293cc..4bad708b64 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md 
@@ -1,5 +1,5 @@ --- -title: Download the latest firmware and drivers for Surface devices (Surface) +title: Deploy the latest firmware and drivers for Surface devices (Surface) description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device. ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A ms.reviewer: @@ -11,27 +11,43 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: dansimp -ms.date: 11/15/2018 +ms.date: 08/13/2018 ms.author: dansimp ms.topic: article --- -# Deploying the latest firmware and drivers for Surface devices +# Deploy the latest firmware and drivers for Surface devices Although Surface devices are typically automatically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment. -## Downloading MSI files +## Download MSI files To download MSI files, refer to the following Microsoft Support page: - [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface)
Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices. ## Deploying MSI files -Driver and firmware updates for Surface devices containing all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10. -In the name of each of these files you will find a Windows build number, this number indicates the minimum supported build required to install the drivers and firmware contained within. Refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information) for a list of the build numbers for each version. For example, to install the drivers contained in SurfacePro6_Win10_16299_1900307_0.msi file you must have Windows 10 Fall Creators Update version 1709, or newer installed on your Surface Pro 6. +Driver and firmware updates for Surface devices consisting of all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10. +The MSI file names contain useful information including the minimum supported Windows build number required to install the drivers and firmware. For example, to install the drivers contained in SurfaceBook_Win10_17763_19.080.2031.0.msi requires Windows 10 Fall Creators Update version 1709 or later installed on your Surface Book. + +To view build numbers for each version, refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information). ### Surface MSI naming convention -Each .MSI file is named in accordance with a formula that begins with the product and Windows release information, followed by the Windows build number and version number, and ending with the revision of version number. 
SurfacePro6_Win10_16299_1900307_0.msi is classified as follows: +Beginning in August 2019, MSI files use the following naming formula: + +- Product > Windows release > Windows build number > Version number > Revision of version number (typically zero). + +**Example:** +SurfacePro6_Win10_18362_19.073.44195_0.msi : + +| Product | Windows release | Build | Version | Revision of version | +| --- | --- | --- | --- | --- | +| SurfacePro6 | Win10 | 18362 | 19.073.44195 | 0 | +| | | | Indicates key date and sequence information. | Indicates release history of the update. | +| | | | **19:** Signifies the year (2019).
**073**: Signifies the month (July) and week of the release (3).
**44195**: Signifies the minute of the month that the MSI file was created. |**0:** Signifies it's the first release of version 1907344195 and has not been re-released for any reason. | + +### Legacy Surface MSI naming convention +Legacy MSI files prior to August 2019 followed the same overall naming formula but used a different method to derive the version number. **Example:** SurfacePro6_Win10_16299_1900307_0.msi : @@ -39,8 +55,8 @@ SurfacePro6_Win10_16299_1900307_0.msi : | Product | Windows release | Build | Version | Revision of version | | --- | --- | --- | --- | --- | | SurfacePro6 | Win10 | 16299 | 1900307 | 0 | -| | | | Indicates key date and sequence information | Indicates release history of the MSI file | -| | | | **19:** Signifies the year (2019)
**003**: Signifies that it’s the third release of 2019
**07**: Signifies the product version number. (Surface Pro 6 is officially the seventh version of Surface Pro.) | **0:** Signifies it's the first release of version 1900307 and has not been re-released for any reason. | +| | | | Indicates key date and sequence information. | Indicates release history of the MSI file. | +| | | | **19:** Signifies the year (2019)
**003**: Signifies that it’s the third release of 2019.
**07**: Signifies the product version number. (Surface Pro 6 is officially the seventh version of Surface Pro.) | **0:** Signifies it's the first release of version 1900307 and has not been re-released for any reason. | Look to the **version** number to determine the latest files that contain the most recent security updates. For example, you might need to install the newest file from the following list: @@ -52,22 +68,13 @@ Look to the **version** number to determine the latest files that contain the mo The first file — SurfacePro6_Win10_16299_1900307_0.msi — is the newest because its VERSION field has the newest build in 2019; the other files are from 2018. ## Supported devices -Downloadable MSI files are available for Surface devices from Surface Pro 2 and later. +Downloadable MSI files are available for Surface devices from Surface Pro 2 and later. - -[!NOTE] -There are no downloadable firmware or driver updates available for Surface devices with Windows RT, including Surface RT and Surface 2. Updates can only be applied using Windows Update. +>[!NOTE] +>There are no downloadable firmware or driver updates available for Surface devices with Windows RT, including Surface RT and Surface 2. Updates can only be applied using Windows Update. For more information about deploying Surface drivers and firmware, refer to: -- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates). - -- [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business). - - -  - - - - +- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates) +- [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business) 
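Review bot: The new example sentence in this hunk pairs build `17763` with "Windows 10 Fall Creators Update version 1709", but the page's own legacy example pairs build `16299` with version 1709, and build 17763 is the October 2018 Update, version 1809; an admin following the new sentence would stage an MSI on a build it will not install on. Suggested wording: `For example, to install the drivers contained in SurfaceBook_Win10_17763_19.080.2031.0.msi requires Windows 10 October 2018 Update version 1809 or later installed on your Surface Book.` In the same hunk the front matter changes `ms.date: 11/15/2018` to `ms.date: 08/13/2018`, moving the date backwards while the body introduces a naming scheme that begins in August 2019, so `ms.date: 08/13/2019` looks like the intended value. The `19.080.2031.0` version in the new example also does not follow the `19.073.44195_0` version/revision shape the table below it describes, which may confuse readers comparing the two.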
diff --git a/devices/surface/images/wifi-band.png b/devices/surface/images/wifi-band.png new file mode 100644 index 0000000000..38681a9dc8 Binary files /dev/null and b/devices/surface/images/wifi-band.png differ diff --git a/devices/surface/images/wifi-roaming.png b/devices/surface/images/wifi-roaming.png new file mode 100644 index 0000000000..eb539c9bd6 Binary files /dev/null and b/devices/surface/images/wifi-roaming.png differ diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md index d7e5bdc7d7..225135d993 100644 --- a/devices/surface/ltsb-for-surface.md +++ b/devices/surface/ltsb-for-surface.md @@ -1,5 +1,5 @@ --- -title: Long-Term Servicing Branch for Surface devices (Surface) +title: Long-Term Servicing Channel for Surface devices (Surface) description: LTSB is not supported for general-purpose Surface devices and should be used for specialized devices only. ms.prod: w10 ms.mktglfcycl: manage 
@@ -8,26 +8,25 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 04/25/2017 ms.reviewer: manager: dansimp --- -# Long-Term Servicing Branch (LTSB) for Surface devices +# Long-Term Servicing Channel (LTSC) for Surface devices >[!WARNING] >For updated information on this topic, see [Surface device compatibility with Windows 10 Long-Term Servicing Channel](surface-device-compatibility-with-windows-10-ltsc.md). For additional information on this update, see the [Documentation Updates for Surface and Windows 10 LTSB Compatibility](https://blogs.technet.microsoft.com/surface/2017/04/11/documentation-updates-for-surface-and-windows-10-ltsb-compatibility) post on the Surface Blog for IT Pros. -General-purpose Surface devices running Long-Term Servicing Branch (LTSB) are not supported. As a general guideline, if a Surface device runs productivity software, such as Microsoft Office, it is a general-purpose device that does not qualify for LTSB and should instead run Current Branch (CB) or Current Branch for Business (CBB). +General-purpose Surface devices in the Long-Term Servicing Channel (LTSC) are not supported. As a general guideline, if a Surface device runs productivity software, such as Microsoft Office, it is a general-purpose device that does not qualify for LTSC and should instead be on the Semi-Annual Channel. >[!NOTE] >For more information about the servicing branches, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview). -LTSB prevents Surface devices from receiving critical Windows 10 feature updates and certain non-security servicing updates. Customers with poor experiences using Surface devices in the LTSB configuration will be instructed to upgrade to CB or CBB. Furthermore, the Windows 10 Enterprise LTSB edition removes core features of Surface devices, including seamless inking and touch-friendly applications. 
It does not contain key in-box applications including Microsoft Edge, OneNote, Calendar or Camera. Therefore, productivity is impacted and functionality is limited. LTSB is not supported as a suitable servicing solution for general-purpose Surface devices. +LTSC prevents Surface devices from receiving critical Windows 10 feature updates and certain non-security servicing updates. Customers with poor experiences using Surface devices in the LTSC configuration will be instructed to switch to the Semi-Annual Channel. Furthermore, the Windows 10 Enterprise LTSB edition removes core features of Surface devices, including seamless inking and touch-friendly applications. It does not contain key in-box applications including Microsoft Edge, OneNote, Calendar or Camera. Therefore, productivity is impacted and functionality is limited. LTSC is not supported as a suitable servicing solution for general-purpose Surface devices. -General-purpose Surface devices are intended to run CB or CBB to receive full servicing and firmware updates and forward compatibility with the introduction of new Surface features. With CB, feature updates are available as soon as Microsoft releases them. Customers in the CBB servicing model receive the same build of Windows 10 as those in CB, at a later date. +General-purpose Surface devices are intended to run on the Semi-Annual Channel to receive full servicing and firmware updates and forward compatibility with the introduction of new Surface features. In the Semi-Annual Channel, feature updates are available as soon as Microsoft releases them. -Surface devices in specialized scenarios–such as PCs that control medical equipment, point-of-sale systems, and ATMs–may consider the use of LTSB. These special-purpose systems typically perform a single task and do not require feature updates as frequently as other devices in the organization. 
+Surface devices in specialized scenarios–such as PCs that control medical equipment, point-of-sale systems, and ATMs–might consider the use of LTSC. These special-purpose systems typically perform a single task and do not require feature updates as frequently as other devices in the organization. diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md index 6dcd9db277..ede174d674 100644 --- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md +++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md @@ -9,6 +9,7 @@ ms.author: dansimp ms.topic: article ms.reviewer: manager: dansimp +ms.date: 08/21/2019 --- # Best practice power settings for Surface devices 
@@ -25,10 +26,14 @@ low power idle state (S0ix). To ensure Surface devices across your organization fully benefit from Surface power optimization features: -- Exclude Surface devices from any existing power management policy settings and let the Surface default policy control the power policy and behavior of the device. -- If you must manage the power profile of devices across your network (such as in highly managed organizations), use the powercfg command tool to export the power profile from the factory image of the Surface device and then import it into the provisioning package for your Surface devices. For more information, refer to [Configure power settings](https://docs.microsoft.com/windows-hardware/customize/power-settings/configure-power-settings). -- Always use the newest available version of the drivers and firmware for your devices and for the version of Windows 10 they're running. For more information, refer to [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) -- Avoid creating custom power profiles or adjusting advanced power settings not visible in the default UI (**System** > **Power & sleep**). For more information, refer to User best practices for extended battery life in this document. +- Install the latest drivers and firmware from Windows Update or the Surface Driver and Firmware MSI. This creates the balanced power plan (aka power profile) by default and configures optimal power settings. For more information, refer to [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md). +- Avoid creating custom power profiles or adjusting advanced power settings not visible in the default UI (**System** > **Power & sleep**). 
+- If you must manage the power profile of devices across your network (such as in highly managed organizations), use the powercfg command tool to export the power plan from the factory image of the Surface device and then import it into the provisioning package for your Surface devices. + +>[!NOTE] +>You can only export a power plan across the same type of Surface device. For example, you cannot export a power plan from Surface Laptop and import it on Surface Pro. For more information, refer to [Configure power settings](https://docs.microsoft.com/windows-hardware/customize/power-settings/configure-power-settings). + +- Exclude Surface devices from any existing power management policy settings. ## Background @@ -59,14 +64,14 @@ instant on/instant off functionality typical of smartphones. S0ix, also known as Deepest Runtime Idle Platform State (DRIPS), is the default power mode for Surface devices. Modern standby has two modes: - - **Connected standby.** The default mode for up-to-the minute - delivery of emails, messaging, and cloud-synced data, connected - standby keeps Wi-Fi on and maintains network connectivity. +- **Connected standby.** The default mode for up-to-the minute + delivery of emails, messaging, and cloud-synced data, connected + standby keeps Wi-Fi on and maintains network connectivity. - - **Disconnected standby.** An optional mode for extended battery - life, disconnected standby delivers the same instant-on experience - and saves power by turning off Wi-Fi, Bluetooth, and related network - connectivity. +- **Disconnected standby.** An optional mode for extended battery + life, disconnected standby delivers the same instant-on experience + and saves power by turning off Wi-Fi, Bluetooth, and related network + connectivity. To learn more about modern standby, refer to the [Microsoft Hardware Dev Center](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-wake-sources). 
@@ -76,13 +81,13 @@ Center](https://docs.microsoft.com/windows-hardware/design/device-experiences/mo Surface integrates the following features designed to help users optimize the power management experience: - - [Singular power plan](#singular-power-plan) +- [Singular power plan](#singular-power-plan) - - [Simplified power settings user - interface](#simplified-power-settings-user-interface) +- [Simplified power settings user + interface](#simplified-power-settings-user-interface) - - [Windows performance power - slider](#windows-performance-power-slider) +- [Windows performance power + slider](#windows-performance-power-slider) ### Singular power plan @@ -171,4 +176,4 @@ To learn more, see: - [Battery saver](https://docs.microsoft.com/windows-hardware/design/component-guidelines/battery-saver) -- [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) \ No newline at end of file +- [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md index 34ccb3aa18..41b2e3d994 100644 --- a/devices/surface/microsoft-surface-brightness-control.md +++ b/devices/surface/microsoft-surface-brightness-control.md 
@@ -25,16 +25,16 @@ designed to help reduce thermal load and lower the overall carbon footprint for deployed Surface devices. The tool automatically dims the screen when not in use and includes the following configuration options: - - Period of inactivity before dimming the display. +- Period of inactivity before dimming the display. - - Brightness level when dimmed. +- Brightness level when dimmed. - - Maximum brightness level when in use. +- Maximum brightness level when in use. **To run Surface Brightness Control:** - - Install surfacebrightnesscontrol.msi on the target device and Surface Brightness Control - will begin working immediately. +- Install surfacebrightnesscontrol.msi on the target device and Surface Brightness Control + will begin working immediately. ## Configuring Surface Brightness Control diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md index a1e5874ea2..956924345f 100644 --- a/devices/surface/step-by-step-surface-deployment-accelerator.md +++ b/devices/surface/step-by-step-surface-deployment-accelerator.md 
@@ -100,25 +100,25 @@ The following steps show you how to create a deployment share for Windows 10 tha 7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes: - - Download of Windows ADK + - Download of Windows ADK - - Installation of Windows ADK + - Installation of Windows ADK - - Download of MDT + - Download of MDT - - Installation of MDT + - Installation of MDT - - Download of Surface apps and drivers + - Download of Surface apps and drivers - - Creation of the deployment share + - Creation of the deployment share - - Import of Windows installation files into the deployment share + - Import of Windows installation files into the deployment share - - Import of the apps and drivers into the deployment share + - Import of the apps and drivers into the deployment share - - Creation of rules and task sequences for Windows deployment + - Creation of rules and task sequences for Windows deployment - ![The installation progress window](images/sdasteps-fig5-installwindow.png "The installation progress window") + ![The installation progress window](images/sdasteps-fig5-installwindow.png "The installation progress window") *Figure 5. The Installation Progress window* diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md index 83613f4a36..47046fbd72 100644 --- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md +++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md 
@@ -29,10 +29,9 @@ Before you run the diagnostic tool, make sure you have the latest Windows update **To run the Surface Diagnostic Toolkit for Business:** 1. Download the [Surface Diagnostic Toolkit for Business](https://aka.ms/SDT4B). -2. Select Run and follow the on-screen instructions. - -The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required. For more detailed information on Surface Diagnostic Toolkit for Business, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business). +2. Select Run and follow the on-screen instructions. For full details, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business). +The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required. # If you still need help If the Surface Diagnostic Toolkit for Business didn’t fix the problem, you can also: diff --git a/devices/surface/surface-wireless-connect.md b/devices/surface/surface-wireless-connect.md new file mode 100644 index 0000000000..fe1ff34fe6 --- /dev/null +++ b/devices/surface/surface-wireless-connect.md 
@@ -0,0 +1,84 @@ +--- +title: Optimizing wireless connectivity for Surface devices +description: This topic provides guidance around recommended wireless connectivity settings for network admins and users. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: dansimp +ms.localizationpriority: medium +ms.author: dansimp +ms.topic: article +ms.date: 08/15/2019 +ms.reviewer: +manager: dansimp +--- +# Optimizing wireless connectivity for Surface devices + +## Introduction + +To stay connected with all-day battery life, Surface devices implement wireless connectivity settings that balance performance and power conservation. Outside of the most demanding mobility scenarios, users can maintain sufficient wireless connectivity without modifying default network adapter or related settings. + +In congested network environments, organizations can implement purpose-built wireless protocols across multiple network access points to facilitate roaming. This page highlights key wireless connectivity considerations in mobile scenarios utilizing Surface Pro 3 and later, Surface Book, Surface Laptop, and Surface Go. + +## Prerequisites + +This document assumes you have successfully deployed a wireless network that supports 802.11n (Wi-Fi 4) or later in accordance with best practice recommendations from leading equipment vendors. + +## Configuring access points for optimal roaming capabilities + +If you’re managing a wireless network that’s typically accessed by many different types of client devices, it’s recommended to enable specific protocols on access points (APs) in your WLAN, as described in [Fast Roaming with 802.11k, 802.11v, and 802.11r](https://docs.microsoft.com/en-us/windows-hardware/drivers/network/fast-roaming-with-802-11k--802-11v--and-802-11r). 
Surface devices can take advantage of the following wireless protocols: + +- **802.11r.** “**Fast BSS Transition”** accelerates connecting to new wireless access points by reducing the number of frames required before your device can access another AP as you move around with your device. +- **802.11k.** **“Neighbor Reports”** provides devices with information on current conditions at neighboring access points. It can help your Surface device choose the best AP using criteria other than signal strength such as AP utilization. + +Surface Go devices can also use 802.11v “BSS Transition Management Frames,” which functions much like 802.11k in providing information on nearby candidate APs. + +## Managing user settings + +You can achieve optimal roaming capabilities through a well-designed network that supports 802.11r and 802.11k across all access points. Ensuring that your network is properly configured to provide users with the best wireless experience is the recommended approach versus attempting to manage user settings on individual devices. Moreover, in many corporate environments Surface device users won’t be able to access advanced network adapter settings without explicit permissions or local admin rights. In other lightly managed networks, users can benefit by knowing how specific settings can impact their ability to remain connected. + +### Recommended user settings and best practices + +In certain situations, modifying advanced network adapter settings built into Surface devices may facilitate a more reliable connection. Keep in mind however that an inability to connect to wireless resources is more often due to an access point issue, networking design flaw, or environmental site issue. + +> [!NOTE] +> How you hold your Surface Pro or Surface Go can also affect signal strength. If you’re experiencing a loss of bandwidth, check that you’re not holding the top of the display, where the Wi-Fi radio receiver is located. 
Although holding the top of the display does not block wireless signals, it can trigger the device driver to initiate changes that reduce connectivity. + +### Keep default Auto setting for dual bandwidth capability +On most Surface devices, you can configure client network adapter settings to only connect to wireless APs over 5 gigahertz (GHz), only connect over 2.4 GHz, or let the operating system choose the best option (default Auto setting). + +**To access network adapter settings go to:** + +- **Start** > **Control panel** > **Network and Sharing Center** > **your Wi-Fi adapter** > **Properties** > **Configure** > **Advanced**. + +![* wifi-band settings*](images/wifi-band.png)
+ +Keep in mind that 2.4 GHz has some advantages over 5 GHz: It extends further and more easily penetrates through walls or other solid objects. Unless you have a clear use case that warrants connecting to 5 GHz, it’s recommended to leave the Band setting in the default state to avoid possible adverse consequences. For example: + + +- Many hotspots found in hotels, coffee shops, and airports still only use 2.4 GHz, effectively blocking access to devices if Band is set to 5 GHz Only. +- Since Miracast wireless display connections require the initial handshake to be completed over 2.4 GHz channels, devices won’t be able to connect at 5 GHz Only. + +> [!NOTE] +> By default Surface devices will prefer connecting to 5 GHz if available. However, to preserve power in a low battery state, Surface will first look for a 2.4 GHz connection. + +You can also toggle the band setting as needed to suit your environment. For example, users living in high density apartment buildings with multiple Wi-Fi hotspots — amid the presence of consumer devices all broadcasting via 2.4 GHz — will likely benefit by setting their Surface device to connect on 5 GHz only and then revert to Auto when needed. + +### Roaming aggressiveness settings on Surface Go + +Front-line workers using Surface Go may wish to select a signal strength threshold that prompts the device to search for a new access point when signal strength drops (roaming aggressiveness). By default, Surface devices attempt to roam to a new access point if the signal strength drops below **Medium** (50 percent signal strength). Note that whenever you increase roaming aggressiveness, you accelerate battery power consumption. + +Leave the roaming aggressiveness setting in the default state unless you’re encountering connectivity issues in specific mobile scenarios such as conducting environmental site inspections while also maintaining voice and video connectivity during a conference meeting. 
If you don’t notice any improvement revert to the default **Medium** state. + +**To enable roaming aggressiveness on Surface Go:** + +1. Go to **Start > Control Panel** > **Network and Internet** > **Network and Sharing Center.** +2. Under **Connections** select **Wi-Fi** and then select **Properties.** +3. Select **Client for Microsoft Networks** and then select **Configure** +4. Select **Advanced** > **Roaming Aggressiveness** and choose ****your preferred value from the drop-down menu. + +![* Roaming aggressiveness settings *](images/wifi-roaming.png)
+ +## Conclusion + +Surface devices are designed with default settings for optimal wireless connectivity balanced alongside the need to preserve battery life. The most effective way of enabling reliable connectivity for Surface devices is through a well-designed network that supports 802.11r and 802.11k. Users can adjust network adapter settings or roaming aggressiveness but should only do so in response to specific environmental factors and revert to default state if there’s no noticeable improvement. diff --git a/devices/surface/update.md b/devices/surface/update.md index 0a3a4b4a5d..d68bf71ed8 100644 --- a/devices/surface/update.md +++ b/devices/surface/update.md 
@@ -21,23 +21,7 @@ Find out how to download and manage the latest firmware and driver updates for y | Topic | Description | | --- | --- | -|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically. | -| [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.| | [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.| +| [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Find links to manually deploy firmware and drivers, outside of Windows Update. | | [Surface Dock Updater](surface-dock-updater.md)| Get a detailed walkthrough of Microsoft Surface Dock Updater.| - - -## Related topics - -[Surface TechCenter](https://technet.microsoft.com/windows/surface) - -[Surface for IT pros blog](http://blogs.technet.com/b/surface/) - - - - - - - - - +|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically. | diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md index 72f123de7f..fc7cf4147e 100644 --- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md +++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md 
@@ -14,7 +14,7 @@ ms.reviewer:
manager: dansimp
---
-# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit
+# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit
#### Applies to
* Surface Pro 3
diff --git a/education/docfx.json b/education/docfx.json
index 2f691e4f77..15587928ef 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -28,6 +28,7 @@
"audience": "windows-education",
"ms.topic": "article",
"ms.technology": "windows",
+ "manager": "laurawi",
"audience": "ITPro",
"breadcrumb_path": "/education/breadcrumb/toc.json",
"ms.date": "05/09/2017",
diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md
index a36cdb45da..64cf56759a 100644
--- a/education/get-started/get-started-with-microsoft-education.md
+++ b/education/get-started/get-started-with-microsoft-education.md
@@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: hero-article
+ms.topic: article
ms.localizationpriority: medium
ms.pagetype: edu
author: levinec
diff --git a/education/get-started/set-up-windows-10-education-devices.md b/education/get-started/set-up-windows-10-education-devices.md
index 67b39af36c..7bd5123140 100644
--- a/education/get-started/set-up-windows-10-education-devices.md
+++ b/education/get-started/set-up-windows-10-education-devices.md
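Review bot: The object edited in the education/docfx.json hunk carries two `"audience"` keys — `"audience": "windows-education",` at the top of the hunk and `"audience": "ITPro",` just below the added `"manager": "laurawi",` line — and the commit inserts a key between them without resolving the duplicate. RFC 8259 only says member names SHOULD be unique, so which value the docs build sees depends on the parser (most keep the last occurrence, which would make `ITPro` win and leave the first line dead), and a strict I-JSON parser rejects the document outright. Decide which value is intended and delete the other line, e.g. drop `"audience": "windows-education",` if `ITPro` is what the build should see. The mdop/docfx.json hunk further down adds keys to a similar metadata block without such a duplicate, so the two files would then agree in shape.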
@@ -26,6 +26,8 @@ We recommend using the latest build of Windows 10, version 1703 on your educatio To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options and follow the link to watch the video or follow the step-by-step guide: - **Option 1: [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices. - **Option 2: [Go through Windows OOBE and join the device to Azure AD](set-up-windows-education-devices.md)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device. +- **Option 3: [Bulk enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-bulk-enroll)** +- **Option 4: [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot)** > [!div class="step-by-step"] > [<< Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) diff --git a/education/get-started/use-intune-for-education.md b/education/get-started/use-intune-for-education.md index 1a4fdb71e5..1e6eac8cf8 100644 --- a/education/get-started/use-intune-for-education.md +++ b/education/get-started/use-intune-for-education.md 
@@ -21,7 +21,7 @@ manager: dansimp > [<< Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) > [Set up Windows 10 education devices >>](set-up-windows-10-education-devices.md) -Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the Intune for Education documentation. +Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 and iOS devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the Intune for Education documentation. ## Example - Set up Intune for Education, buy apps from the Store, and install the apps In this walkthrough, we'll go through a sample scenario and walk you through the steps to: @@ -221,4 +221,4 @@ You're now done assigning apps to all users in your tenant. It's time to set up ## Related topic -[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) +[Set up iOS device management](https://docs.microsoft.com/en-us/intune-education/setup-ios-device-management) diff --git a/education/index.md b/education/index.md index f07f216119..8dfa606f42 100644 --- a/education/index.md +++ b/education/index.md @@ -56,7 +56,7 @@ ms.prod: w10

Deployment Guidance

-

Dive right into the step-by-step process for the easiest deployment path to M365 EDU. We walk you through setting up cloud infrastructure, configuring and managing devices, and migrating on-premise servers for Sharepoint and Exchange to the cloud.

+

Learn the easiest path to deploy Microsoft 365 Education through our step-by-step process. We walk you through cloud deployment, device management,apps set up and configuration, and how to find deployment assistance.

diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md index d92973b13b..7c0eaafd0a 100644 --- a/education/windows/s-mode-switch-to-edu.md +++ b/education/windows/s-mode-switch-to-edu.md @@ -42,7 +42,7 @@ S mode is an enhanced security mode of Windows 10 – streamlined for security a |Credential Guard | | | | X | |Device Guard | | | | X | -### Windows 10 in S mode is safe, secure, and fast. +### Windows 10 in S mode is safe, secure, and fast. However, in some limited scenarios, you might need to switch to Windows 10 Education. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store. ## How to switch diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md index 27ca52dfd3..546e8c7831 100644 --- a/education/windows/set-up-school-pcs-whats-new.md +++ b/education/windows/set-up-school-pcs-whats-new.md @@ -9,7 +9,7 @@ ms.pagetype: edu ms.localizationpriority: medium author: mjcaparas ms.author: macapara -ms.date: 06/03/2019 +ms.date: 08/15/2019 ms.reviewer: manager: dansimp --- 
@@ -17,6 +17,15 @@ manager: dansimp # What's new in Set up School PCs Learn what’s new with the Set up School PCs app each week. Find out about new app features and functionality, and see updated screenshots. You'll also find information about past releases. + +## Week of June 24, 2019 + +### Resumed support for Windows 10, version 1903 and later +The previously mentioned provisioning problem was resolved, so the Set up School PCs app once again supports Windows 10, version 1903 and later. The Windows 10 settings that were removed are now back in the app. + +### Device rename made optional for Azure AD joined devices +When you set up your Azure AD join devices in the Set up School PCs app, you no longer need to rename your devices. Set up School PCs will let you keep existing device names. + ## Week of May 23, 2019 ### Suspended support for Windows 10, version 1903 and later diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index eaa22faf91..1f8eb4eb0f 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -20,9 +20,9 @@ manager: dansimp - Windows 10 You have two tools to choose from to set up PCs for your classroom: - * Set up School PCs - * Windows Configuration Designer - +* Set up School PCs +* Windows Configuration Designer + Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account). You can use the following diagram to compare the tools. diff --git a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md index dc69096e0f..090949bb7e 100644 --- a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md +++ b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md 
@@ -272,15 +272,17 @@ As an AGPM Administrator (Full Control), you designate the e-mail addresses of A **To configure e-mail notification for AGPM** -1. In the details pane, click the **Domain Delegation** tab. +1. In **Group Policy Management Editor** , navigate to the **Change Control** folder -2. In the **From e-mail address** field, type the e-mail alias for AGPM from which notifications should be sent. +2. In the details pane, click the **Domain Delegation** tab. -3. In the **To e-mail address** field, type the e-mail address for the user account to which you intend to assign the Approver role. +3. In the **From e-mail address** field, type the e-mail alias for AGPM from which notifications should be sent. -4. In the **SMTP server** field, type a valid SMTP mail server. +4. In the **To e-mail address** field, type the e-mail address for the user account to which you intend to assign the Approver role. -5. In the **User name** and **Password** fields, type the credentials of a user who has access to the SMTP service. Click **Apply**. +5. In the **SMTP server** field, type a valid SMTP mail server. + +6. In the **User name** and **Password** fields, type the credentials of a user who has access to the SMTP service. Click **Apply**. ### Step 5: Delegate access diff --git a/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md b/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md index f39efad9be..8a53cc64f2 100644 --- a/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md +++ b/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md 
@@ -19,7 +19,7 @@ ms.date: 06/16/2016 If you plan to use a server-based deployment scenario for your Microsoft Application Virtualization environment, it is important to understand the differences between the *Application Virtualization Management Server* and the *Application Virtualization Streaming Server*. This topic describes those differences and also provides information about package delivery methods, transmission protocols, and external components that you will need to consider as you proceed with your deployment. -## Application Virtualization Management Server +## Application Virtualization Management Server The Application Virtualization Management Server performs both the publishing function and the streaming function. The server publishes application icons, shortcuts, and file type associations to the App-V clients for authorized users. When user requests for applications are received the server streams that data on-demand to authorized users using RTSP or RTSPS protocols. In most configurations using this server, one or more Management Servers share a common data store for configuration and package information. 
@@ -28,7 +28,7 @@ The Application Virtualization Management Servers use Active Directory groups to Because the Application Virtualization Management Servers stream applications to end-users on demand, these servers are ideally suited for system configurations that have reliable, high-bandwidth LANs. -## Application Virtualization Streaming Server +## Application Virtualization Streaming Server The Application Virtualization Streaming Server delivers the same streaming and package upgrade capabilities provided by the Management Server, but without its Active Directory or SQL Server requirements. However, the Streaming Server does not have a publishing service, nor does it have licensing or metering capabilities. The publishing service of a separate App-V Management Server is used in conjunction with the App-V Streaming Server. The App-V Streaming Server addresses the needs of businesses that want to use Application Virtualization in multiple locations with the streaming capabilities of the classic server configuration but might not have the infrastructure to support App-V Management Servers in every location. diff --git a/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md b/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md index d572d752a6..acfe510e08 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md 
@@ -79,13 +79,13 @@ Click **Next**. 10. On the **Customize** page, if you are finished installing and configuring the virtual application, select **Stop now** and skip to step 14 of this procedure. If you want to customize any of the items in the following list, select **Customize**. - - Edit the file type associations associated with an application. + - Edit the file type associations associated with an application. - - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. + - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 11. On the **Edit Shortcuts** page, you can optionally configure the file type associations (FTA) that will be associated with the various applications in the package. To create a new FTA, in the left pane, select and expand the application that you want to customize, and then click **Add**. In the **Add File Type Association** dialog box, provide the necessary information for the new FTA. Under the application, select **Shortcuts** to review the shortcut information associated with an application. In the **Location** pane, you can review the icon file information. To edit an existing FTA, click **Edit**. To remove an FTA, select the FTA, and then click **Remove**. Click **Next**. diff --git a/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md b/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md index c1dbfafeb3..baf39c7e2c 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md 
@@ -69,13 +69,13 @@ Click **Next**. 11. On the **Customize** page, if you are finished installing and configuring the virtual application, select **Stop now** and skip to step 15 of this procedure. If you want to customize any of the items in the following list, select **Customize**. - - Edit the file type associations and the icons associated with an application. + - Edit the file type associations and the icons associated with an application. - - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. + - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 12. On the **Edit Shortcuts** page, you can optionally configure the file type associations (FTA) and shortcut locations that will be associated with the various applications in the package. To create a new FTA, in the left pane, select and expand the application you want to customize, and then click **Add**. In the **Add File Type Association** dialog box, provide the necessary information for the new FTA. To review the shortcut information associated with an application, under the application, select **Shortcuts**, and in the **Location** pane, you can edit the icon file information. To edit an existing FTA, click **Edit**. To remove an FTA, select the FTA, and then click **Remove**. Click **Next**. diff --git a/mdop/appv-v4/planning-for-server-security.md b/mdop/appv-v4/planning-for-server-security.md index c1ee2abf07..2cc2c0459b 100644 --- a/mdop/appv-v4/planning-for-server-security.md +++ b/mdop/appv-v4/planning-for-server-security.md 
@@ -31,7 +31,7 @@ The content directory contains all of the packages that are to be streamed to cl Keep the number of users with administrative privileges to a minimum to reduce possible threats to the data in the data store and to avoid publishing malicious applications into the infrastructure. -## Application Virtualization Security +## Application Virtualization Security App-V uses several methods of communication between the various components of the infrastructure. When you plan your App-V infrastructure, securing the communications between servers can reduce the security risks that might already be present on the existing network. diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md index 203086f71b..4dbf7f3b64 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md +++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md @@ -222,7 +222,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc 2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the configuration.xml file: - ``` syntax + ```xml @@ -633,7 +633,7 @@ You may want to disable specific applications in your Office App-V package. For 5. Add the Office 2016 App-V Package with the new Deployment Configuration File. - ``` syntax + ```xml Lync 2016 diff --git a/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md b/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md index 7bc0c4e2c1..e1e6432a8a 100644 --- a/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md +++ b/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md 
@@ -43,9 +43,7 @@ You must configure the package converter to always save the package ingredients Import-Module AppVPkgConverter ``` -3. - - The following cmdlets are available: +3. The following cmdlets are available: - Test-AppvLegacyPackage – This cmdlet is designed to check packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet will not parse the **.sft** file or do any in depth validation. For information about options and basic functionality for this cmdlet, using the PowerShell cmdline, type `Test-AppvLegacyPackage -?`. diff --git a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md index f69cd05803..8652ce06d6 100644 --- a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md +++ b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md 
@@ -143,11 +143,11 @@ Click **Next**. 11. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 14 of this procedure. To perform either of the following customizations, select **Customize**. - - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. + - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. 
@@ -234,11 +234,11 @@ Click **Next**. 10. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**. - - Optimize how the package will run across a slow or unreliable network. + - Optimize how the package will run across a slow or unreliable network. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**. diff --git a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md index 5143059379..ba6d5a807d 100644 --- a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md +++ b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md 
@@ -128,11 +128,11 @@ Click **Next**. 11. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 14 of this procedure. To perform either of the following customizations, select **Customize**. - - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. + - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. 
@@ -210,11 +210,11 @@ On the computer that runs the sequencer, click **All Programs**, and then Click 10. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**. - - Optimize how the package will run across a slow or unreliable network. + - Optimize how the package will run across a slow or unreliable network. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**. diff --git a/mdop/docfx.json b/mdop/docfx.json index 55e32ba407..252c242145 100644 --- a/mdop/docfx.json +++ b/mdop/docfx.json @@ -27,6 +27,9 @@ "ms.technology": "windows", "audience": "ITPro", "manager": "dansimp", + "ms.prod": "w10", + "ms.author": "dansimp", + "author": "dansimp", "ms.sitesec": "library", "ms.topic": "article", "ms.date": "04/05/2017", diff --git a/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md b/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md index 00b1e7fdff..14a19f6fde 100644 --- a/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md +++ b/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md 
@@ -19,7 +19,7 @@ ms.date: 06/16/2016 This topic includes and describes the administrator roles that are available in Microsoft BitLocker Administration and Monitoring (MBAM), as well as the server locations where the local groups are created. -## MBAM Administrator roles +## MBAM Administrator roles **MBAM System Administrators** diff --git a/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md b/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md index 0705bc85f5..ce78024608 100644 --- a/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md +++ b/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md @@ -141,7 +141,7 @@ This section describes the Client Management policy definitions for MBAM, found -## Fixed Drive policy definitions +## Fixed Drive policy definitions This section describes the Fixed Drive policy definitions for MBAM, which can be found at the following GPO node: **Computer Configuration**\\**Administrative Templates**\\**Windows Components**\\**MDOP MBAM (BitLocker Management)** \\ **Fixed Drive**. diff --git a/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md index 8f3dfa626b..092ae557f4 100644 --- a/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md +++ b/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md @@ -19,7 +19,7 @@ ms.date: 06/16/2016 This topic lists and describes the available administrator roles that are available in Microsoft BitLocker Administration and Monitoring (MBAM) as well as the server locations where the local groups are created. -## MBAM Administrator Roles +## MBAM Administrator Roles **MBAM System Administrators** diff --git a/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md index b84c686064..64b9b557da 100644 --- a/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md 
+++ b/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md @@ -142,7 +142,7 @@ This section describes Client Management policy definitions for Microsoft BitLoc -## Fixed Drive Policy Definitions +## Fixed Drive Policy Definitions This section describes Fixed Drive policy definitions for Microsoft BitLocker Administration and Monitoring found at the following GPO node: **Computer Configuration**\\**Policies**\\**Administrative Templates**\\**Windows Components**\\**MDOP MBAM (BitLocker Management)**\\**Fixed Drive**. diff --git a/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md b/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md index 4c7082ea57..76b918713f 100644 --- a/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md +++ b/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md 
@@ -90,13 +90,13 @@ If SSRS was not configured to use Secure Socket Layer (SSL), the URL for the rep 10. Browse to the following web services to verify that they load successfully. A page opens to indicate that the service is running, but the page does not display any metadata. - - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMAdministrationService/AdministrationService.svc + - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMAdministrationService/AdministrationService.svc - - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMUserSupportService/UserSupportService.svc + - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMUserSupportService/UserSupportService.svc - - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMComplianceStatusService/StatusReportingService.svc + - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMComplianceStatusService/StatusReportingService.svc - - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMRecoveryAndHardwareService/CoreService.svc + - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMRecoveryAndHardwareService/CoreService.svc ## Validating the MBAM Server deployment with the Configuration Manager Integration topology diff --git a/mdop/medv-v1/configuring-med-v-for-remote-networks.md b/mdop/medv-v1/configuring-med-v-for-remote-networks.md index 108670ef04..cdb27ae2fd 100644 --- a/mdop/medv-v1/configuring-med-v-for-remote-networks.md +++ b/mdop/medv-v1/configuring-med-v-for-remote-networks.md @@ -53,7 +53,7 @@ When applying new settings, the service must be restarted. - You can change the IIS authentication scheme to one of the following: BASIC, DIGEST, NTLM, or NEGOTIATE. The default is NEGOTIATE and uses the following entry: - ``` syntax + ```xml diff --git a/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md b/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md index 4413918e3f..1aaecaa5a4 100644 --- a/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md 
+++ b/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md @@ -32,7 +32,7 @@ You can configure which folders are indexed on the host as part of the Trim Tran When applying new settings, the service must be restarted. -``` syntax +```xml - %WINDIR% diff --git a/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md b/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md index 859ef68c82..df91e27c64 100644 --- a/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md +++ b/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md @@ -17,7 +17,7 @@ ms.date: 08/30/2016 # Sharing Settings Location Templates with the UE-V Template Gallery -## Share location templates with the template gallery +## Share location templates with the template gallery The Microsoft User Experience Virtualization (UE-V) template gallery allows administrators to share their UE-V settings location templates. In the gallery, you can upload your settings location templates for other people to use, and you can download templates that other people have created. The UE-V template gallery is located on Microsoft TechNet here: . diff --git a/mdop/uev-v1/troubleshooting-ue-v-10.md b/mdop/uev-v1/troubleshooting-ue-v-10.md index 85a8d4677a..74d1546a02 100644 --- a/mdop/uev-v1/troubleshooting-ue-v-10.md +++ b/mdop/uev-v1/troubleshooting-ue-v-10.md @@ -19,7 +19,7 @@ ms.date: 08/30/2016 Troubleshooting content is not included in the Administrator's Guide for this product. Instead, you can find troubleshooting information for this product on the [TechNet Wiki](https://go.microsoft.com/fwlink/p/?LinkId=224905). -## Find troubleshooting information +## Find troubleshooting information You can use the following information to find troubleshooting content or additional technical content for this product. 
@@ -44,7 +44,7 @@ The first step to find help content in the Administrator’s Guide is to search 3. Review the search results for assistance. -## Create a troubleshooting article +## Create a troubleshooting article If you have a troubleshooting tip or a best practice to share that is not already included in the MDOP Online Help or TechNet Wiki, you can create your own TechNet Wiki article. diff --git a/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md b/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md index 733876d705..161015c807 100644 --- a/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md @@ -19,7 +19,7 @@ ms.date: 08/30/2016 Troubleshooting content is not included in the Administrator's Guide for this product. Instead, you can find troubleshooting information for this product on the [TechNet Wiki](https://go.microsoft.com/fwlink/p/?LinkId=224905). -## Find troubleshooting information +## Find troubleshooting information You can use the following information to find troubleshooting content or additional technical content for this product. @@ -44,7 +44,7 @@ The first step to find help content in the Administrator’s Guide is to search 3. Review the search results for assistance. -## Create a troubleshooting article +## Create a troubleshooting article If you have a troubleshooting tip or a best practice to share that is not already included in the MDOP Online Help or TechNet Wiki, you can create your own TechNet Wiki article. diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md index c4fdb65355..fe8f3b7411 100644 --- a/store-for-business/TOC.md +++ b/store-for-business/TOC.md 
@@ -1,7 +1,7 @@ # [Microsoft Store for Business](index.md) ## [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) ## [Sign up and get started](sign-up-microsoft-store-for-business-overview.md) -###[Microsoft Store for Business and Microsoft Store for Education overview](microsoft-store-for-business-overview.md) +### [Microsoft Store for Business and Microsoft Store for Education overview](microsoft-store-for-business-overview.md) ### [Prerequisites for Microsoft Store for Business and Education](prerequisites-microsoft-store-for-business.md) ### [Sign up for Microsoft Store for Business or Microsoft Store for Education](sign-up-microsoft-store-for-business.md) ### [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md) diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index 2c0e080ed7..6a2720e035 100644 --- a/store-for-business/device-guard-signing-portal.md +++ b/store-for-business/device-guard-signing-portal.md @@ -51,7 +51,7 @@ Catalog and policy files have required files types. | catalog files | .cat | | policy files | .bin | - ## Store for Business roles and permissions + ## Store for Business roles and permissions Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role. ## Device Guard signing certificates diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md index bf36f37baf..515b03dd25 100644 --- a/store-for-business/education/TOC.md +++ b/store-for-business/education/TOC.md 
@@ -1,7 +1,7 @@ # [Microsoft Store for Education](/microsoft-store/index?toc=/microsoft-store/education/toc.json) ## [What's new in Microsoft Store for Business and Education](/microsoft-store/whats-new-microsoft-store-business-education?toc=/microsoft-store/education/toc.json) ## [Sign up and get started](/microsoft-store/sign-up-microsoft-store-for-business-overview?toc=/microsoft-store/education/toc.json) -###[Microsoft Store for Business and Education overview](/microsoft-store/windows-store-for-business-overview?toc=/microsoft-store/education/toc.json) +### [Microsoft Store for Business and Education overview](/microsoft-store/windows-store-for-business-overview?toc=/microsoft-store/education/toc.json) ### [Prerequisites for Microsoft Store for Business and Education](/microsoft-store/prerequisites-microsoft-store-for-business?toc=/microsoft-store/education/toc.json) ### [Sign up for Microsoft Store for Business or Microsoft Store for Education](/microsoft-store/sign-up-microsoft-store-for-business?toc=/microsoft-store/education/toc.json) ### [Roles and permissions in the Microsoft Store for Business and Education](/microsoft-store/roles-and-permissions-microsoft-store-for-business?toc=/microsoft-store/education/toc.json) diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md index 115dd3fa5b..91a18494e2 100644 --- a/store-for-business/manage-orders-microsoft-store-for-business.md +++ b/store-for-business/manage-orders-microsoft-store-for-business.md 
@@ -42,14 +42,14 @@ Refunds work a little differently for free apps, and apps that have a price. In **Refunds for free apps** - For free apps, there isn't really a refund to request -- you're removing the app from your inventory. You must first reclaim any assigned licenses, and then you can remove the app from your organization's inventory. +For free apps, there isn't really a refund to request -- you're removing the app from your inventory. You must first reclaim any assigned licenses, and then you can remove the app from your organization's inventory. - **Refunds for apps that have a price** +**Refunds for apps that have a price** - There are a few requirements for apps that have a price: - - **Timing** - Refunds are available for the first 30 days after you place your order. For example, if your order is placed on June 1, you can self-refund through June 30. - - **Available licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization. - - **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory. +There are a few requirements for apps that have a price: +- **Timing** - Refunds are available for the first 30 days after you place your order. For example, if your order is placed on June 1, you can self-refund through June 30. 
+- **Available licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization. +- **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory. **To refund an order** diff --git a/store-for-business/work-with-partner-microsoft-store-business.md b/store-for-business/work-with-partner-microsoft-store-business.md index 9ca69eef76..e2829a08cb 100644 --- a/store-for-business/work-with-partner-microsoft-store-business.md +++ b/store-for-business/work-with-partner-microsoft-store-business.md @@ -38,7 +38,7 @@ There are several ways that a solution provider can work with you. Solution prov | OEM PC partner | Solution providers can upload device IDs for PCs that you're [managing with Autopilot](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). | | Line-of-business (LOB) partner | Solution providers can develop, submit, and manage LOB apps specific for your organization or school. | -## Find a solution provider +## Find a solution provider You can find partner in Microsoft Store for Business and Education. diff --git a/surface-hub-2s-ports-keypad.md b/surface-hub-2s-ports-keypad.md deleted file mode 100644 index de36eacd73..0000000000 --- a/surface-hub-2s-ports-keypad.md +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -title: "Surface Hub 2S ports and keypad overview" -description: "This page describes the ports, physical buttons, and configuration information for Surface Hub 2S." -keywords: separate values with commas -ms.prod: surface-hub -ms.sitesec: library -author: robmazz -ms.author: robmazz -audience: Admin -ms.topic: article -ms.localizationpriority: Normal ---- - -# Surface Hub 2S ports and keypad overview - -This page describes the ports, physical buttons, and configuration information essential for connecting to Surface Hub 2S whether via wired, Wi-Fi, or Bluetooth methods. It also includes best practice recommendations for key connectivity scenarios. - -Figure 1 shows the location ports and physical buttons located on a keypad attached to the underside of the device. Table 1 includes detailed descriptions of each element. -*Figure 1. Front facing and underside view of I/O connections and physical buttons* -*Table 1. Surface Hub 2S port and keypad component reference* - -| Key | Component | Description | Key parameters | -| --- | -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- | -| ① | USB C | USB 3.0 Port

- Use as a walk-up port for plugging in peripherals such as thumb-drives. Guest ports are located on each side of the device (4).
-

NOTE: This is the recommended port for connecting an external camera. Additional camera mount features are incorporated into the design to help support retention of attached cameras.


- NOTE: TouchBack and video ingest are not supported on these ports. | Type C

- 15 W Port (5V/3A) | -| ② | AC power | 100-240V input
Connect to standard AC power and Surface Hub 2S will auto switch to the local power standard such as110 volts in the US and Canada or 220 volts in the UK or other countries.

NOTE: When the AC cord is plugged in, the system remains in an off state in which only the system management controller (SMC), real time clock (RTC), and keypad are running. | IEC 60320 C14 | -| ③ | DC power | 24V DC input port
Use for connecting to mobile battery. | Xbox1 Dual barrel to Anderson connector | -| ④ | Ethernet | 1000/100/10 BaseT
Use for providing a continuous connection in a corporate environment and related scenarios requiring maximum stability or capacity. | RJ45 | -| ⑤ | USB-A | USB 3.0 Port
Use as a walk-up port for plugging in peripherals such as thumb-drives. | Type A
7.5 W Port (5V/1.5A) | -| ⑥ | USB-C | USB 3.0 Port
Use as a walk-up port for connecting external PCs and related devices or plugging in peripherals such as thumb-drives.

NOTE: This is the recommended video input port, supporting both TouchBack and InkBack. | Type C
18 W Port (5V/3A, 9V/2A) | -| ⑦ | HDMI in | HDMI 2.0, HDCP 2.2 /1.4
Use for multiple scenarios including HDMI-to-HDMI guest input. | Standard HDMI | -| ⑧ | Mini DisplayPort out | DisplayPort 1.2 output
Use for video-out scenarios such as mirroring the Surface Hub 2S display to a larger projector. | Mini DisplayPort | -| ⑨ | Source | Use to toggle among connected ingest sources — external PC, HDMI, and DisplayPort modes. | n/a | -| ⑩ | Volume | Use +/- to adjust audio locally on the device.

NOTE: When navigating to the brightness control, use +/- on the volume slider to control display brightness. | n/a | -| ⑪ | Power | Power device on/off.
Use also to navigate display menus and select items. | n/a | - - ** - ** -*Figure 2. Rear facing view of wireless, audio, & related components* -NOTE: **many of these components are internal and may not be obviously visible from the outside. - -*Figure 3. Wired port connections on Surface Hub-2S* \ No newline at end of file diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index 3d117f1d01..099bcdf1c4 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md @@ -128,9 +128,9 @@ Computers running the App-V client connect to the App-V publishing server to sen > [!IMPORTANT] > The following list displays the main factors to consider when setting up the App-V publishing server: -> * The number of clients connecting simultaneously to a single publishing server. -> * The number of packages in each refresh. -> * The available network bandwidth in your environment between the client and the App-V publishing server. +> * The number of clients connecting simultaneously to a single publishing server. +> * The number of packages in each refresh. +> * The available network bandwidth in your environment between the client and the App-V publishing server. |Scenario|Summary| |---|---| 
@@ -153,9 +153,9 @@ Computers running the App-V client stream the virtual application package from t > [!IMPORTANT] > The following list identifies the main factors to consider when setting up the App-V streaming server: -> * The number of clients streaming application packages simultaneously from a single streaming server. -> * The size of the package being streamed. -> * The available network bandwidth in your environment between the client and the streaming server. +> * The number of clients streaming application packages simultaneously from a single streaming server. +> * The size of the package being streamed. +> * The available network bandwidth in your environment between the client and the streaming server. |Scenario|Summary| |---|---| diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index bb9c73976e..d687294412 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -35,6 +35,7 @@ "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", + "manager": "dansimp", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 79fb1d0045..a9b1b89487 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md 
@@ -17,14 +17,6 @@ ms.date: 07/25/2019 The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked. -> **Note** -> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. -> -> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps. -> -> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node. - - The following diagram shows the AppLocker configuration service provider in tree format. ![applocker csp](images/provisioning-csp-applocker.png) 
@@ -39,6 +31,9 @@ Defines restrictions for applications. > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. > > In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps. +> +> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node. + Additional information: 
@@ -363,7 +358,8 @@ The product name is first part of the PackageFullName followed by the version nu The following list shows the apps that may be included in the inbox. -> **Note** This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience. +> [!NOTE] +> This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience. @@ -830,7 +826,7 @@ The following list shows the apps that may be included in the inbox. The following example disables the calendar application. -``` syntax +```xml @@ -854,7 +850,7 @@ The following example disables the calendar application. The following example blocks the usage of the map application. -``` syntax +```xml @@ -1394,7 +1390,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo ## Example for Windows 10 Holographic for Business The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable to enable a working device, as well as Settings. -``` syntax +```xml 1 diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 90c5a2b411..deb52e3e8a 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
@@ -6,15 +6,12 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: lomayor -ms.date: 05/02/2019 +ms.date: 08/05/2019 ms.reviewer: manager: dansimp --- # BitLocker CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro. > [!NOTE] @@ -31,10 +28,10 @@ The following diagram shows the BitLocker configuration service provider in tree ![bitlocker csp](images/provisioning-csp-bitlocker.png) **./Device/Vendor/MSFT/BitLocker** -

Defines the root node for the BitLocker configuration service provider.

+Defines the root node for the BitLocker configuration service provider. **RequireStorageCardEncryption** -

Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU.

+Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU. @@ -57,14 +54,14 @@ The following diagram shows the BitLocker configuration service provider in tree
-

Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.

+Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on. - 0 (default) – Storage cards do not need to be encrypted. - 1 – Require Storage cards to be encrypted. -

Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.

+Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on. -

If you want to disable this policy use the following SyncML:

+If you want to disable this policy use the following SyncML: ```xml @@ -85,11 +82,11 @@ The following diagram shows the BitLocker configuration service provider in tree ``` -

Data type is integer. Supported operations are Add, Get, Replace, and Delete.

+Data type is integer. Supported operations are Add, Get, Replace, and Delete. **RequireDeviceEncryption** -

Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption.

+Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption. @@ -112,9 +109,26 @@ The following diagram shows the BitLocker configuration service provider in tree
-

Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.

+Data type is integer. Sample value for this node to enable this policy: 1. +Supported operations are Add, Get, Replace, and Delete. -

If you want to disable this policy use the following SyncML:

+Status of OS volumes and encryptable fixed data volumes are checked with a Get operation. Typically, BitLocker/Device Encryption will follow whichever value [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) policy is set to. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives. + +Encryptable fixed data volumes are treated similarly to OS volumes. However, fixed data volumes must meet additional criteria to be considered encryptable: + +- It must not be a dynamic volume. +- It must not be a recovery partition. +- It must not be a hidden volume. +- It must not be a system partition. +- It must not be backed by virtual storage. +- It must not have a reference in the BCD store. + +The following list shows the supported values: + +- 0 (default) – Disable. If the policy setting is not set or is set to 0, the device's enforcement status will not be checked. The policy will not enforce encryption and it will not decrypt encrypted volumes. +- 1 – Enable. The device's enforcement status will be checked. Setting this policy to 1 will trigger encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy). + +If you want to disable this policy use the following SyncML: ```xml @@ -135,10 +149,9 @@ The following diagram shows the BitLocker configuration service provider in tree ``` -

Data type is integer. Supported operations are Add, Get, Replace, and Delete.

+**EncryptionMethodByDriveType** -**EncryptionMethodByDriveType** -

Allows you to set the default encrytion method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".

+Allows you to set the default encrytion method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". @@ -159,7 +172,7 @@ The following diagram shows the BitLocker configuration service provider in tree
Homecross mark
-

ADMX Info:

+ADMX Info:
  • GP English name: Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
  • GP name: EncryptionMethodWithXts_Name
  • @@ -170,23 +183,23 @@ The following diagram shows the BitLocker configuration service provider in tree > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -

    This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

    +This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. -

    If you enable this setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511.

    +If you enable this setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511. -

    If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.

    +If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script. -

    Sample value for this node to enable this policy and set the encryption methods is:

    + Sample value for this node to enable this policy and set the encryption methods is: ```xml ``` -

    EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives

    -

    EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.

    -

    EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.

    +EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives +EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. +EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. -

    The possible values for 'xx' are:

    + The possible values for 'xx' are: - 3 = AES-CBC 128 - 4 = AES-CBC 256 @@ -196,7 +209,7 @@ The following diagram shows the BitLocker configuration service provider in tree > [!NOTE] > When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status. -

    If you want to disable this policy use the following SyncML:

    + If you want to disable this policy use the following SyncML: ```xml @@ -213,10 +226,10 @@ The following diagram shows the BitLocker configuration service provider in tree ``` -

    Data type is string. Supported operations are Add, Get, Replace, and Delete.

    +Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRequireStartupAuthentication** -

    This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".

    +This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup". @@ -237,7 +250,7 @@ The following diagram shows the BitLocker configuration service provider in tree
    Homecross mark
    -

    ADMX Info:

    +ADMX Info:
    • GP English name: Require additional authentication at startup
    • GP name: ConfigureAdvancedStartup_Name
    • @@ -248,31 +261,31 @@ The following diagram shows the BitLocker configuration service provider in tree > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -

      This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.

      +This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker. > [!NOTE] > Only one of the additional authentication options can be required at startup, otherwise an error occurs. -

      If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.

      +If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. -

      On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.

      +On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. > [!NOTE] > In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits. -

      If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.

      +If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. -

      If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.

      +If you disable or do not configure this setting, users can configure only basic options on computers with a TPM. > [!NOTE] > If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. -

      Sample value for this node to enable this policy is:

      +Sample value for this node to enable this policy is: ```xml ``` -

      Data id:

      +Data id:
      • ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).
      • ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key.
      • @@ -281,20 +294,20 @@ The following diagram shows the BitLocker configuration service provider in tree
      • ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.
      -

      The possible values for 'xx' are:

      +The possible values for 'xx' are:
      • true = Explicitly allow
      • false = Policy not set
      -

      The possible values for 'yy' are:

      +The possible values for 'yy' are:
      • 2 = Optional
      • 1 = Required
      • 0 = Disallowed
      -

      Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:

      +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml @@ -310,10 +323,10 @@ The following diagram shows the BitLocker configuration service provider in tree ``` -

      Data type is string. Supported operations are Add, Get, Replace, and Delete.

      +Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesMinimumPINLength** -

      This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".

      +This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup". @@ -334,7 +347,7 @@ The following diagram shows the BitLocker configuration service provider in tree
      Homecross mark
      -

      ADMX Info:

      +ADMX Info:
      • GP English name:Configure minimum PIN length for startup
      • GP name: MinimumPINLength_Name
      • @@ -345,24 +358,24 @@ The following diagram shows the BitLocker configuration service provider in tree > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -

        This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.

        +This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits. > [!NOTE] > In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits. > >In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2. -

        If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN.

        +If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN. -

        If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.

        +If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits. -

        Sample value for this node to enable this policy is:

        +Sample value for this node to enable this policy is: ```xml ``` -

        Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:

        +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml @@ -379,10 +392,10 @@ The following diagram shows the BitLocker configuration service provider in tree ``` -

        Data type is string. Supported operations are Add, Get, Replace, and Delete.

        +Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRecoveryMessage** -

        This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).

        +This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name). @@ -403,7 +416,7 @@ The following diagram shows the BitLocker configuration service provider in tree
        Homecross mark
        -

        ADMX Info:

        +ADMX Info:
        • GP English name: Configure pre-boot recovery message and URL
        • GP name: PrebootRecoveryInfo_Name
        • @@ -414,21 +427,21 @@ The following diagram shows the BitLocker configuration service provider in tree > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -

          This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. -

          +This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. -

          If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). -

          If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.

          +If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). -

          If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.

          +If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. -

          Sample value for this node to enable this policy is:

          +If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. + +Sample value for this node to enable this policy is: ```xml ``` -

          The possible values for 'xx' are:

          +The possible values for 'xx' are: - 0 = Empty - 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input"). @@ -440,7 +453,7 @@ The following diagram shows the BitLocker configuration service provider in tree > [!NOTE] > When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status. -

          Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:

          +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml @@ -460,10 +473,10 @@ The following diagram shows the BitLocker configuration service provider in tree > [!NOTE] > Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. -

          Data type is string. Supported operations are Add, Get, Replace, and Delete.

          +Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRecoveryOptions** -

          This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).

          +This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name). @@ -484,7 +497,7 @@ The following diagram shows the BitLocker configuration service provider in tree
          Homecross mark
          -

          ADMX Info:

          +ADMX Info:
          • GP English name: Choose how BitLocker-protected operating system drives can be recovered
          • GP name: OSRecoveryUsage_Name
          • @@ -495,52 +508,52 @@ The following diagram shows the BitLocker configuration service provider in tree > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -

            This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.

            +This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker. -

            The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

            +The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. -

            In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

            +In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. -

            Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

            +Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. -

            Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.

            +Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS. -

            Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

            +Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. > [!Note]
            > If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. -

            If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.

            +If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. -

            If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

            +If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. -

            Sample value for this node to enable this policy is:

            +Sample value for this node to enable this policy is: ```xml ``` -

            The possible values for 'xx' are:

            +The possible values for 'xx' are:
            • true = Explicitly allow
            • false = Policy not set
            -

            The possible values for 'yy' are:

            +The possible values for 'yy' are:
            • 2 = Allowed
            • 1 = Required
            • 0 = Disallowed
            -

            The possible values for 'zz' are:

            +The possible values for 'zz' are:
            • 2 = Store recovery passwords only
            • 1 = Store recovery passwords and key packages
            -

            Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:

            +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml @@ -557,10 +570,10 @@ The following diagram shows the BitLocker configuration service provider in tree ``` -

            Data type is string. Supported operations are Add, Get, Replace, and Delete.

            +Data type is string. Supported operations are Add, Get, Replace, and Delete. **FixedDrivesRecoveryOptions** -

            This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().

            +This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (). @@ -581,7 +594,7 @@ The following diagram shows the BitLocker configuration service provider in tree
            Homecross mark
            -

            ADMX Info:

            +ADMX Info:
            • GP English name: Choose how BitLocker-protected fixed drives can be recovered
            • GP name: FDVRecoveryUsage_Name
            • @@ -592,39 +605,39 @@ The following diagram shows the BitLocker configuration service provider in tree > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -

              This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.

              +This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker. -

              The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

              +The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. -

              In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

              +In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. -

              Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

              +Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. -

              Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.

              +Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD. -

              Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

              +Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. -

              Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.

              +Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS. > [!Note]
              > If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated. -

              If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.

              +If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. -

              If this setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

              +If this setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. -

              Sample value for this node to enable this policy is:

              +Sample value for this node to enable this policy is: ```xml ``` -

              The possible values for 'xx' are:

              +The possible values for 'xx' are:
              • true = Explicitly allow
              • false = Policy not set
              -

              The possible values for 'yy' are:

              +The possible values for 'yy' are:
              • 2 = Allowed
              • 1 = Required
              • @@ -632,13 +645,13 @@ The following diagram shows the BitLocker configuration service provider in tree
              -

              The possible values for 'zz' are:

              +The possible values for 'zz' are:
              • 2 = Store recovery passwords only
              • 1 = Store recovery passwords and key packages
              -

              Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:

              +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml @@ -655,10 +668,10 @@ The following diagram shows the BitLocker configuration service provider in tree ``` -

              Data type is string. Supported operations are Add, Get, Replace, and Delete.

              +Data type is string. Supported operations are Add, Get, Replace, and Delete. **FixedDrivesRequireEncryption** -

              This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).

              +This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name). @@ -679,7 +692,7 @@ The following diagram shows the BitLocker configuration service provider in tree
              Homecross mark
              -

              ADMX Info:

              +ADMX Info:
              • GP English name: Deny write access to fixed drives not protected by BitLocker
              • GP name: FDVDenyWriteAccess_Name
              • @@ -690,17 +703,17 @@ The following diagram shows the BitLocker configuration service provider in tree > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -

                This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.

                +This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. -

                If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

                +If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. -

                Sample value for this node to enable this policy is:

                +Sample value for this node to enable this policy is: ```xml ``` -

                If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML:

                +If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML: ```xml @@ -717,10 +730,10 @@ The following diagram shows the BitLocker configuration service provider in tree ``` -

                Data type is string. Supported operations are Add, Get, Replace, and Delete.

                +Data type is string. Supported operations are Add, Get, Replace, and Delete. **RemovableDrivesRequireEncryption** -

                This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).

                +This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name). @@ -741,7 +754,7 @@ The following diagram shows the BitLocker configuration service provider in tree
                Homecross mark
                -

                ADMX Info:

                +ADMX Info:
                • GP English name: Deny write access to removable drives not protected by BitLocker
                • GP name: RDVDenyWriteAccess_Name
                • @@ -752,29 +765,29 @@ The following diagram shows the BitLocker configuration service provider in tree > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -

                  This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

                  +This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. -

                  If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

                  +If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. -

                  If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.

                  +If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. -

                  If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.

                  +If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. > [!Note]
                  > This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. -

                  Sample value for this node to enable this policy is:

                  +Sample value for this node to enable this policy is: ```xml ``` -

                  The possible values for 'xx' are:

                  +The possible values for 'xx' are:
                  • true = Explicitly allow
                  • false = Policy not set
                  -

                  Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:

                  +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml @@ -793,7 +806,7 @@ The following diagram shows the BitLocker configuration service provider in tree **AllowWarningForOtherDiskEncryption** -

                  Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.

                  +Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1. > [!IMPORTANT] > Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview). @@ -822,7 +835,7 @@ The following diagram shows the BitLocker configuration service provider in tree -

                  The following list shows the supported values:

                  +The following list shows the supported values: - 0 – Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. - 1 (default) – Warning prompt allowed. diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 5664409319..41612181c5 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -372,7 +372,7 @@ Data type is string. Enroll a client certificate through SCEP. -``` syntax +```xml @@ -571,7 +571,7 @@ Enroll a client certificate through SCEP. Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate fro "My" store. -``` syntax +```xml diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md index 432b10a418..301c28ea8e 100644 --- a/windows/client-management/mdm/cm-proxyentries-csp.md +++ b/windows/client-management/mdm/cm-proxyentries-csp.md @@ -90,7 +90,7 @@ Specifies the username used to connect to the proxy. To delete both a proxy and its associated connection, you must delete the proxy first, and then delete the connection. The following example shows how to delete the proxy and then the connection. -``` syntax +```xml diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 2579fa4d39..744a4be799 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -215,7 +215,7 @@ Supported product status values: Example: -``` syntax +```xml @@ -224,7 +224,7 @@ Example: ./Vendor/MSFT/Defender/Health/ProductStatus - + 
diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 31cb8df991..85de08a137 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -73,7 +73,7 @@ When the PC is already enrolled in MDM, you can remotely collect logs from the P Example: Enable the Debug channel logging -``` syntax +```xml diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 09b61984c1..aa61f9d50b 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -262,7 +262,7 @@ Stores specifies which certificate stores the DM client will search to find the Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following: -``` syntax +```xml ``` diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 49635be46f..03e82dc9e8 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -56,7 +56,7 @@ Here is an easy way to get the EAP configuration from your desktop using the ras 9. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML. - ``` syntax + ```powershell Get-VpnConnection -Name Test ``` @@ -80,17 +80,17 @@ Here is an easy way to get the EAP configuration from your desktop using the ras IdleDisconnectSeconds : 0 ``` - ``` syntax + ```powershell $a = Get-VpnConnection -Name Test ``` - ``` syntax + ```powershell $a.EapConfigXmlStream.InnerXml ``` Here is an example output - ``` syntax + ```xml 1300 13 
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index a14f71ce2d..3870f7d385 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -314,16 +314,16 @@ For DHA-OnPrem & DHA-EMC scenarios, send a SyncML command to the HASEndpoint nod The following example shows a sample call that instructs a managed device to communicate with an enterprise managed DHA-Service. -``` syntax - - 1 - - - ./Vendor/MSFT/HealthAttestation/HASEndpoint - - www.ContosoDHA-Service - - +```xml + + 1 + + + ./Vendor/MSFT/HealthAttestation/HASEndpoint + + www.ContosoDHA-Service + + ``` @@ -334,24 +334,24 @@ Send a SyncML call to start collection of the DHA-Data. The following example shows a sample call that triggers collection and verification of health attestation data from a managed device. -``` syntax - - 1 - - - ./Vendor/MSFT/HealthAttestation/VerifyHealth - - - +```xml + + 1 + + + ./Vendor/MSFT/HealthAttestation/VerifyHealth + + + - - 2 - - - ./Vendor/MSFT/HealthAttestation/Status - - - + + 2 + + + ./Vendor/MSFT/HealthAttestation/Status + + + ``` ## **Step 4: Take action based on the clients response** @@ -364,21 +364,21 @@ After the client receives the health attestation request, it sends a response. T Here is a sample alert that is issued by DHA_CSP: -``` syntax - - 1 - 1226 - - - ./Vendor/MSFT/HealthAttestation/VerifyHealth - - - com.microsoft.mdm:HealthAttestation.Result - int - - 3 - - +```xml + + 1 + 1226 + + + ./Vendor/MSFT/HealthAttestation/VerifyHealth + + + com.microsoft.mdm:HealthAttestation.Result + int + + 3 + + ``` - If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). 
@@ -389,35 +389,34 @@ Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and Here is an example: -``` syntax +```xml - 1 - - - ./Vendor/MSFT/HealthAttestation/Nonce - - AAAAAAAAAFFFFFFF - + 1 + + + ./Vendor/MSFT/HealthAttestation/Nonce + + AAAAAAAAAFFFFFFF + - - 2 - - - ./Vendor/MSFT/HealthAttestation/Certificate - - - - - - 3 - - - ./Vendor/MSFT/HealthAttestation/CorrelationId - - - + + 2 + + + ./Vendor/MSFT/HealthAttestation/Certificate + + + + + 3 + + + ./Vendor/MSFT/HealthAttestation/CorrelationId + + + ``` ## **Step 6: Forward device health attestation data to DHA-service** @@ -1019,8 +1018,8 @@ Each of these are described in further detail in the following sections, along w ## DHA-Report V3 schema -``` syntax - +```xml + Valid values are: - - 0 (default) - Both TCP and UDP - - 1 - TCP - - 2 - UDP +- 0 (default) - Both TCP and UDP +- 1 - TCP +- 2 - UDP

                  The data type is int. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 5ce6a56526..9feb66be2d 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md 
@@ -478,11 +478,11 @@ An XML blob that specifies the application restrictions company want to put to t > > Here's additional guidance for the upgrade process: > -> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). -> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it. -> - In the SyncML, you must use lowercase product ID. -> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. -> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents). +> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). +> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it. +> - In the SyncML, you must use lowercase product ID. +> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. +> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents). An application that is running may not be immediately terminated. 
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index f796a9ae53..067c82000d 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -1821,7 +1821,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. +Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit. If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. @@ -2815,4 +2815,3 @@ Footnote: - [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent) - [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction) - diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 8e0abebf9d..b1150dc1b9 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md 
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -65,7 +65,7 @@ manager: dansimp -Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). +Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). The system settings require a reboot; the application settings do not require a reboot. diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 5e4b03fa34..1553b89d93 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md 
@@ -70,8 +70,8 @@ manager: dansimp This setting determines whether non-administrators can use Task Manager to end tasks. Value type is integer. Supported values: - - 0 - Disabled. EndTask functionality is blocked in TaskManager. - - 1 - Enabled (default). Users can perform EndTask in TaskManager. +- 0 - Disabled. EndTask functionality is blocked in TaskManager. +- 1 - Enabled (default). Users can perform EndTask in TaskManager. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index fbef0fce58..fdb6615bf6 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 05/21/2019 +ms.date: 08/16/2019 ms.reviewer: manager: dansimp --- @@ -1072,7 +1072,7 @@ The following list shows the supported values: - 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709) - 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709) - 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). -- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903) +- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the Semi-annual Channel and Semi-annual Channel (Targeted) into a single Semi-annual Channel with a value of 16) 
@@ -2418,13 +2418,11 @@ The following list shows the supported values: To validate this policy: -1. Enable the policy ensure the device is on a cellular network. +1. Enable the policy and ensure the device is on a cellular network. 2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: - - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` - - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. + ```TShell + exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' + ``` @@ -2472,11 +2470,6 @@ Added in Windows 10, version 1703. Specifies whether to ignore the MO download > [!WARNING] > Setting this policy might cause devices to incur costs from MO operators. - - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. - The following list shows the supported values: @@ -2489,7 +2482,10 @@ The following list shows the supported values: To validate this policy: 1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: +2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: + ```TShell + exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' + ``` 
@@ -3874,20 +3870,20 @@ The following list shows the supported values: Example -``` syntax - - $CmdID$ - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl - - http://abcd-srv:8530 - - +```xml + + $CmdID$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl + + http://abcd-srv:8530 + + ``` diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md index ea985de378..3ea4ca8ee0 100644 --- a/windows/client-management/mdm/remotelock-csp.md +++ b/windows/client-management/mdm/remotelock-csp.md @@ -117,7 +117,7 @@ A Get operation on this node must follow an Exec operation on the /RemoteLock/Lo Initiate a remote lock of the device. -``` syntax +```xml 1 @@ -130,7 +130,7 @@ Initiate a remote lock of the device. Initiate a remote lock and PIN reset of the device. To successfully retrieve the new device-generated PIN, the commands must be executed together and in the proper sequence as shown below. -``` syntax +```xml 1 diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md index 21149dd08e..726df442f0 100644 --- a/windows/client-management/mdm/remotering-csp.md +++ b/windows/client-management/mdm/remotering-csp.md @@ -31,14 +31,14 @@ The supported operation is Exec. The following sample shows how to initiate a remote ring on the device. -``` syntax +```xml - 5 - - - ./Vendor/MSFT/RemoteRing/Ring - - + 5 + + + ./Vendor/MSFT/RemoteRing/Ring + + ``` diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md index 44828e2d90..1f1391ff33 100644 --- a/windows/client-management/mdm/reporting-csp.md +++ b/windows/client-management/mdm/reporting-csp.md @@ -81,7 +81,7 @@ Supported operations are Get and Replace. Retrieve all available Windows Information Protection (formerly known as Enterprise Data Protection) logs starting from the specified StartTime. -``` syntax +```xml 
@@ -104,7 +104,7 @@ Retrieve all available Windows Information Protection (formerly known as Enterpr Retrieve a specified number of security auditing logs starting from the specified StartTime. -``` syntax +```xml diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md index 91478addbe..9b8b3ce65d 100644 --- a/windows/client-management/mdm/securitypolicy-csp.md +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -199,7 +199,7 @@ The following security roles are supported. Setting a security policy: -``` syntax +```xml @@ -209,7 +209,7 @@ Setting a security policy: Querying a security policy: -``` syntax +```xml @@ -222,7 +222,7 @@ Querying a security policy: Setting a security policy: -``` syntax +```xml … @@ -245,7 +245,7 @@ Setting a security policy: Querying a security policy: -``` syntax +```xml … diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md index 7791fe19fd..0e0293bca8 100644 --- a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md @@ -53,7 +53,7 @@ The following table shows the OMA DM versions that are supported. The following example shows the general structure of the XML document sent by the server using OMA DM version 1.2.1 for demonstration purposes only. The initial XML packages exchanged between client and server could contain additional XML tags. For a detailed description and samples for those packages, see the [OMA Device Management Protocol 1.2.1](https://go.microsoft.com/fwlink/p/?LinkId=526902) specification. -``` syntax +```xml 1.2 @@ -107,7 +107,7 @@ The following example shows the header component of a DM message. In this case,   -``` syntax +```xml 1.2 DM/1.2 
@@ -130,7 +130,7 @@ SyncBody contains one or more DM commands. The SyncBody can contain multiple DM The following example shows the body component of a DM message. In this example, SyncBody contains only one command, Get. This is indicated by the <Final /> tag that occurs immediately after the terminating tag for the Get command.
-``` syntax
+```xml
@@ -157,7 +157,7 @@ The Replace command is used to update a device setting. The following example illustrates how to use the Replace command to update a device setting.
-``` syntax
+```xml 1.2 DM/1.2
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index ded1d293de..09ea7f32d0 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -481,7 +481,7 @@ Adding a SUPL and a V2 UPL account to the same device. Values in italic must be Adding a SUPL account to a device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value.
-``` syntax
+```xml
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index 50b1862e82..fcb23c170c 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -39,52 +39,52 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

                  Here's a SyncML example. -``` syntax - - - - 1 - - - ./Vendor/MSFT/SurfaceHub/DeviceAccount/UserPrincipalName - - - chr - - user@contoso.com - - - - 2 - - - ./Vendor/MSFT/SurfaceHub/DeviceAccount/Password - - - chr - - password - - - - 3 - - - ./Vendor/MSFT/SurfaceHub/DeviceAccount/ValidateAndCommit - - - - - 4 - - - ./Vendor/MSFT/SurfaceHub/DeviceAccount/ErrorContext - - - - - - +```xml + + + + 1 + + + ./Vendor/MSFT/SurfaceHub/DeviceAccount/UserPrincipalName + + + chr + + user@contoso.com + + + + 2 + + + ./Vendor/MSFT/SurfaceHub/DeviceAccount/Password + + + chr + + password + + + + 3 + + + ./Vendor/MSFT/SurfaceHub/DeviceAccount/ValidateAndCommit + + + + + 4 + + + ./Vendor/MSFT/SurfaceHub/DeviceAccount/ErrorContext + + + + + + ```

                  To use a device account from Active Directory
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index e546efa7f6..36f46f9df1 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -37,20 +37,20 @@ The following diagram shows the TPMPolicy configuration service provider in tree Here is an example:
-``` syntax - - 101 - - - - ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust - - - - bool - text/plain - - true - - +```xml + + 101 + + + + ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust + + + + bool + text/plain + + true + + ```
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 5fa7655902..fa5597ecf6 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -598,7 +598,7 @@ Value type is bool. Supported operations include Get, Add, Replace, and Delete. Profile example
-``` syntax
+```xml
@@ -657,244 +657,241 @@ Profile example AppTriggerList -``` syntax +```xml - - 10013 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/0/App/Id - - %PROGRAMFILES%\Internet Explorer\iexplore.exe - - - - 10014 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/1/App/Id - - %PROGRAMFILES% (x86)\Internet Explorer\iexplore.exe - - - - - 10015 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/2/App/Id - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - + + 10013 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/0/App/Id + + %PROGRAMFILES%\Internet Explorer\iexplore.exe + + + + 10014 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/1/App/Id + + %PROGRAMFILES% (x86)\Internet Explorer\iexplore.exe + + + + + 10015 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/2/App/Id + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + ``` RouteList and ExclusionRoute -``` syntax - - - 10008 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/Address - - 192.168.0.0 - - - - 10009 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/PrefixSize - - - int - - 24 - - - - 10010 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/ExclusionRoute - - - bool - - true - - - +```xml + + 10008 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/Address + + 192.168.0.0 + + + + 10009 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/PrefixSize + + + int + + 24 + + + + 10010 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/ExclusionRoute + + + bool + + true + + ``` DomainNameInformationList -``` syntax - - - - 10013 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DomainName - - .contoso.com - - - - 10014 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DnsServers - - 192.168.0.11,192.168.0.12 - - - +```xml + + + 10013 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DomainName + + .contoso.com + + + + 10014 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DnsServers + + 
192.168.0.11,192.168.0.12 + + + - - 10013 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/DomainName - - .contoso.com - - - - - 10015 - - -./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/WebProxyServers - - 192.168.0.100:8888 - - - + + 10013 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/DomainName + + .contoso.com + + + + + 10015 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/WebProxyServers + + 192.168.0.100:8888 + + + - - - 10016 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DomainName - - finance.contoso.com - - - - 10017 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DnsServers - - 192.168.0.11,192.168.0.12 - - - + + + 10016 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DomainName + + finance.contoso.com + + + + 10017 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DnsServers + + 192.168.0.11,192.168.0.12 + + + - - - 10016 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/DomainName - - finance.contoso.com - - - - 10017 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/WebProxyServers - - 192.168.0.11:8080 - - - + + + 10016 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/DomainName + + finance.contoso.com + + + + 10017 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/WebProxyServers + + 192.168.0.11:8080 + + + - - 10016 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DomainName - - . - - - - 10017 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DnsServers - - 192.168.0.11,192.168.0.12 - - - + + 10016 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DomainName + + . 
+ + + + 10017 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DnsServers + + 192.168.0.11,192.168.0.12 + + + - - - 10016 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/DomainName - - . - - - - 10017 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/WebProxyServers - - 192.168.0.11 - - + + + 10016 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/DomainName + + . + + + + 10017 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/WebProxyServers + + 192.168.0.11 + + ``` AutoTrigger -``` syntax +```xml - 10010 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/AutoTrigger - - - bool - - true - - + 10010 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/AutoTrigger + + + bool + + true + + ``` Persistent -``` syntax +```xml - 10010 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/Persistent - - - bool - - true - - + 10010 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/Persistent + + + bool + + true + + ``` TrafficFilterLIst App -``` syntax +```xml Desktop App 10013 @@ -929,7 +926,7 @@ TrafficFilterLIst App Protocol, LocalPortRanges, RemotePortRanges, LocalAddressRanges, RemoteAddressRanges, RoutingPolicyType, EDPModeId, RememberCredentials, AlwaysOn, Lockdown, DnsSuffix, TrustedNetworkDetection -``` syntax +```xml Protocol $CmdID$ @@ -1077,7 +1074,7 @@ Protocol Proxy - Manual or AutoConfigUrl -``` syntax +```xml Manual $CmdID$ @@ -1103,7 +1100,7 @@ Manual Device Compliance - Sso -``` syntax +```xml Enabled 10011 @@ -1143,7 +1140,7 @@ Device Compliance - Sso PluginProfile -``` syntax +```xml PluginPackageFamilyName @@ -1181,7 +1178,7 @@ PluginPackageFamilyName NativeProfile -``` syntax +```xml Servers 10001 diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index 2aa15af132..fbb8abae88 100644 
--- a/windows/client-management/mdm/vpnv2-profile-xsd.md
+++ b/windows/client-management/mdm/vpnv2-profile-xsd.md
@@ -344,7 +344,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro ## Plug-in profile example
-``` syntax
+```xml testserver1.contoso.com;testserver2.contoso..com
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md
index 0a7adafa8c..eff35b4fd4 100644
--- a/windows/client-management/mdm/w7-application-csp.md
+++ b/windows/client-management/mdm/w7-application-csp.md
@@ -160,7 +160,7 @@ Stores specifies which certificate stores the DM client will search to find the Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following:
-``` syntax
+```xml ```
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index 7db7e01ffb..79992abc08 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -121,7 +121,7 @@ These XML examples show how to perform various tasks using OMA DM. The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork,' a proxy URL 'testproxy,' and port 80.
-``` syntax
+```xml
@@ -160,7 +160,7 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwor The following example shows how to query Wi-Fi profiles installed on an MDM server.
-``` syntax
+```xml 301
@@ -173,7 +173,7 @@ The following example shows how to query Wi-Fi profiles installed on an MDM serv The following example shows the response.
-``` syntax
+```xml 3 1
@@ -190,17 +190,17 @@ The following example shows the response. The following example shows how to remove a network with SSID ‘MyNetwork’ and no proxy. Removing all network authentication types is done in this same manner.
-``` syntax
+```xml - 300 - - 301 - - - ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml - - - + 300 + + 301 + + + ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml + + + ```
@@ -208,21 +208,21 @@ The following example shows how to remove a network with SSID ‘MyNetwork’ an The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetwork’ and root CA validation for server certificate.
-``` syntax
+```xml - 300 - - 301 - - - ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml - - - chr - - MyNetworkMyNetworkfalseESSmanualWPA2AEStrueuser2500025true InsertCertThumbPrintHere truefalse26falsefalsefalsetruefalse - - + 300 + + 301 + + + ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml + + + chr + + MyNetworkMyNetworkfalseESSmanualWPA2AEStrueuser2500025true InsertCertThumbPrintHere truefalse26falsefalsefalsetruefalse + + ```
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
index f4394c7d54..2570e65b3d 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@@ -11,7 +11,7 @@ ms.reviewer: manager: dansimp ---
-# Win32CompatibilityAppraiser CSP
+# Win32CompatibilityAppraiser CSP > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index 6ae22efd72..2508fa2863 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -120,7 +120,7 @@ The following list describes the characteristics and parameters. ## Examples
-``` syntax
+```xml
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 0b9e8aa3aa..7831cfbce6 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -30,9 +30,9 @@ Interior node. Supported operation is Get. **Settings/AllowWindowsDefenderApplicationGuard** Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
- - - 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment. - - 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container.
+
+- 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment.
+- 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container. **Settings/ClipboardFileType** Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
index 4d421e7c6a..b6fb182eae 100644
--- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
@@ -27,7 +27,7 @@ The child node names of the result from a WMI query are separated by a forward s Get the list of network adapters from the device.
-``` syntax
+```xml ./cimV2/Win32_NetworkAdapter
@@ -37,7 +37,7 @@ Get the list of network adapters from the device. Result
-``` syntax
+```xml ./cimV2/Win32_NetworkAdapter
diff --git a/windows/client-management/reset-a-windows-10-mobile-device.md b/windows/client-management/reset-a-windows-10-mobile-device.md
index 945ba0f15a..e90c985fdb 100644
--- a/windows/client-management/reset-a-windows-10-mobile-device.md
+++ b/windows/client-management/reset-a-windows-10-mobile-device.md
@@ -66,7 +66,7 @@ To perform a "wipe and persist" reset, preserving the provisioning applied to th ```
-## Reset using the UI
+## Reset using the UI 1. On your mobile device, go to **Settings** > **System** > **About** > **Reset your Phone**
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md
index ac7e1e2391..27b46491dc 100644
--- a/windows/client-management/troubleshoot-inaccessible-boot-device.md
+++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md
@@ -17,7 +17,7 @@ manager: dansimp This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error may occur after some changes are made to the computer, or immediately after you deploy Windows on the computer.
-## Causes of the Inaccessible_Boot_Device Stop error
+## Causes of the Inaccessible_Boot_Device Stop error Any one of the following factors may cause the stop error:
@@ -37,7 +37,7 @@ Any one of the following factors may cause the stop error: * Corrupted files in the **Boot** partition (for example, corruption in the volume that is labeled **SYSTEM** when you run the `diskpart` > `list vol` command)
-## Troubleshoot this error
+## Troubleshoot this error Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). To do this, follow these steps.
@@ -47,9 +47,9 @@ Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com 3. On the **System Recovery Options** screen, select **Next** > **Command Prompt** .
-### Verify that the boot disk is connected and accessible
+### Verify that the boot disk is connected and accessible
-#### Step 1
+#### Step 1 At the WinRE Command prompt, run `diskpart`, and then run `list disk`.
@@ -67,7 +67,7 @@ If the computer uses a Unified Extensible Firmware Interface (UEFI) startup inte If the computer uses a basic input/output system (BIOS) interface, there will not be an asterisk in the **Dyn** column.
-#### Step 2
+#### Step 2 If the `list disk` command lists the OS disks correctly, run the `list vol` command in `diskpart`.
@@ -88,7 +88,7 @@ If the `list disk` command lists the OS disks correctly, run the `list vol` comm >[!NOTE] >If the disk that contains the OS is not listed in the output, you will have to engage the OEM or virtualization manufacturer.
-### Verify the integrity of Boot Configuration Database
+### Verify the integrity of Boot Configuration Database Check whether the Boot Configuration Database (BCD) has all the correct entries. To do this, run `bcdedit` at the WinRE command prompt.
@@ -163,7 +163,7 @@ If you do not have a Windows 10 ISO, you must format the partition and copy **bo 4. Right-click the partition, and then format it.
-### Troubleshooting if this issue occurs after a Windows Update installation
+### Troubleshooting if this issue occurs after a Windows Update installation Run the following command to verify the Windows update installation and dates:
@@ -203,9 +203,9 @@ After you run this command, you will see the **Install pending** and **Uninstall 11. Expand **Control\Session Manager**. Check whether the **PendingFileRenameOperations** key exists. If it does, back up the **SessionManager** key, and then delete the **PendingFileRenameOperations** key.
-### Verifying boot critical drivers and services
+### Verifying boot critical drivers and services
-#### Check services
+#### Check services 1. Follow steps 1-10 in the "Troubleshooting if this issue occurs after an Windows Update installation" section. (Step 11 does not apply to this procedure.)
@@ -235,7 +235,7 @@ ren SYSTEM SYSTEM.old copy OSdrive:\Windows\System32\config\RegBack\SYSTEM OSdrive:\Windows\System32\config\ ```
-#### Check upper and lower filter drivers
+#### Check upper and lower filter drivers Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they do not exist on another, similar working computer. if they do exist, remove the upper and lower filter drivers:
@@ -268,7 +268,7 @@ The reason that these entries may affect us is because there may be an entry in >[!NOTE] >If there actually is a service that is set to **0** or **1** that corresponds to an **UpperFilters** or **LowerFilters** entry, setting the service to disabled in the **Services** registry (as discussed in steps 2 and 3 of the Check services section) without removing the **Filter Driver** entry causes the computer to crash and generate a 0x7b Stop error.
-### Running SFC and Chkdsk
+### Running SFC and Chkdsk If the computer still does not start, you can try to run a **chkdisk** process on the system drive, and also run System File Checker. To do this, run the following commands at a WinRE command prompt:
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index 56de2504c6..977161bcd3 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -23,12 +23,12 @@ ms.date: 11/15/2017 - Windows 10
->**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
+> **Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
->[!IMPORTANT]
->If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
+> [!IMPORTANT]
+> If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy. **Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions.
@@ -39,14 +39,15 @@ Three features enable Start and taskbar layout control: - The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
- >[!NOTE]
- >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.
+ > [!NOTE]
+ > To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet. - [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. - In Windows Configuration Designer, you use the **Policies/Start/StartLayout** setting to provide the contents of the .xml file that defines the Start and taskbar layout. - + + ## Prepare the Start layout XML file The **Export-StartLayout** cmdlet produces an XML file. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout section to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout section to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters.
@@ -61,8 +62,8 @@ The **Export-StartLayout** cmdlet produces an XML file. Because Windows Configur Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md)
->[!IMPORTANT]
->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+> [!IMPORTANT]
+> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. 1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
@@ -76,8 +77,8 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 6. Expand **Runtime settings** > **Policies** > **Start**, and click **StartLayout**.
- >[!TIP]
- >If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**.
+ > [!TIP]
+ > If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**. 7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the layout.xml file in a later step.
diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md
index ff9c230e83..cf28c53e4a 100644
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@@ -16,7 +16,7 @@ ms.author: dansimp ms.topic: article ---
-# Assigned Access configuration (kiosk) XML reference
+# Assigned Access configuration (kiosk) XML reference **Applies to**
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 5d8414295c..2b237f1092 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -172,18 +172,19 @@ Here are the predefined assigned access AppLocker rules for **desktop apps**: The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. + ```xml
-<AllAppsList>
- <AllowedApps>
- <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
- <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
- <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
- <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
- <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
- <App DesktopAppPath="%windir%\system32\mspaint.exe" />
- <App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="123.txt"/>
- </AllowedApps>
-</AllAppsList> + + + + + + + + + + + ``` ##### FileExplorerNamespaceRestrictions
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
index b7a9b2ca2d..2e002f5962 100644
--- a/windows/configuration/start-layout-troubleshoot.md
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -233,10 +233,10 @@ XML files can and should be tested locally on a Hyper-V or other virtual machine - User-initiated changes to the start layout are not roamed. Specifically, behaviors include
- - Applications (apps or icons) pinned to the start menu are missing.
- - Entire tile window disappears.
- - The start button fails to respond.
- - If a new roaming user is created, the first logon appears normal, but on subsequent logons, tiles are missing.
+- Applications (apps or icons) pinned to the start menu are missing.
+- Entire tile window disappears.
+- The start button fails to respond.
+- If a new roaming user is created, the first logon appears normal, but on subsequent logons, tiles are missing. ![Example of a working layout](images/start-ts-3.png)
diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md
index 9dd957088d..cb9a984961 100644
--- a/windows/configuration/wcd/wcd-messaging.md
+++ b/windows/configuration/wcd/wcd-messaging.md
@@ -357,4 +357,4 @@ For networks that require non-standard handling of single-segment incoming MMS W ## Related topics
- - [Customizations for SMS and MMS](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/customizations-for-sms-and-mms)
+- [Customizations for SMS and MMS](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/customizations-for-sms-and-mms)
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index cc903e11ec..2ac2f8253f 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -249,6 +249,7 @@
 ### Use Windows Update for Business
 #### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md)
 #### [Configure Windows Update for Business](update/waas-configure-wufb.md)
+#### [Enforcing compliance deadlines for updates](update/wufb-compliancedeadlines.md)
 #### [Integrate Windows Update for Business with management solutions](update/waas-integrate-wufb.md)
 #### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md)
 #### [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index 85ffed51b0..267732586c 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -1,184 +1,185 @@
----
-title: What's new in Windows 10 deployment
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description: Changes and new features related to Windows 10 deployment
-keywords: deployment, automate, tools, configure, news
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.prod: w10
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro author: greg-lindsay
-ms.topic: article
----
-
-# What's new in Windows 10 deployment
-
-**Applies to**
-- Windows 10
-
-## In this topic
-
-This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization.
-
-- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/index).
-- For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history).
-
-## Recent additions to this page
-
-[SetupDiag](#setupdiag) 1.4.1 is released.
                  -The [Windows ADK for Windows 10, version 1903](https://docs.microsoft.com/windows-hardware/get-started/adk-install) is available.
                  -New [Windows Autopilot](#windows-autopilot) content is available.
                  -[Windows 10 Subscription Activation](#windows-10-subscription-activation) now supports Windows 10 Education. - -## The Modern Desktop Deployment Center - -The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus. - -## Microsoft 365 - -Microsoft 365 is a new offering from Microsoft that combines -- Windows 10 -- Office 365 -- Enterprise Mobility and Security (EMS). - -See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [M365 Enterprise poster](deploy-m365.md#m365-enterprise-poster). - -## Windows 10 servicing and support - -- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon! -- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. -- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). 
In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
-- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
-- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
-- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
-- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
-- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
-
-Microsoft previously announced that we are [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below.
-
-![Support lifecycle](images/support-cycle.png)
-
-## Windows 10 Enterprise upgrade
-
-Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md).
-
-Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
-
-For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
-
-
-## Deployment solutions and tools
-
-### Windows Autopilot
-
-[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices.
-
-The following Windows Autopilot features are available in Windows 10, version 1903 and later:
-
-- [Windows Autopilot for white glove deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
-- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​.
-- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
-- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
-
-### Windows 10 Subscription Activation
-
-Windows 10 Education support has been added to Windows 10 Subscription Activation.
-
-With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education.
For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation).
-
-### SetupDiag
-
-[SetupDiag](upgrade/setupdiag.md) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
-
-SetupDiag version 1.4.1 was released on 5/17/2019.
-
-### Upgrade Readiness
-
-The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
-
-Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
-
-The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
-
-For more information about Upgrade Readiness, see the following topics:
-
-- [Windows Analytics blog](https://aka.ms/blog/WindowsAnalytics/)
-- [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
-
-
-### Update Compliance
-
-Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
-
-Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
-
-For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md).
-
-### Device Health
-
-Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](update/device-health-monitor.md)
-
-### MBR2GPT
-
-MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
-
-There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
-
-For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
-
-
-### Microsoft Deployment Toolkit (MDT)
-
-MDT build 8456 (12/19/2018) is available, including support for Windows 10, version 1809, and Windows Server 2019.
-
-For more information about MDT, see the [MDT resource page](https://docs.microsoft.com/sccm/mdt/).
-
-
-### Windows Assessment and Deployment Kit (ADK)
-
-The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
See the following topics:
-
-- [What's new in ADK kits and tools](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools)
-- [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)
-
-
-## Testing and validation guidance
-
-### Windows 10 deployment proof of concept (PoC)
-
-The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup.
-
-For more information, see the following guides:
-
-- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
-- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
-
-
-## Troubleshooting guidance
-
-[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The topic provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
-
-
-## Online content change history
-
-The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10.
-
-[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)
-
                  [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection) -
                  [Change history for Device Security](/windows/device-security/change-history-for-device-security) -
[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
-
-
-## Related topics
-
-[Overview of Windows as a service](update/waas-overview.md)
-
                  [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md) -
                  [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information) -
                  [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications) -
                  [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) -
[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
+---
+title: What's new in Windows 10 deployment
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+description: Changes and new features related to Windows 10 deployment
+keywords: deployment, automate, tools, configure, news
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.prod: w10
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# What's new in Windows 10 deployment
+
+**Applies to**
+- Windows 10
+
+## In this topic
+
+This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization.
+
+- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/index).
+- For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history).
+
+## Recent additions to this page
+
+[SetupDiag](#setupdiag) 1.6 is released.
                  +The [Windows ADK for Windows 10, version 1903](https://docs.microsoft.com/windows-hardware/get-started/adk-install) is available.
                  +New [Windows Autopilot](#windows-autopilot) content is available.
                  +[Windows 10 Subscription Activation](#windows-10-subscription-activation) now supports Windows 10 Education. + +## The Modern Desktop Deployment Center + +The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus. + +## Microsoft 365 + +Microsoft 365 is a new offering from Microsoft that combines +- Windows 10 +- Office 365 +- Enterprise Mobility and Security (EMS). + +See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [M365 Enterprise poster](deploy-m365.md#m365-enterprise-poster). + +## Windows 10 servicing and support + +- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon! +- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). 
In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
+- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
+- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
+- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
+- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
+- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
+
+Microsoft previously announced that we are [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below.
+
+![Support lifecycle](images/support-cycle.png)
+
+## Windows 10 Enterprise upgrade
+
+Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md).
+
+Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
+
+For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
+
+
+## Deployment solutions and tools
+
+### Windows Autopilot
+
+[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices.
+
+The following Windows Autopilot features are available in Windows 10, version 1903 and later:
+
+- [Windows Autopilot for white glove deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
+- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​.
+- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
+- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
+- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
+
+### Windows 10 Subscription Activation
+
+Windows 10 Education support has been added to Windows 10 Subscription Activation.
+
+With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education.
For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation).
+
+### SetupDiag
+
+[SetupDiag](upgrade/setupdiag.md) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
+
+SetupDiag version 1.6.0.42 was released on 08/08/2019.
+
+### Upgrade Readiness
+
+The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
+
+Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
+
+The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
+
+For more information about Upgrade Readiness, see the following topics:
+
+- [Windows Analytics blog](https://aka.ms/blog/WindowsAnalytics/)
+- [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
+
+
+### Update Compliance
+
+Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
+
+Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
+
+For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md).
+
+### Device Health
+
+Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](update/device-health-monitor.md)
+
+### MBR2GPT
+
+MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
+
+There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
+
+For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
+
+
+### Microsoft Deployment Toolkit (MDT)
+
+MDT build 8456 (12/19/2018) is available, including support for Windows 10, version 1809, and Windows Server 2019.
+
+For more information about MDT, see the [MDT resource page](https://docs.microsoft.com/sccm/mdt/).
+
+
+### Windows Assessment and Deployment Kit (ADK)
+
+The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
See the following topics:
+
+- [What's new in ADK kits and tools](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools)
+- [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)
+
+
+## Testing and validation guidance
+
+### Windows 10 deployment proof of concept (PoC)
+
+The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup.
+
+For more information, see the following guides:
+
+- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
+- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
+- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
+
+
+## Troubleshooting guidance
+
+[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The topic provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
+
+
+## Online content change history
+
+The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10.
+
+[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)
+
                  [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection) +
                  [Change history for Device Security](/windows/device-security/change-history-for-device-security) +
[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
+
+
+## Related topics
+
+[Overview of Windows as a service](update/waas-overview.md)
+
                  [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md) +
                  [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information) +
                  [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications) +
                  [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) +
[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
diff --git a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
index f1f6931c75..a34c87220b 100644
--- a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
+++ b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
@@ -1,93 +1,89 @@ ---- -title: Creating a Custom Compatibility Mode in Compatibility Administrator (Windows 10) -description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. -ms.assetid: 661a1c0d-267f-4a79-8445-62a9a98d09b0 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Creating a Custom Compatibility Mode in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -Windows® provides several *compatibility modes*, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases. - -## What Is a Compatibility Mode? - - -A compatibility mode is a group of compatibility fixes. A compatibility fix, previously known as a shim, is a small piece of code that intercepts API calls from applications. The fix transforms the API calls so that the current version of the operating system supports the application in the same way as previous versions of the operating system. This can be anything from disabling a new feature in Windows to emulating a particular behavior of an older version of the Windows API. - -## Searching for Existing Compatibility Modes - - -The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new compatibility mode, you can search for an existing application and then copy and paste the known fixes into your custom database. 
- -**Important** -Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. - - - -**To search for an existing application** - -1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name. - -2. Click the application name to view the preloaded compatibility modes, compatibility fixes, or AppHelp messages. - -## Creating a New Compatibility Mode - - -If you are unable to find a preloaded compatibility mode for your application, you can create a new one for use by your custom database. - -**Important** -A compatibility mode includes a set of compatibility fixes and must be deployed as a group. Therefore, you should include only fixes that you intend to deploy together to the database. - - - -**To create a new compatibility mode** - -1. In the left-side pane of Compatibility Administrator, underneath the **Custom Databases** heading, right-click the name of the database to which you will apply the compatibility mode, click **Create New**, and then click **Compatibility Mode**. - -2. Type the name of your custom-compatibility mode into the **Name of the compatibility mode** text box. - -3. Select each of the available compatibility fixes to include in your custom-compatibility mode and then click **>**. - - **Important** - If you are unsure which compatibility fixes to add, you can click **Copy Mode**. The **Select Compatibility Mode** dialog box appears and enables you to select from the preloaded compatibility modes. After you select a compatibility mode and click **OK**, any compatibility fixes that are included in the preloaded compatibility mode will be automatically added to your custom-compatibility mode. 
- - - -~~~ -If you have any compatibility fixes that require additional parameters, you can select the fix, and then click **Parameters**. The **Options for <Compatibility\_Fix\_Name>** dialog box appears, enabling you to update the parameter fields. -~~~ - -4. After you are done selecting the compatibility fixes to include, click **OK**. - - The compatibility mode is added to your custom database. - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - - - - - - - - - +--- +title: Creating a Custom Compatibility Mode in Compatibility Administrator (Windows 10) +description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. +ms.assetid: 661a1c0d-267f-4a79-8445-62a9a98d09b0 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Creating a Custom Compatibility Mode in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +Windows® provides several *compatibility modes*, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases. + +## What Is a Compatibility Mode? + + +A compatibility mode is a group of compatibility fixes. A compatibility fix, previously known as a shim, is a small piece of code that intercepts API calls from applications. 
The fix transforms the API calls so that the current version of the operating system supports the application in the same way as previous versions of the operating system. This can be anything from disabling a new feature in Windows to emulating a particular behavior of an older version of the Windows API. + +## Searching for Existing Compatibility Modes + + +The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new compatibility mode, you can search for an existing application and then copy and paste the known fixes into your custom database. + +**Important** +Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. + + + +**To search for an existing application** + +1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name. + +2. Click the application name to view the preloaded compatibility modes, compatibility fixes, or AppHelp messages. + +## Creating a New Compatibility Mode + + +If you are unable to find a preloaded compatibility mode for your application, you can create a new one for use by your custom database. + +**Important** +A compatibility mode includes a set of compatibility fixes and must be deployed as a group. Therefore, you should include only fixes that you intend to deploy together to the database. + + + +**To create a new compatibility mode** + +1. In the left-side pane of Compatibility Administrator, underneath the **Custom Databases** heading, right-click the name of the database to which you will apply the compatibility mode, click **Create New**, and then click **Compatibility Mode**. + +2. 
Type the name of your custom-compatibility mode into the **Name of the compatibility mode** text box. + +3. Select each of the available compatibility fixes to include in your custom-compatibility mode and then click **>**. + + > [!IMPORTANT] + > If you are unsure which compatibility fixes to add, you can click **Copy Mode**. The **Select Compatibility Mode** dialog box appears and enables you to select from the preloaded compatibility modes. After you select a compatibility mode and click **OK**, any compatibility fixes that are included in the preloaded compatibility mode will be automatically added to your custom-compatibility mode. + > If you have any compatibility fixes that require additional parameters, you can select the fix, and then click **Parameters**. The **Options for <Compatibility\_Fix\_Name>** dialog box appears, enabling you to update the parameter fields. + +4. After you are done selecting the compatibility fixes to include, click **OK**. + + The compatibility mode is added to your custom database. + +## Related topics +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + + + + + + + + + diff --git a/windows/deployment/planning/windows-10-1709-removed-features.md b/windows/deployment/planning/windows-10-1709-removed-features.md index 6126b5272f..5a745277d5 100644 --- a/windows/deployment/planning/windows-10-1709-removed-features.md +++ b/windows/deployment/planning/windows-10-1709-removed-features.md 
@@ -1,46 +1,47 @@
----
-title: Windows 10, version 1709 removed features
-description: Learn about features that will be removed in Windows 10, version 1709
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-manager: laurawi
-ms.topic: article
----
-# Features that are removed or deprecated in Windows 10, version 1709
-
-> Applies to: Windows 10, version 1709
-
-The following features and functionalities in the Windows 10, version 1709 are either removed from the product in the current release (*Removed*) or are not in active development and might be removed in future releases.
-
-This list is intended to help customers consider these removals and deprecations for their own planning. The list is subject to change and may not include every deprecated feature or functionality.
-
-For more information about a listed feature or functionality and its replacement, see the documentation for that feature. You can also follow the provided links in this table to see additional resources. 
-
-| Feature | Removed | Not actively developed |
-|----------|---------|------------|
-|**3D Builder app**
                  No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store. | X | | -|**Apndatabase.xml**
                  For more information about the replacement database, see the following Hardware Dev Center articles:
                  [MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
                  [COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | X | | -|**Enhanced Mitigation Experience Toolkit (EMET)**
                  Use will be blocked. Consider using the [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/#fMH3bUDAb5HEstZ5.97) feature of Windows Defender Exploit Guard as a replacement.| X | | -|**IIS 6 Management Compatibility**
                  We recommend that users use alternative scripting tools and a newer management console. | | X | -|**IIS Digest Authentication**
                  We recommend that users use alternative authentication methods.| | X | -|**Microsoft Paint**
                  Will be available through the Windows Store. Functionality integrated into Paint 3D.| | X | -|**Outlook Express**
                  Removing this non-functional legacy code.| X | | -|**Reader app**
                  Functionality to be integrated into Microsoft Edge.| X | | -|**Reading List**
                  Functionality to be integrated into Microsoft Edge.| X | | -|**Resilient File System (ReFS)**
                  Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability.
                  (added: August 17, 2017)| | X | -|**RSA/AES Encryption for IIS**
                  We recommend that users use CNG encryption provider.| | X | -|**Screen saver functionality in Themes**
                  Disabled in Themes (classified as **Removed** in this table). Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lockscreen features and policies are preferred. | X | X | -|**Sync your settings**
                  Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The "Sync your settings" options and the Enterprise State Roaming feature will continue to work.
                  (updated: August 17, 2017) | | X | -|**Syskey.exe**
                  Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see the following Knowledge Base article: [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window)| X | | -|**System Image Backup (SIB) Solution**
                  We recommend that users use full-disk backup solutions from other vendors.| | X | -|**TCP Offload Engine**
                  Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see the following PFE Platform Blog article: [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| X || -|**Tile Data Layer**
                  To be replaced by the Tile Store.| X || -|**TLS RC4 Ciphers**
                  To be disabled by default. For more information, see the following Windows IT Center topic: [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)|| X| -|**Trusted Platform Module (TPM) Owner Password Management**
                  This legacy code to be removed.|| X | -|**Trusted Platform Module (TPM): TPM.msc and TPM Remote Management**
                  To be replaced by a new user interface in a future release.| | X | -|**Trusted Platform Module (TPM) Remote Management**
                  This legacy code to be removed in a future release.|| X | -|**Windows Hello for Business deployment that uses System Center Configuration Manager**
                  Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience.|| X | -|**Windows PowerShell 2.0**
Applications and components should be migrated to PowerShell 5.0+.| | X |
+---
+title: Windows 10, version 1709 removed features
+description: Learn about features that will be removed in Windows 10, version 1709
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: ITPro
+author: greg-lindsay
+manager: laurawi
+ms.topic: article
+---
+# Features that are removed or deprecated in Windows 10, version 1709
+
+> Applies to: Windows 10, version 1709
+
+The following features and functionalities in the Windows 10, version 1709 are either removed from the product in the current release (*Removed*) or are not in active development and might be removed in future releases.
+
+This list is intended to help customers consider these removals and deprecations for their own planning. The list is subject to change and may not include every deprecated feature or functionality.
+
+For more information about a listed feature or functionality and its replacement, see the documentation for that feature. You can also follow the provided links in this table to see additional resources. 
+
+| Feature | Removed | Not actively developed |
+-|-|-
+|**3D Builder app**
                  No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store. | X | | +|**Apndatabase.xml**
                  For more information about the replacement database, see the following Hardware Dev Center articles:
                  [MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
                  [COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | X | | +|**Enhanced Mitigation Experience Toolkit (EMET)**
                  Use will be blocked. Consider using [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/#fMH3bUDAb5HEstZ5.97) as a replacement.| X | | +|**IIS 6 Management Compatibility**
                  We recommend that users use alternative scripting tools and a newer management console. | | X | +|**IIS Digest Authentication**
                  We recommend that users use alternative authentication methods.| | X | +|**Microsoft Paint**
                  Will be available through the Windows Store. Functionality integrated into Paint 3D.| | X | +|**Outlook Express**
                  Removing this non-functional legacy code.| X | | +|**Reader app**
                  Functionality to be integrated into Microsoft Edge.| X | | +|**Reading List**
                  Functionality to be integrated into Microsoft Edge.| X | | +|**Resilient File System (ReFS)**
                  Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability.
                  (added: August 17, 2017)| | X | +|**RSA/AES Encryption for IIS**
                  We recommend that users use CNG encryption provider.| | X | +|**Screen saver functionality in Themes**
                  Disabled in Themes (classified as **Removed** in this table). Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lockscreen features and policies are preferred. | X | X | +|**Sync your settings**
                  Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The "Sync your settings" options and the Enterprise State Roaming feature will continue to work.
                  (updated: August 17, 2017) | | X | +|**Syskey.exe**
                  Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see the following Knowledge Base article: [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window)| X | | +|**System Image Backup (SIB) Solution**
                  We recommend that users use full-disk backup solutions from other vendors.| | X | +|**TCP Offload Engine**
                  Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see the following PFE Platform Blog article: [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| X || +|**Tile Data Layer**
                  To be replaced by the Tile Store.| X || +|**TLS RC4 Ciphers**
                  To be disabled by default. For more information, see the following Windows IT Center topic: [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)|| X| +|**Trusted Platform Module (TPM) Owner Password Management**
                  This legacy code to be removed.|| X | +|**Trusted Platform Module (TPM): TPM.msc and TPM Remote Management**
                  To be replaced by a new user interface in a future release.| | X | +|**Trusted Platform Module (TPM) Remote Management**
                  This legacy code to be removed in a future release.|| X | +|**Windows Hello for Business deployment that uses System Center Configuration Manager**
                  Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience.|| X | +|**Windows PowerShell 2.0**
Applications and components should be migrated to PowerShell 5.0+.| | X |
diff --git a/windows/deployment/planning/windows-10-fall-creators-removed-features.md b/windows/deployment/planning/windows-10-fall-creators-removed-features.md
index bec34fa0f2..9c2f192856 100644
--- a/windows/deployment/planning/windows-10-fall-creators-removed-features.md
+++ b/windows/deployment/planning/windows-10-fall-creators-removed-features.md
@@ -1,87 +1,107 @@
----
-title: Windows 10 Fall Creators Update - Features removed or planned for removal
-description: Which features were removed in Windows 10 Fall Creators Update (version 1709)? Which features are we thinking of removing in the future?
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.date: 10/09/2017
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.topic: article
----
-# Features removed or planned for replacement starting with Windows 10 Fall Creators Update (version 1709)
-
-> Applies to: Windows 10, version 1709
-
-Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Read on for details about the features and functionalities that we removed in Windows 10 Fall Creators Update (version 1709). This list also includes information about features and functionality that we're considering removing in a future release of Windows 10. This list is intended to make you aware of current and future changes and inform your planning. **The list is subject to change and might not include every affected feature or functionality.**
-
-## Features removed from Windows 10 Fall Creators Update
-We've removed the following features and functionalities from the installed product image in Windows 10, version 1709. Applications, code, or usage that depend on these features won't function in this release unless you employ an alternate method.
-
-### 3D Builder
-No longer installed by default, [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) is still available for download from the Microsoft Store. You can also consider using Print 3D and Paint 3D in its place.
-
-### APN database (Apndatabase.xml)
-Replaced by the Country and Operator Settings Asset (COSA) database. For more information, see the following Hardware Dev Center articles:
-- [Planning your COSA/APN database submission](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
-- [COSA – FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq)
-
-### Enhanced Mitigation Experience Toolkit (EMET)
-Removed from the image, and you're blocked from using it. Consider using the [Exploit Protection feature of Windows Defender Exploit Guard](/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) as a replacement. See the [Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/) for details.
-
-### Outlook Express
-Removed this non-functional code.
-
-### Reader app
-Integrated the Reader functionality into Microsoft Edge.
-
-### Reading list
-Integrated the Reading list functionality into Microsoft Edge.
-
-### Resilient File System (ReFS)
-We changed the way that ReFS works, based on the edition of Windows 10 you have. We didn't **remove** ReFS, but how you can use ReFS depends on your edition.
-
-If you have Windows 10 Enterprise or Windows 10 Pro for Workstations: You can create, read, and write volumes.
-
-If you have any other edition of Windows 10: You can read and write volumes, but you can't create volumes. If you need to create volumes, upgrade to the Enterprise or Pro for Workstations edition.
-
-### Syskey.exe
-Removed this security feature. Instead, we recommend using [BitLocker](/device-security/bitlocker/bitlocker-overview). For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window).
-
-### TCP Offload Engine
-Removed this code. The TCP Offload Engine functionality is now available in the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features (KB4014193)?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193/)
-
-### TPM Owner Password Management
-Removed this code.
-
-## Features being considered for replacement starting after Windows Fall Creators Update
-We are considering removing the following features and functionalities from the installed product image, starting with releases after Windows 10, version 1709. Eventually, we might completely remove them and replace them with other features or functionality (or, in some instances, make them available from different sources). These features and functionalities are *still available* in this release, but **you should begin planning now to either use alternate methods or to replace any applications, code, or usage that depend on these features.**
-
-If you have feedback to share about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
-
-### IIS 6 Management Compatibility
-We're considering replacing the following specific DISM features:
-
-- IIS 6 Metabase Compatibility (Web-Metabase)
-- IIS 6 Management Console (Web-Lgcy-Mgmt-Console)
-- IIS 6 Scripting Tools (Web-Lgcy-Scripting)
-- IIS 6 WMI Compatibility (Web-WMI)
-
-Instead of IIS 6 Metabase Compatibility (which acts as an emulation layer between IIS 6-based metabase scripts and the file-based configuration used by IIS 7 or newer versions) you should start migrating management scripts to target IIS file-based configuration directly, by using tools such as the Microsoft.Web.Administration namespace.
-
-You should also start migration from IIS 6.0 or earlier versions, and move to the [latest version of IIS](/iis/get-started/whats-new-in-iis-10/new-features-introduced-in-iis-10).
-
-### IIS Digest Authentication
-We're considering removing the IIS Digest Authentication method. Instead, you should start using other authentication methods, such as [Client Certificate Mapping](/iis/manage/configuring-security/configuring-one-to-one-client-certificate-mappings) or [Windows Authentication](/iis/configuration/system.webServer/security/authentication/windowsAuthentication/).
-
-### Microsoft Paint
-We're considering removing MS Paint from the basic installed product image - that means it won't be installed by default. **You'll still be able to get the app separately from the [Microsoft Store](https://www.microsoft.com/store/b/home) for free.** Alternately, you can get [Paint 3D](https://www.microsoft.com/store/p/paint-3d/9nblggh5fv99) and [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) from the Microsoft Store today; both of these offer the same functionality as Microsoft Paint, plus additional features.
-
-### RSA/AES Encryption for IIS
-We're considering removing RSA/AES encryption because the superior [Cryptography API: Next Generation (CNG)](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx) method is already available.
-
-### Sync your settings
-We're considering making changes to the back-end storage that will affect the sync process: [Enterprise State Roaming](/azure/active-directory/active-directory-windows-enterprise-state-roaming-overview) and all other users will use a single cloud storage system. Both the "Sync your settings" options and the Enterprise State Roaming feature will continue to work.
+---
+title: Windows 10 Fall Creators Update - Features removed or planned for removal
+description: Which features were removed in Windows 10 Fall Creators Update (version 1709)? Which features are we thinking of removing in the future?
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 10/09/2017
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.topic: article
+---
+
+# Features removed or planned for replacement starting with Windows 10 Fall Creators Update (version 1709)
+
+> Applies to: Windows 10, version 1709
+
+Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Read on for details about the features and functionalities that we removed in Windows 10 Fall Creators Update (version 1709). This list also includes information about features and functionality that we're considering removing in a future release of Windows 10. This list is intended to make you aware of current and future changes and inform your planning. **The list is subject to change and might not include every affected feature or functionality.**
+
+## Features removed from Windows 10 Fall Creators Update
+
+We've removed the following features and functionalities from the installed product image in Windows 10, version 1709. Applications, code, or usage that depend on these features won't function in this release unless you employ an alternate method.
+
+### 3D Builder
+
+No longer installed by default, [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) is still available for download from the Microsoft Store. You can also consider using Print 3D and Paint 3D in its place.
+
+### APN database (Apndatabase.xml)
+
+Replaced by the Country and Operator Settings Asset (COSA) database. For more information, see the following Hardware Dev Center articles:
+
+- [Planning your COSA/APN database submission](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
+- [COSA – FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq)
+
+### Enhanced Mitigation Experience Toolkit (EMET)
+
+Removed from the image, and you're blocked from using it. Consider using the [Exploit Protection feature](/windows/threat-protection/windows-defender-exploit-guard/exploit-protection) as a replacement. See the [Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/) for details.
+
+### Outlook Express
+
+Removed this non-functional code.
+
+### Reader app
+
+Integrated the Reader functionality into Microsoft Edge.
+
+### Reading list
+
+Integrated the Reading list functionality into Microsoft Edge.
+
+### Resilient File System (ReFS)
+
+We changed the way that ReFS works, based on the edition of Windows 10 you have. We didn't **remove** ReFS, but how you can use ReFS depends on your edition.
+
+If you have Windows 10 Enterprise or Windows 10 Pro for Workstations: You can create, read, and write volumes.
+
+If you have any other edition of Windows 10: You can read and write volumes, but you can't create volumes. If you need to create volumes, upgrade to the Enterprise or Pro for Workstations edition.
+
+### Syskey.exe
+
+Removed this security feature. Instead, we recommend using [BitLocker](/device-security/bitlocker/bitlocker-overview). For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window).
+
+### TCP Offload Engine
+
+Removed this code. The TCP Offload Engine functionality is now available in the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features (KB4014193)?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193/)
+
+### TPM Owner Password Management
+
+Removed this code.
+
+## Features being considered for replacement starting after Windows Fall Creators Update
+
+We are considering removing the following features and functionalities from the installed product image, starting with releases after Windows 10, version 1709. Eventually, we might completely remove them and replace them with other features or functionality (or, in some instances, make them available from different sources). These features and functionalities are *still available* in this release, but **you should begin planning now to either use alternate methods or to replace any applications, code, or usage that depend on these features.**
+
+If you have feedback to share about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
+
+### IIS 6 Management Compatibility
+
+We're considering replacing the following specific DISM features:
+
+- IIS 6 Metabase Compatibility (Web-Metabase)
+- IIS 6 Management Console (Web-Lgcy-Mgmt-Console)
+- IIS 6 Scripting Tools (Web-Lgcy-Scripting)
+- IIS 6 WMI Compatibility (Web-WMI)
+
+Instead of IIS 6 Metabase Compatibility (which acts as an emulation layer between IIS 6-based metabase scripts and the file-based configuration used by IIS 7 or newer versions) you should start migrating management scripts to target IIS file-based configuration directly, by using tools such as the Microsoft.Web.Administration namespace.
+
+You should also start migration from IIS 6.0 or earlier versions, and move to the [latest version of IIS](/iis/get-started/whats-new-in-iis-10/new-features-introduced-in-iis-10).
+
+### IIS Digest Authentication
+
+We're considering removing the IIS Digest Authentication method. Instead, you should start using other authentication methods, such as [Client Certificate Mapping](/iis/manage/configuring-security/configuring-one-to-one-client-certificate-mappings) or [Windows Authentication](/iis/configuration/system.webServer/security/authentication/windowsAuthentication/).
+
+### Microsoft Paint
+
+We're considering removing MS Paint from the basic installed product image - that means it won't be installed by default. **You'll still be able to get the app separately from the [Microsoft Store](https://www.microsoft.com/store/b/home) for free.** Alternately, you can get [Paint 3D](https://www.microsoft.com/store/p/paint-3d/9nblggh5fv99) and [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) from the Microsoft Store today; both of these offer the same functionality as Microsoft Paint, plus additional features.
+
+### RSA/AES Encryption for IIS
+
+We're considering removing RSA/AES encryption because the superior [Cryptography API: Next Generation (CNG)](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx) method is already available.
+
+### Sync your settings
+
+We're considering making changes to the back-end storage that will affect the sync process: [Enterprise State Roaming](/azure/active-directory/active-directory-windows-enterprise-state-roaming-overview) and all other users will use a single cloud storage system. Both the "Sync your settings" options and the Enterprise State Roaming feature will continue to work.
diff --git a/windows/deployment/update/images/wufb-pastdeadline-restart-warning.png b/windows/deployment/update/images/wufb-pastdeadline-restart-warning.png
new file mode 100644
index 0000000000..984afea6ed
Binary files /dev/null and b/windows/deployment/update/images/wufb-pastdeadline-restart-warning.png differ
diff --git a/windows/deployment/update/images/wufb-pastdeadline-restartnow.png b/windows/deployment/update/images/wufb-pastdeadline-restartnow.png
new file mode 100644
index 0000000000..c1fe8c04a6
Binary files /dev/null and b/windows/deployment/update/images/wufb-pastdeadline-restartnow.png differ
diff --git a/windows/deployment/update/images/wufb-restart-imminent-warning.png b/windows/deployment/update/images/wufb-restart-imminent-warning.png
new file mode 100644
index 0000000000..5fc96b5cb4
Binary files /dev/null and b/windows/deployment/update/images/wufb-restart-imminent-warning.png differ
diff --git a/windows/deployment/update/images/wufb-update-deadline-warning.png b/windows/deployment/update/images/wufb-update-deadline-warning.png
new file mode 100644
index 0000000000..9a3158583a
Binary files /dev/null and b/windows/deployment/update/images/wufb-update-deadline-warning.png differ
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 4df1a782b7..cda79baf8e 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -4,10 +4,9 @@ description: WSUS allows companies to defer, selectively approve, choose when de
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: greg-lindsay
+author: jaimeo
 ms.localizationpriority: medium
-ms.author: greglin
-ms.date: 10/16/2017
+ms.author: jaimeo
 ms.reviewer:
 manager: laurawi
 ms.topic: article
@@ -23,9 +22,8 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) >[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. -> ->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy or the registry. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. + WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides. 
@@ -35,35 +33,23 @@ When you choose WSUS as your source for Windows updates, you use Group Policy to ## Requirements for Windows 10 servicing with WSUS -To be able to use WSUS to manage and deploy Windows 10 feature updates, you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the [KB3095113](https://support.microsoft.com/kb/3095113) and [KB3159706](https://support.microsoft.com/kb/3159706) patches on the WSUS server. +To be able to use WSUS to manage and deploy Windows 10 feature updates, you must use a supported WSUS version: +- WSUS 10.0.14393 (role in Windows Server 2016) +- WSUS 10.0.17763 (role in Windows Server 2019) +- WSUS 6.2 and 6.3 (role in Windows Server 2012 and Windows Server 2012 R2) +- KB 3095113 and KB 3159706 (or an equivalent update) must be installed on WSUS 6.2 and 6.3. + +> [!IMPORTANT] +> Both [KB 3095113](https://support.microsoft.com/kb/3095113) and [KB 3159706](https://support.microsoft.com/kb/3159706) are included in the **Security Monthly Quality Rollup** starting in July 2017. This means you might not see KB 3095113 and KB 3159706 as installed updates since they might have been installed with a rollup. However, if you need either of these updates, we recommend installing a **Security Monthly Quality Rollup** released after **October 2017** since they contain an additional WSUS update to decrease memory utilization on WSUS's clientwebservice. +>If you have synced either of these updates prior to the security monthly quality rollup, you can experience problems. To recover from this, see [How to Delete Upgrades in WSUS](https://blogs.technet.microsoft.com/wsus/2016/01/29/how-to-delete-upgrades-in-wsus/). + ## WSUS scalability To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. 
WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](https://technet.microsoft.com/library/cc720448%28v=ws.10%29.aspx). -## Express Installation Files -With Windows 10, quality updates will be larger than traditional Windows Updates because they’re cumulative. To manage the bandwidth clients downloading large updates like these will need, WSUS has a feature called *Express Installation Files*. - - At a binary level, files associated with updates may not change a lot. In fact, with cumulative quality updates, most of the content will be from previous updates. Rather than downloading the entire update when only a small percentage of the payload is actually different, Express Installation Files analyze the differences between the new files associated with an update and the existing files on the client. This approach significantly reduces the amount of bandwidth used because only a fraction of the update content is actually delivered. - - **To configure WSUS to download Express Update Files** - -1. Open the WSUS Administration Console. - -2. In the navigation pane, go to *Your_Server*\\**Options**. - -3. In the **Options** section, click **Update Files and Languages**. - - ![Example of UI](images/waas-wsus-fig1.png) - -4. In the **Update Files and Languages** dialog box, select **Download express installation files**. - - ![Example of UI](images/waas-wsus-fig2.png) - - >[!NOTE] - >Because Windows 10 updates are cumulative, enabling Express Installation Files when WSUS is configured to download Windows 10 updates will significantly increase the amount of disk space that WSUS requires. 
Alternatively, when using Express Installation Files for previous versions of Windows, the feature’s positive effects aren’t noticeable because the updates aren’t cumulative. ## Configure automatic updates and update service location @@ -71,11 +57,11 @@ When using WSUS to manage updates on Windows client devices, start by configurin **To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment** -1. Open GPMC. +1. Open Group Policy Management Console (gpmc.msc). -2. Expand Forest\Domains\\*Your_Domain*. +2. Expand *Forest\Domains\\*Your_Domain**. -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. +3. Right-click **Your_Domain**, and then select **Create a GPO in this domain, and Link it here**. ![Example of UI](images/waas-wsus-fig3.png) 
@@ -99,13 +85,13 @@ When using WSUS to manage updates on Windows client devices, start by configurin ![Example of UI](images/waas-wsus-fig5.png) > [!NOTE] - > ?There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx). + > There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx). -10. Right-click the **Specify intranet Microsoft update service location** setting, and then click **Edit**. +10. Right-click the **Specify intranet Microsoft update service location** setting, and then select **Edit**. 11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**. -12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then click **OK**. +12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then select **OK**. >[!NOTE] >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance. 
@@ -113,7 +99,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin ![Example of UI](images/waas-wsus-fig6.png) >[!NOTE] - >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. If you’re unsure which port WSUS is using for client communication, right-click the WSUS Administration site in IIS Manager, and then click **Edit Bindings**. + >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.) As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings. @@ -139,6 +125,7 @@ You can use computer groups to target a subset of devices that have specific qua Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin). + ## Use the WSUS Administration Console to populate deployment rings Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*. 
@@ -205,7 +192,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t >[!TIP] >When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings. -1. Open GPMC. +1. Open Group Policy Management Console (gpmc.msc). 2. Expand Forest\Domains\\*Your_Domain*. @@ -223,10 +210,13 @@ Now that WSUS is ready for client-side targeting, complete the following steps t 8. In the **Enable client-side targeting** dialog box, select **Enable**. -9. In the **Target group name for this computer** box, type **Ring 4 Broad Business Users**. This is the name of the deployment ring in WSUS to which these computers will be added. +9. In the **Target group name for this computer** box, type *Ring 4 Broad Business Users*. This is the name of the deployment ring in WSUS to which these computers will be added. ![Example of UI](images/waas-wsus-fig12.png) +> [!WARNING] +> The target group name must match the computer group name. + 10. Close the Group Policy Management Editor. Now you’re ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring. 
@@ -248,7 +238,8 @@ The next time the clients in the **Ring 4 Broad Business Users** security group For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS. >[!NOTE] ->WSUS respects the client’s servicing branch. If you approve a feature update while it is still Current Branch (CB), WSUS will install the update only on PCs that are in the CB servicing branch. When Microsoft releases the build for Current Branch for Business (CBB), the PCs in the CBB servicing branch will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. +>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for Semi-Annual Channel, the devices in the Semi-Annual Channel will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. + **To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring** 
@@ -277,13 +268,18 @@ For clients that should have their feature updates approved as soon as they’re 9. In the **Automatic Approvals** dialog box, click **OK**. >[!NOTE] - >WSUS does not honor any existing month/week/day deferral settings for CB or CBB. That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait. + >WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait. Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week. +> [!WARNING] +> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows 10 version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actualy want--which can be a problem when the download sizes are very large. + ## Manually approve and deploy feature updates -You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates. +You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. It might be best to approve update rules manually after your pilot deployment has been updated. 
+ +To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates. **To approve and deploy feature updates manually** @@ -301,7 +297,7 @@ You can manually approve updates and set deadlines for installation within the W ![Example of UI](images/waas-wsus-fig16.png) -Now that you have the All Windows 10 Upgrades view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring: +Now that you have the **All Windows 10 Upgrades** view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring: 1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades. diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 4396b9d4b7..49efd6e3b2 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md 
@@ -90,7 +90,7 @@ With Windows 10, Microsoft will package new features into feature updates that c Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of non-security fixes. -In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and non-security fixes. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment devicess contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates. +In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and non-security fixes. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment devices contain. 
This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates. **Figure 1** diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 2b0e2f7f98..2b84969903 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -9,7 +9,7 @@ author: jaimeo ms.localizationpriority: medium ms.audience: itpro author: jaimeo -ms.reviewer: +ms.reviewer: manager: laurawi ms.topic: article --- @@ -22,7 +22,7 @@ ms.topic: article - Windows 10 -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update (WU) on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more. 
@@ -31,7 +31,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure ## Summary of Windows Update settings -| Group Policy setting | MDM setting | Supported from version | +| Group Policy setting | MDM setting | Supported from version | | --- | --- | --- | | [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) | [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | All | | [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) | [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | 1703 | 
@@ -62,9 +62,9 @@ For additional settings that configure when Feature and Quality updates are rece ### Specify Intranet Microsoft update service location Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. -This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. +This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. -To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service. +To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service. 
If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don’t have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them. If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. @@ -125,7 +125,7 @@ If the intranet Microsoft update service supports multiple target groups, this p ### Allow signed updates from an intranet Microsoft update service location -This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. +This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**. 
@@ -148,7 +148,7 @@ To add more flexibility to the update process, settings are available to control Allows admins to exclude Windows Update (WU) drivers during updates. -To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**. +To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**. Enable this policy to not include drivers with Windows quality updates. If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification. 
@@ -192,48 +192,48 @@ To do this, follow these steps: 3. Add one of the following registry values to configure Automatic Update. * NoAutoUpdate (REG_DWORD): - + * **0**: Automatic Updates is enabled (default). - + * **1**: Automatic Updates is disabled. - + * AUOptions (REG_DWORD): - + * **1**: Keep my computer up to date is disabled in Automatic Updates. - + * **2**: Notify of download and installation. - + * **3**: Automatically download and notify of installation. - + * **4**: Automatically download and scheduled installation. - * ScheduledInstallDay (REG_DWORD): - - * **0**: Every day. - - * **1** through **7**: The days of the week from Sunday (1) to Saturday (7). - - * ScheduledInstallTime (REG_DWORD): - - **n**, where **n** equals the time of day in a 24-hour format (0-23). - - * UseWUServer (REG_DWORD) - - Set this value to **1** to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update. - - * RescheduleWaitTime (REG_DWORD) - - **m**, where **m** equals the time period to wait between the time Automatic Updates starts and the time that it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60, representing 1 minute to 60 minutes) - - > [!NOTE] - > This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later versions. - - * NoAutoRebootWithLoggedOnUsers (REG_DWORD): - - **0** (false) or **1** (true). If set to **1**, Automatic Updates does not automatically restart a computer while users are logged on. - - > [!NOTE] - > This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions. + * ScheduledInstallDay (REG_DWORD): + + * **0**: Every day. + + * **1** through **7**: The days of the week from Sunday (1) to Saturday (7). + + * ScheduledInstallTime (REG_DWORD): + + **n**, where **n** equals the time of day in a 24-hour format (0-23). 
+ + * UseWUServer (REG_DWORD) + + Set this value to **1** to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update. + + * RescheduleWaitTime (REG_DWORD) + + **m**, where **m** equals the time period to wait between the time Automatic Updates starts and the time that it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60, representing 1 minute to 60 minutes) + + > [!NOTE] + > This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later versions. + + * NoAutoRebootWithLoggedOnUsers (REG_DWORD): + + **0** (false) or **1** (true). If set to **1**, Automatic Updates does not automatically restart a computer while users are logged on. + + > [!NOTE] + > This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions. To use Automatic Updates with a server that is running Software Update Services, see the Deploying Microsoft Windows Server Update Services 2.0 guidance. @@ -256,7 +256,7 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ - [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Configure Windows Update for Business](waas-configure-wufb.md) diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index bb088093c1..1edad940a4 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md 
@@ -1,100 +1,173 @@ ---- -title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10) -description: Learn how to enforce compliance deadlines using Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 06/20/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# Enforcing compliance deadlines for updates - ->Applies to: Windows 10 - -Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce patch compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer revisions. We offer two compliance flows that you can choose from: - -- [Deadline only](#deadline-only) -- [Deadline with user engagement](#deadline-with-user-engagement) - -## Deadline Only - -This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option. - -### End User Experience - -Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to reboot the device. - ->[!NOTE] ->Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update). - -### Policy overview - -|Policy|Description | -|-|-| -|Specify deadline before auto-restart for update installation|Governs the update experience once the device has entered pending reboot state. 
It specifies a deadline, in days, to enforce compliance (such as imminent install).| -|Configure Auto-restart warning notification schedule for updates|Configures the reminder notification and the warning notification for a scheduled install. The user can dismiss a reminder, but not the warning.| - -### Suggested Configuration - -|Policy|Location|3 Day Compliance|5 Day Compliance|7 Day Compliance | -|-|-|-|-|-| -|Specify deadline before auto-restart for update installation| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline before auto-restart for update installation |State: Enabled
                  **Specify the number of days before pending restart will automatically be executed outside of active hours**: 2|State: Enabled
                  **Specify the number of days before pending restart will automatically be executed outside of active hours**: 3|State: Enabled
                  **Specify the number of days before pending restart will automatically be executed outside of active hours**: 4 - -### Controlling notification experience for deadline - -|Policy| Location|Suggested Configuration | -|-|-|-| -|Configure Auto-restart warning notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart warning notifications schedule for updates |State: Enabled
                  **Reminder** (hours): 2
                  **Warning** (minutes): 60 | - -### Notification experience for deadline - -Notification users get for a quality update deadline: -![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) - -Notification users get for a feature update deadline: -![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png) - -## Deadline with user engagement - -This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active. - -### End user experience - -Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time. - -### Policy overview - -|Policy| Description | -|-|-| -|Specify engaged restart transition and notification schedule for updates|Governs how the user will be impacted by the pending reboot. Transition days, first starts out in Auto-Restart where the device will find an idle moment to reboot the device. After 2 days engaged restart will commence and the user will be able to choose a time| -|Configure Auto-restart required notification for updates|Governs the notifications during the Auto-Restart period. During Active hours, the user will be notified that the device is trying to reboot. 
They will have the option to confirm or dismiss the notification| - -### Suggested configuration - -|Policy| Location| 3 Day Compliance| 5 Day Compliance| 7 Day Compliance | -|-|-|-|-|-| -|Specify engaged restart transition and notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Engaged restart transition and notification schedule for updates|State: Enabled
                  **Transition** (Days): 2
                  **Snooze** (Days): 2
                  **Deadline** (Days): 3|State: Enabled
                  **Transition** (Days): 2
                  **Snooze** (Days): 2
                  **Deadline** (Days): 4|State: Enabled
                  **Transition** (Days): 2
                  **Snooze** (Days): 2
                  **Deadline** (Days): 5| - -### Controlling notification experience for engaged deadline - -|Policy| Location |Suggested Configuration -|-|-|-| -|Configure Auto-restart required notification for updates |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Auto-restart required notification for updates|State: Enabled
                  **Method**: 2- User| - -### Notification experience for engaged deadlines -Notification users get for quality update engaged deadline: -![The notification users get for an impending engaged quality update deadline](images/wufb-quality-engaged-notification.png) - -Notification users get for a quality update deadline: -![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) - -Notification users get for a feature update engaged deadline: -![The notification users get for an impending feature update engaged deadline](images/wufb-feature-update-engaged-notification.png) - -Notification users get for a feature update deadline: -![The notification users get for an impending feature update deadline](images/wufb-feature-update-deadline-notification.png) +--- +title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10) +description: Learn how to enforce compliance deadlines using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# Enforcing compliance deadlines for updates + +>Applies to: Windows 10 + +Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions. 
+ +The compliance options have changed with the release of Windows 10, version 1903: + +- [Starting with Windows 10, version 1903](#starting-with-windows-10-version-1903) +- [Prior to Windows 10, version 1903](#prior-to-windows-10-version-1903) + + +## Starting with Windows 10, version 1903 + +With a current version of Windows 10, it's best to use the new policy introduced in Windows 10, version 1903: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings: + +- Update/ConfigureDeadlineForFeatureUpdates +- Update/ConfigureDeadlineForQualityUpdates +- Update/ConfigureDeadlineGracePeriod +- Update/ConfigureDeadlineNoAutoReboot + +This policy starts the countdown for the update installation deadline from when the update is published, instead of starting with the "restart pending" state as the older policies did. + +The policy also includes a configurable grace period to allow, for example, users who have been away to have extra time before being forced to restart their devices. + +Further, the policy includes the option to opt out of automatic restarts until the deadline is reached by presenting the "engaged restart experience" until the deadline has actually expired. At this point the device will automatically schedule a restart regardless of active hours. + + + +### Policy setting overview + +|Policy|Description | +|-|-| +| (starting in Windows 10, version 1903) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. 
| + + + +### Suggested configurations + +|Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days| +|-|-|-|-|-| +|(starting in Windows 10, version 1903) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 | + +When **Specify deadlines for automatic updates and restarts** is set (starting in Windows 10, version 1903): + +**While restart is pending, before the deadline occurs:** +- For the first few days, the user receives a toast notification +- After this period, the user receives this dialog: + +![The notification users get for an impending restart prior to deadline](images/wufb-update-deadline-warning.png) +- If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur: + +![The notification users get for an impending restart 15 minutes prior to restart](images/wufb-restart-imminent-warning.png) + +**If the restart is still pending after the deadline passes:** +- Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching: + +![The notification users get for an approaching restart deadline](images/wufb-pastdeadline-restart-warning.png) +- Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification: + +![The notification users get for an imminent restart after the deadline](images/wufb-pastdeadline-restartnow.png) + + + + +## Prior to Windows 10, version 1903 + + +Two compliance flows are available: + +- [Deadline only](#deadline-only) +- [Deadline with user engagement](#deadline-with-user-engagement) + +### Deadline only + +This flow only enforces the deadline where the device will attempt to silently restart outside of 
active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option. + +#### End-user experience + +Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to restart the device. + +>[!NOTE] +>Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update). + +#### Policy overview + +|Policy|Description | +|-|-| +|Specify deadline before auto-restart for update installation|Governs the update experience once the device has entered pending restart state. It specifies a deadline, in days, to enforce compliance (such as imminent installation).| +|Configure Auto-restart warning notification schedule for updates|Configures the reminder notification and the warning notification for a scheduled installation. The user can dismiss a reminder, but not the warning.| + + + + +#### Suggested configuration + +|Policy|Location|3-day compliance|5-day compliance|7-day compliance| +|-|-|-|-|-| +|Specify deadline before auto-restart for update installation| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline before auto-restart for update installation |State: Enabled
                  **Specify the number of days before pending restart will automatically be executed outside of active hours:** 2| State: Enabled
                  **Specify the number of days before pending restart will automatically be executed outside of active hours:** 3 | State: Enabled
                  **Specify the number of days before pending restart will automatically be executed outside of active hours:** 4| + +#### Controlling notification experience for deadline + +|Policy| Location|Suggested Configuration | +|-|-|-| +|Configure Auto-restart warning notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart warning notifications schedule for updates |State: Enabled
                  **Reminder** (hours): 2
                  **Warning** (minutes): 60 | + +#### Notification experience for deadline + +Notification users get for a quality update deadline: +![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) + +Notification users get for a feature update deadline: +![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png) + +### Deadline with user engagement + +This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active. + +#### End-user experience + +Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time. + +#### Policy overview + +|Policy| Description | +|-|-| +|Specify engaged restart transition and notification schedule for updates|Governs how the user will be impacted by the pending restart. Transition days, first starts out in Auto-Restart where the device will find an idle moment to restart the device. After 2 days engaged restart will commence and the user will be able to choose a time| +|Configure Auto-restart required notification for updates|Governs the notifications during the Auto-Restart period. During Active hours, the user will be notified that the device is trying to restart. 
They will have the option to confirm or dismiss the notification| + +#### Suggested configuration + +|Policy| Location| 3-day compliance| 5-day compliance| 7-day compliance | +|-|-|-|-|-| +|Specify engaged restart transition and notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Engaged restart transition and notification schedule for updates|State: Enabled
                  **Transition** (Days): 2
                  **Snooze** (Days): 2
                  **Deadline** (Days): 3|State: Enabled
                  **Transition** (Days): 2
                  **Snooze** (Days): 2
                  **Deadline** (Days): 4|State: Enabled
                  **Transition** (Days): 2
                  **Snooze** (Days): 2
                  **Deadline** (Days): 5| + +#### Controlling notification experience for engaged deadline + +|Policy| Location |Suggested Configuration +|-|-|-| +|Configure Auto-restart required notification for updates |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Auto-restart required notification for updates|State: Enabled
                  **Method**: 2- User|
+
+#### Notification experience for engaged deadlines
+
+Notification users get for quality update engaged deadline:
+
+![The notification users get for an impending engaged quality update deadline](images/wufb-quality-engaged-notification.png)
+
+Notification users get for a quality update deadline:
+
+![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png)
+
+Notification users get for a feature update engaged deadline:
+
+![The notification users get for an impending feature update engaged deadline](images/wufb-feature-update-engaged-notification.png)
+
+Notification users get for a feature update deadline:
+
+![The notification users get for an impending feature update deadline](images/wufb-feature-update-deadline-notification.png)
+
+
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index cd3aaab920..a34a0b7891 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -28,7 +28,8 @@ ms.topic: article
 ## About SetupDiag
-Current version of SetupDiag: 1.5.0.0
+Current version of SetupDiag: 1.6.0.42
+>Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues.
 SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
@@ -72,6 +73,8 @@ The [Release notes](#release-notes) section at the bottom of this topic has info
 | /Verbose |

                  • This optional parameter will output much more data to a log file. By default, SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce an additional log file with debugging details. These details can be useful when reporting a problem with SetupDiag.
                  | | /NoTel |
                  • This optional parameter tells SetupDiag.exe not to send diagnostic telemetry to Microsoft.
                  | | /AddReg |
                  • This optional parameter instructs SetupDiag.exe to add failure information to the registry in offline mode. By default, SetupDiag will add failure information to the registry in online mode only. Registry data is added to the following location on the system where SetupDiag is run: **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**.
                  | +| /RegPath |
                  • This optional parameter instructs SetupDiag.exe to add failure information to the registry using the specified path. If this parameter is not specified the default path is **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**. +
                  | Note: The **/Mode** parameter is deprecated in version 1.4.0.0 of SetupDiag.
 - In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In version 1.4.0.0 when you specify /LogsPath then SetupDiag will automatically run in offline mode, therefore the /Mode parameter is not needed.
@@ -147,7 +150,6 @@ SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /LogsPath:D:\Dump
 ## Known issues
 1. Some rules can take a long time to process if the log files involved are large.
-2. If the failing computer is opted into the Insider program and getting regular pre-release updates, or an update is already pending on the computer when SetupDiag is run, it can encounter problems trying to open these log files. This will likely cause a failure to determine a root cause. In this case, try gathering the log files and running SetupDiag in offline mode.
 ## Sample output
@@ -157,7 +159,7 @@ The following is an example where SetupDiag is run in offline mode.
 ```
 D:\SetupDiag>SetupDiag.exe /output:c:\setupdiag\result.xml /logspath:D:\Tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e /format:xml
-SetupDiag v1.5.0.0
+SetupDiag v1.6.0.0
 Copyright (c) Microsoft Corporation. All rights reserved.
 Searching for setup logs...
@@ -318,6 +320,19 @@ Each rule name and its associated unique rule identifier are listed with a descr
 ## Release notes
+08/08/2019 - SetupDiag v1.6.0.42 is released with 60 rules, as a standalone tool available from the Download Center.
+ - Log detection performance is improved. What used to take up to a minute should take around 10 seconds or less.
+ - Added Setup Operation and Setup Phase information to both the results log and the registry information.
+ - This is the last Operation and Phase that Setup was in when the failure occurred.
+ - Added detailed Setup Operation and Setup Phase information (and timing) to output log when /verbose is specified.
+ - Note, if the issue found is a compat block, no Setup Operation or Phase info exists yet and therefore won’t be available.
+ - Added more info to the Registry output.
+ - Detailed ‘FailureData’ info where available. Example: “AppName = MyBlockedApplication” or “DiskSpace = 6603” (in MB)
+ - “Key = Value” data specific to the failure found.
+ - Added ‘UpgradeStartTime’, ‘UpgradeEndTime’ and ‘UpgradeElapsedTime’
+ - Added ‘SetupDiagVersion’, ‘DateTime’ (to indicate when SetupDiag was executed on the system), ‘TargetOSVersion’, ‘HostOSVersion’ and more…
+
+
 06/19/2019 - SetupDiag v1.5.0.0 is released with 60 rules, as a standalone tool available from the Download Center.
 - All date and time outputs are updated to localized format per user request.
 - Added setup Operation and Phase information to /verbose log.
@@ -335,7 +350,7 @@ Each rule name and its associated unique rule identifier are listed with a descr
 - For an example, see [Sample registry key](#sample-registry-key).
 05/17/2019 - SetupDiag v1.4.1.0 is released with 53 rules, as a standalone tool available from the Download Center.
- - This release adds the ability to find and diagnose reset and recovery failures (Push Button Reset).
+ - This release dds the ability to find and diagnose reset and recovery failures (Push Button Reset).
 12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center.
 - This release includes major improvements in rule processing performance: ~3x faster rule processing performance!
@@ -408,7 +423,7 @@ Refer to https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-cod
 ```xml
- 1.5.0.0
+ 1.6.0.0
 FindSPFatalError A4028172-1B09-48F8-AD3B-86CDD7D55852
@@ -459,7 +474,7 @@ Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" f
 ```
 {
- "Version":"1.5.0.0",
+ "Version":"1.6.0.0",
 "ProfileName":"FindSPFatalError",
 "ProfileGuid":"A4028172-1B09-48F8-AD3B-86CDD7D55852",
 "SystemInfo":{
diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
index 93d1f63cc0..c6c73aa23e 100644
--- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
+++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
@@ -5,7 +5,8 @@ manager: laurawi
 ms.author: greglin
 description: Explains additional features of Upgrade Readiness.
 ms.prod: w10
-audience: itpro author: greg-lindsay
+audience: itpro
+author: greg-lindsay
 ms.topic: article
 ms.collection: M365-analytics
 ---
@@ -14,44 +15,9 @@ ms.collection: M365-analytics This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include: -- [Spectre and Meltdown protections](#spectre-and-meltdown-protection-status): Status of devices with respect to their anti-virus, security update, and firmware updates related to protection from the "Spectre" and "Meltdown" vulnerabilities. - [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7, Windows 8.1, or Windows 10 using Internet Explorer. - [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers. -## Spectre and Meltdown protection status -Microsoft has published guidance for IT Pros that outlines the steps you can take to improve protection against the hardware vulnerabilities known as "Spectre" and "Meltdown." See [Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities](https://go.microsoft.com/fwlink/?linkid=867468) for details about the vulnerabilities and steps you can take. - -Microsoft recommends three steps to help protect against the Spectre and Meltdown vulnerabilities: -- Verify that you are running a supported antivirus application. -- Apply all available Windows operating system updates, including the January 2018 and later Windows security updates. -- Apply any applicable processor firmware (microcode) updates provided by your device manufacturer(s). - -Upgrade Readiness reports on status of your devices in these three areas. - -![Spectre-Meltdown protection blades](../images/spectre-meltdown-prod-closeup.png) - ->[!IMPORTANT] ->To provide these blades with data, ensure that your devices can reach the endpoint **http://adl.windows.com**. 
(See [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started) for more about necessary endpoints and how to whitelist them.) - -### Anti-virus status blade -This blade helps you determine if your devices' anti-virus solution is compatible with the latest Windows operating system updates. It shows the number of devices that have an anti-virus solution with no known issues, issues reported, or an unknown status for a particular Windows security update. In the following example, an anti-virus solution that has no known issues with the January 3, 2018 Windows update is installed on about 2,800 devices. - -![Spectre-Meltdown antivirus blade](../images/AV-status-by-computer.png) - -### Security update status blade -This blade indicates whether a Windows security update that includes Spectre- or Meltdown-related fixes (January 3, 2018 or later) has been installed, as well as whether specific fixes have been disabled. Though protections are enabled by default on devices running Windows (but not Windows Server) operating systems, some IT administrators might choose to disable specific protections. In the following example, about 4,300 devices have a Windows security update that includes Spectre or Meltdown protections installed, and those protections are enabled. - -![Spectre-Meltdown antivirus blade](../images/win-security-update-status-by-computer.png) - ->[!IMPORTANT] ->If you are seeing computers with statuses of either “Unknown – action may be required” or “Installed, but mitigation status unknown,” it is likely that you need to whitelist the **http://adl.windows.com** endpoint. - -### Firmware update status blade -This blade reports the number of devices that have installed a firmware update that includes Spectre or Meltdown protections. The blade might report a large number of blank, “unknown”, or “to be determined” statuses at first. 
As CPU information is provided by partners, the blade will automatically update with no further action required on your part. - - - - ## Site discovery The IE site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md index 671ba50c38..bb0ea00851 100644 --- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md +++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md 
@@ -1,63 +1,63 @@ ---- -title: Use Upgrade Readiness to manage Windows upgrades (Windows 10) -ms.reviewer: -manager: laurawi -description: Describes how to use Upgrade Readiness to manage Windows upgrades. -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, -ms.localizationpriority: medium -ms.prod: w10 -audience: itpro author: greg-lindsay -ms.author: greglin -ms.topic: article ---- - -# Use Upgrade Readiness to manage Windows upgrades - ->[!IMPORTANT] ->>**The OMS portal has been deprecated, so you need to switch to the [Azure portal](https://portal.azure.com) now.** The two portals offer the same experience, with some key differences. Learn how to use [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md). Find out more about the [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition), or jump right in and [Get started with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started). - -You can use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues. - -- Based on diagnostic data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness. -- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them. 
- -When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks. - -![Series of blades showing Upgrade Overview, Step 1: Identify Important Apps, Prioritize Applications, Step 2: Resolve issues, and Review applications with known issues](../images/ua-cg-15.png) - -Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step. - ->**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are running a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Current Branch for Business (CBB). - -The following information and workflow is provided: - -- [Upgrade overview](upgrade-readiness-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers. -- [Step 1: Identify important apps](upgrade-readiness-identify-apps.md): Assign importance levels to prioritize your applications. -- [Step 2: Resolve issues](upgrade-readiness-resolve-issues.md): Identify and resolve problems with applications. -- [Step 3: Deploy](upgrade-readiness-deploy-windows.md): Start the upgrade process. - -Also see the following topic for information about additional items that can be affected by the upgrade process: - -- [Additional insights](upgrade-readiness-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity. - -## Target version - -The target version setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. The target version of Windows 10 is displayed on the upgrade overview tile. 
See the following example: - -![Upgrade overview showing target version](../images/ur-target-version.png) - -The default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. - -The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version. - -You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, Windows 10 version 1703, Windows 10 version 1709 and Windows 10 version 1803. - -To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution: - -![Upgrade Readiness dialog showing gear labeled Solution Settings](../images/ua-cg-08.png) - ->You must be signed in to Upgrade Readiness as an administrator to view settings. - -On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace. 
- -![Upgrade Readiness Settings dialog showing gear labeled Save and arrow labeled Cancel](../images/ur-settings.png) +--- +title: Use Upgrade Readiness to manage Windows upgrades (Windows 10) +ms.reviewer: +manager: laurawi +description: Describes how to use Upgrade Readiness to manage Windows upgrades. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, +ms.localizationpriority: medium +ms.prod: w10 +audience: itpro +author: jaimeo +ms.author: jaimeo +ms.topic: article +--- + +# Use Upgrade Readiness to manage Windows upgrades + +>[!IMPORTANT] +>>**The OMS portal has been deprecated, so you need to switch to the [Azure portal](https://portal.azure.com) now.** The two portals offer the same experience, with some key differences. Learn how to use [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md). Find out more about the [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition), or jump right in and [Get started with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started). + +You can use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues. + +- Based on diagnostic data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness. +- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them. 
+ +When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks. + +![Series of blades showing Upgrade Overview, Step 1: Identify Important Apps, Prioritize Applications, Step 2: Resolve issues, and Review applications with known issues](../images/ua-cg-15.png) + +Blue tiles enumerate each step in the workflow. White tiles show data to help you get started, to monitor your progress, and to complete each step. +>**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are running a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Semi-Annual Channel. + +The following information and workflow is provided: + +- [Upgrade overview](upgrade-readiness-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers. +- [Step 1: Identify important apps](upgrade-readiness-identify-apps.md): Assign importance levels to prioritize your applications. +- [Step 2: Resolve issues](upgrade-readiness-resolve-issues.md): Identify and resolve problems with applications. +- [Step 3: Deploy](upgrade-readiness-deploy-windows.md): Start the upgrade process. + +Also see the following topic for information about additional items that can be affected by the upgrade process: + +- [Additional insights](upgrade-readiness-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity. + +## Target version + +The target version setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. The target version of Windows 10 is displayed on the upgrade overview tile. 
See the following example: + +![Upgrade overview showing target version](../images/ur-target-version.png) + +The default target version in Upgrade Readiness is set to the released version of the Semi-Annual Channel. Check [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx) to learn the current version in the Semi-Annual Channel. The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. + +The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version. + +You can change the Windows 10 version you want to target. All currently supported versions of Windows 10 are available options. + +To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution: + +![Upgrade Readiness dialog showing gear labeled Solution Settings](../images/ua-cg-08.png) + +>You must be signed in to Upgrade Readiness as an administrator to view settings. + +On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace. + +![Upgrade Readiness Settings dialog showing gear labeled Save and arrow labeled Cancel](../images/ur-settings.png)
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 5b29de8d83..294a31c04b 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -1,850 +1,850 @@ ---- -title: Demonstrate Autopilot deployment -ms.reviewer: -manager: laurawi -description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: autopilot ---- - - -# Demonstrate Autopilot deployment - -**Applies to** - -- Windows 10 - -To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10. - -In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune. - ->Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual. - -The following video provides an overview of the process: - -
                  - - ->For a list of terms used in this guide, see the [Glossary](#glossary) section. - -## Prerequisites - -These are the things you'll need to complete this lab: - - - -
                  Windows 10 installation mediaWindows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
                  Internet accessIf you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
                  Hyper-V or a physical device running Windows 10The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.
                  A Premium Intune accountThis guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
                  - -## Procedures - -A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix. - -[Verify support for Hyper-V](#verify-support-for-hyper-v) -
                  [Enable Hyper-V](#enable-hyper-v) -
                  [Create a demo VM](#create-a-demo-vm) -
                      [Set ISO file location](#set-iso-file-location) -
                      [Determine network adapter name](#determine-network-adapter-name) -
                      [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm) -
                      [Install Windows 10](#install-windows-10) -
                  [Capture the hardware ID](#capture-the-hardware-id) -
                  [Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe) -
                  [Verify subscription level](#verify-subscription-level) -
                  [Configure company branding](#configure-company-branding) -
                  [Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment) -
                  [Register your VM](#register-your-vm) -
                      [Autopilot registration using Intune](#autopilot-registration-using-intune) -
                      [Autopilot registration using MSfB](#autopilot-registration-using-msfb) -
                  [Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile) -
                      [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) -
                         [Assign the profile](#assign-the-profile) -
                      [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) -
                  [See Windows Autopilot in action](#see-windows-autopilot-in-action) -
                  [Remove devices from Autopilot](#remove-devices-from-autopilot) -
                      [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device) -
                  [Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v) -
                  [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile) -
                      [Add a Win32 app](#add-a-win32-app) -
                         [Prepare the app for Intune](#prepare-the-app-for-intune) -
                         [Create app in Intune](#create-app-in-intune) -
                         [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) -
                      [Add Office 365](#add-office-365) -
                         [Create app in Intune](#create-app-in-intune) -
                         [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) -
                  [Glossary](#glossary) - -## Verify support for Hyper-V - -If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later). - ->If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10). - -If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed. - -## Enable Hyper-V - -To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command: - -```powershell -Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -``` - -This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command: - -```powershell -Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -``` - -When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. - ->Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - - ![hyper-v feature](../images/hyper-v-feature.png) - - ![hyper-v](../images/svr_mgr2.png) - -

                  If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. - -After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box. - -To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server). - -## Create a demo VM - -Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell. - -To use Windows Powershell we just need to know two things: - -1. The location of the Windows 10 ISO file. - - In the example, we assume the location is **c:\iso\win10-eval.iso**. -2. The name of the network interface that connects to the Internet. - - In the example, we use a Windows PowerShell command to determine this automatically. - -After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10. - -### Set ISO file location - -You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). -- When asked to select a platform, choose **64 bit**. - -After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso). - -1. 
So that it is easier to type and remember, rename the file to **win10-eval.iso**. -2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**. -3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory. - -### Determine network adapter name - -The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt: - -```powershell -(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -``` - -The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name. - -For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**. - -### Use Windows PowerShell to create the demo VM - -All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands. - ->[!IMPORTANT] ->**VM switch**: a VM switch is how Hyper-V connects VMs to a network.

                  If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."

                  If you have never created an external VM switch before, then just run the commands below. - -```powershell -New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal -Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot -Start-VM -VMName WindowsAutopilot -``` - -After entering these commands, connect to the VM that you just created and wait for a prompt to press a key and boot from the DVD. You can connect to the VM by double-clicking it in Hyper-V Manager. - -See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM. - -

                  -PS C:\autopilot> dir c:\iso
                  -
                  -
                  -    Directory: C:\iso
                  -
                  -
                  -Mode                LastWriteTime         Length Name
                  -----                -------------         ------ ----
                  --a----        3/12/2019   2:46 PM     4627343360 win10-eval.iso
                  -
                  -PS C:\autopilot> (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
                  -Ethernet
                  -PS C:\autopilot> New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
                  -
                  -Name              SwitchType NetAdapterInterfaceDescription
                  -----              ---------- ------------------------------
                  -AutopilotExternal External   Intel(R) Ethernet Connection (2) I218-LM
                  -
                  -PS C:\autopilot> New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
                  -
                  -Name             State CPUUsage(%) MemoryAssigned(M) Uptime   Status             Version
                  -----             ----- ----------- ----------------- ------   ------             -------
                  -WindowsAutopilot Off   0           0                 00:00:00 Operating normally 8.0
                  -
                  -PS C:\autopilot> Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
                  -PS C:\autopilot> Start-VM -VMName WindowsAutopilot
                  -PS C:\autopilot> vmconnect.exe localhost WindowsAutopilot
                  -PS C:\autopilot> dir
                  -
                  -    Directory: C:\autopilot
                  -
                  -Mode                LastWriteTime         Length Name
                  -----                -------------         ------ ----
                  -d-----        3/12/2019   3:15 PM                VMData
                  -d-----        3/12/2019   3:42 PM                VMs
                  -
                  -PS C:\autopilot>
                  -
                  - -### Install Windows 10 - -Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples: - - ![Windows setup](images/winsetup1.png) - ![Windows setup](images/winsetup2.png) - ![Windows setup](images/winsetup3.png) - ![Windows setup](images/winsetup4.png) - ![Windows setup](images/winsetup5.png) - ![Windows setup](images/winsetup6.png) - ->After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example: - - ![Windows setup](images/winsetup7.png) - -Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again. - - ![Windows setup](images/winsetup8.png) - -To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following: - -```powershell -Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install" -``` - -Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane. - -## Capture the hardware ID - ->NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). 
For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool. - -Follow these steps to run the PS script: - -1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device: - - ```powershell - md c:\HWID - Set-Location c:\HWID - Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force - Install-Script -Name Get-WindowsAutopilotInfo -Force - $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts" - Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv - ``` - -When you are prompted to install the NuGet package, choose **Yes**. - -See the sample output below. - -
                  -PS C:\> md c:\HWID
                  -
                  -    Directory: C:\
                  -
                  -Mode                LastWriteTime         Length Name
                  -----                -------------         ------ ----
                  -d-----        3/14/2019  11:33 AM                HWID
                  -
                  -PS C:\> Set-Location c:\HWID
                  -PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
                  -PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
                  -
                  -NuGet provider is required to continue
                  -PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
                  - provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
                  -'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
                  - 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
                  -import the NuGet provider now?
                  -[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
                  -PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
                  -PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
                  -PS C:\HWID> dir
                  -
                  -    Directory: C:\HWID
                  -
                  -Mode                LastWriteTime         Length Name
                  -----                -------------         ------ ----
                  --a----        3/14/2019  11:33 AM           8184 AutopilotHWID.csv
                  -
                  -PS C:\HWID>
                  -
                  - -Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH. - -**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below. - -![Serial number and hardware hash](images/hwid.png) - -You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). - -If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this. - ->[!NOTE] ->When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste. - -## Reset the VM back to Out-Of-Box-Experience (OOBE) - -With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE. - -On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**. -Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**. 
- -![Reset this PC final prompt](images/autopilot-reset-prompt.jpg) - -Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process. - -![Reset this PC screen capture](images/autopilot-reset-progress.jpg) - -## Verify subscription level - -For this lab, you need an AAD Premium subscription. You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example: - -**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune** - -![MDM and Intune](images/mdm-intune2.png) - -If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium. - -To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5. - -![Reset this PC final prompt](images/aad-lic1.png) - -## Configure company branding - -If you already have company branding configured in Azure Active Directory, you can skip this step. - ->[!IMPORTANT] ->Make sure to sign-in with a Global Administrator account. - -Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE. - -![Configure company branding](images/branding.png) - -When you are finished, click **Save**. - ->[!NOTE] ->Changes to company branding can take up to 30 minutes to apply. - -## Configure Microsoft Intune auto-enrollment - -If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step. 
- -Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**. - -For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**. - -![MDM user scope in the Mobility blade](images/autopilot-aad-mdm.png) - -## Register your VM - -Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but only pick one for purposes of this lab. We highly recommend using Intune rather than MSfB. - -### Autopilot registration using Intune - -1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**. - - ![Intune device import](images/device-import.png) - - >[!NOTE] - >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared. - -2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank. - - ![HWID CSV](images/hwid-csv.png) - - You should receive confirmation that the file is formatted correctly before uploading it, as shown above. - -3. Click **Import** and wait until the import process completes. This can take up to 15 minutes. - -4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example. 
- - ![Import HWID](images/import-vm.png) - -### Autopilot registration using MSfB - ->[!IMPORTANT] ->If you've already registered your VM (or device) using Intune, then skip this step. - -Optional: see the following video for an overview of the process. - -  - -> [!video https://www.youtube.com/embed/IpLIZU_j7Z0] - -First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one. - -Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page. - -Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: - -![Microsoft Store for Business](images/msfb.png) - -Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added. - -![Devices](images/msfb-device.png) - -## Create and assign a Windows Autopilot deployment profile - ->[!IMPORTANT] ->Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab: - -Pick one: -- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) -- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) - -### Create a Windows Autopilot deployment profile using Intune - ->[!NOTE] ->Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first: - -![Devices](images/intune-devices.png) - ->The example above lists both a physical device and a VM. 
Your list should only include only one of these. - -To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles** - -![Deployment profiles](images/deployment-profiles.png) - -Click on **Create profile**. - -![Create deployment profile](images/create-profile.png) - -On the **Create profile** blade, use the following values: - -| Setting | Value | -|---|---| -| Name | Autopilot Lab profile | -| Description | blank | -| Convert all targeted devices to Autopilot | No | -| Deployment mode | User-driven | -| Join to Azure AD as | Azure AD joined | - -Click on **Out-of-box experience (OOBE)** and configure the following settings: - -| Setting | Value | -|---|---| -| EULA | Hide | -| Privacy Settings | Hide | -| Hide change account options | Hide | -| User account type | Standard | -| Apply device name template | No | - -See the following example: - -![Deployment profile](images/profile.png) - -Click on **OK** and then click on **Create**. - ->If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile). - -#### Assign the profile - -Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading. 
- -To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**: - -![All groups](images/all-groups.png) - -Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type: - -Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group. - -![New group](images/new-group.png) - -Now click **Create** to finish creating the new group. - -Click on **All groups** and click **Refresh** to verify that your new group has been successfully created. - -With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results). - -From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile: - -![Lab profile](images/deployment-profiles2.png) - -Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**). - -![Include group](images/include-group.png) - -Click **Select** and then click **Save**. - -![Include group](images/include-group2.png) - -It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot). 
- -### Create a Windows Autopilot deployment profile using MSfB - -If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section. - -A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below. - -First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab. - -Click **Manage** from the top menu, then click **Devices** from the left navigation tree. - -![MSfB manage](images/msfb-manage.png) - -Click the **Windows Autopilot Deployment Program** link in the **Devices** tile. - -To CREATE the profile: - -Select your device from the **Devices** list: - -![MSfB create](images/msfb-create1.png) - -On the Autopilot deployment dropdown menu, select **Create new profile**: - -![MSfB create](images/msfb-create2.png) - -Name the profile, choose your desired settings, and then click **Create**: - -![MSfB create](images/msfb-create3.png) - -The new profile is added to the Autopilot deployment list. - -To ASSIGN the profile: - -To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown: - -![MSfB assign](images/msfb-assign1.png) - -Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column: - -![MSfB assign](images/msfb-assign2.png) - ->[!IMPORTANT] ->The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. 
- -## See Windows Autopilot in action - -If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**: - -![Device status](images/device-status.png) - -Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up. - ->[!TIP] ->If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset). - -- Ensure your device has an internet connection. -- Turn on the device -- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip). - -![OOBE sign-in page](images/autopilot-oobe.jpg) - -Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated. - -![Device enabled](images/enabled-device.png) - -Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done. 
- -Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings. - -## Remove devices from Autopilot - -To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below. - -### Delete (deregister) Autopilot device - -You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu. - -![Delete device](images/delete-device1.png) - -Click **X** when challenged to complete the operation: - -![Delete device](images/delete-device2.png) - -This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**. - -![Delete device](images/delete-device3.png) - -The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. 
Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune. - -To remove the device from the Autopilot program, select the device and click Delete. - -![Delete device](images/delete-device4.png) - -A warning message appears reminding you to first remove the device from Intune, which we previously did. - -![Delete device](images/delete-device5.png) - -At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program: - -![Delete device](images/delete-device6.png) - -Once the device no longer appears, you are free to reuse it for other purposes. - -If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button: - -![Delete device](images/delete-device7.png) - -## Appendix A: Verify support for Hyper-V - -Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. - -To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: - -
                  -C:>systeminfo
                  -
                  -...
                  -Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
                  -                           Virtualization Enabled In Firmware: Yes
                  -                           Second Level Address Translation: Yes
                  -                           Data Execution Prevention Available: Yes
                  -
-
-In this example, the computer supports SLAT and Hyper-V.
-
->If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
-
-You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
-
-
                  -C:>coreinfo -v
                  -
                  -Coreinfo v3.31 - Dump information on system CPU and memory topology
                  -Copyright (C) 2008-2014 Mark Russinovich
                  -Sysinternals - www.sysinternals.com
                  -
                  -Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
                  -Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
                  -Microcode signature: 0000001B
                  -HYPERVISOR      -       Hypervisor is present
                  -VMX             *       Supports Intel hardware-assisted virtualization
                  -EPT             *       Supports Intel extended page tables (SLAT)
                  -
-
-Note: A 64-bit operating system is required to run Hyper-V.
-
-## Appendix B: Adding apps to your profile
-
-### Add a Win32 app
-
-#### Prepare the app for Intune
-
-Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool:
-
-1. The source folder for your application
-2. The name of the setup executable file
-3. The output folder for the new file
-
-For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app.
-
-Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi.
-
-Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
-
-![Add app](images/app01.png)
-
-After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
-
-#### Create app in Intune
-
-Log into the Azure portal and select **Intune**.
-
-Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
-![Add app](images/app02.png)
-
-Under **App Type**, select **Windows app (Win32)**:
-
-![Add app](images/app03.png)
-
-On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
-
-![Add app](images/app04.png)
-
-On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
-
-![Add app](images/app05.png)
-
-On the **Program Configuration** blade, supply the install and uninstall commands:
-
-Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q
-Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
-
-NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
-
-![Add app](images/app06.png)
-
-Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
-
-Click **OK** to save your input and activate the **Requirements** blade.
-
-On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
-
-![Add app](images/app07.png)
-
-Next, configure the **Detection rules**. For our purposes, we will select manual format:
-
-![Add app](images/app08.png)
-
-Click **Add** to define the rule properties.
For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule: - -![Add app](images/app09.png) - -Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration. - -**Return codes**: For our purposes, leave the return codes at their default values: - -![Add app](images/app10.png) - -Click **OK** to exit. - -You may skip configuring the final **Scope (Tags)** blade. - -Click the **Add** button to finalize and save your app package. - -Once the indicator message says the addition has completed. - -![Add app](images/app11.png) - -You will be able to find your app in your app list: - -![Add app](images/app12.png) - -#### Assign the app to your Intune profile - -**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. - -In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu: - -![Add app](images/app13.png) - -Select **Add Group** to open the **Add group** pane that is related to the app. - -For our purposes, select *8Required** from the **Assignment type** dropdown menu: - ->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. - -Select **Included Groups** and assign the groups you previously created that will use this app: - -![Add app](images/app14.png) - -![Add app](images/app15.png) - -In the **Select groups** pane, click the **Select** button. - -In the **Assign group** pane, select **OK**. - -In the **Add group** pane, select **OK**. - -In the app **Assignments** pane, select **Save**. - -![Add app](images/app16.png) - -At this point, you have completed steps to add a Win32 app to Intune. 
- -For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management). - -### Add Office 365 - -#### Create app in Intune - -Log into the Azure portal and select **Intune**. - -Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. - -![Add app](images/app17.png) - -Under **App Type**, select **Office 365 Suite > Windows 10**: - -![Add app](images/app18.png) - -Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel: - -![Add app](images/app19.png) - -Click **OK**. - -In the **App Suite Information** pane, enter a unique suite name, and a suitable description. - ->Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal. - -![Add app](images/app20.png) - -Click **OK**. - -In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**: - -![Add app](images/app21.png) - -Click **OK** and then click **Add**. - -#### Assign the app to your Intune profile - -**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. - -In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu: - -![Add app](images/app22.png) - -Select **Add Group** to open the **Add group** pane that is related to the app. 
- -For our purposes, select **Required** from the **Assignment type** dropdown menu: - ->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. - -Select **Included Groups** and assign the groups you previously created that will use this app: - -![Add app](images/app23.png) - -![Add app](images/app24.png) - -In the **Select groups** pane, click the **Select** button. - -In the **Assign group** pane, select **OK**. - -In the **Add group** pane, select **OK**. - -In the app **Assignments** pane, select **Save**. - -![Add app](images/app25.png) - -At this point, you have completed steps to add Office to Intune. - -For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365). - -If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate: - -![Add app](images/app26.png) - -## Glossary - - - - - - - - - - - - - - -
                  OEMOriginal Equipment Manufacturer
                  CSVComma Separated Values
                  MPCMicrosoft Partner Center
                  CSPCloud Solution Provider
                  MSfBMicrosoft Store for Business
                  AADAzure Active Directory
                  4K HH4K Hardware Hash
                  CBRComputer Build Report
                  ECEnterprise Commerce (server)
                  DDSDevice Directory Service
                  OOBEOut of the Box Experience
                  VMVirtual Machine
+---
+title: Demonstrate Autopilot deployment
+ms.reviewer:
+manager: laurawi
+description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+ms.custom: autopilot
+---
+
+
+# Demonstrate Autopilot deployment
+
+**Applies to**
+
+- Windows 10
+
+To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10.
+
+In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune.
+
+>Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
+
+The following video provides an overview of the process:
+
+
+
+
+>For a list of terms used in this guide, see the [Glossary](#glossary) section.
+
+## Prerequisites
+
+These are the things you'll need to complete this lab:
+
+
+
                  Windows 10 installation mediaWindows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
                  Internet accessIf you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
                  Hyper-V or a physical device running Windows 10The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.
                  A Premium Intune accountThis guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
                  + +## Procedures + +A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix. + +[Verify support for Hyper-V](#verify-support-for-hyper-v) +
                  [Enable Hyper-V](#enable-hyper-v) +
                  [Create a demo VM](#create-a-demo-vm) +
                      [Set ISO file location](#set-iso-file-location) +
                      [Determine network adapter name](#determine-network-adapter-name) +
                      [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm) +
                      [Install Windows 10](#install-windows-10) +
                  [Capture the hardware ID](#capture-the-hardware-id) +
                  [Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe) +
                  [Verify subscription level](#verify-subscription-level) +
                  [Configure company branding](#configure-company-branding) +
                  [Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment) +
                  [Register your VM](#register-your-vm) +
                      [Autopilot registration using Intune](#autopilot-registration-using-intune) +
                      [Autopilot registration using MSfB](#autopilot-registration-using-msfb) +
                  [Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile) +
                      [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) +
                         [Assign the profile](#assign-the-profile) +
                      [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) +
                  [See Windows Autopilot in action](#see-windows-autopilot-in-action) +
                  [Remove devices from Autopilot](#remove-devices-from-autopilot) +
                      [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device) +
                  [Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v) +
                  [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile) +
                      [Add a Win32 app](#add-a-win32-app) +
                         [Prepare the app for Intune](#prepare-the-app-for-intune) +
                         [Create app in Intune](#create-app-in-intune) +
                         [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) +
                      [Add Office 365](#add-office-365) +
                         [Create app in Intune](#create-app-in-intune) +
                         [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) +
                  [Glossary](#glossary) + +## Verify support for Hyper-V + +If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later). + +>If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10). + +If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed. + +## Enable Hyper-V + +To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command: + +```powershell +Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All +``` + +This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command: + +```powershell +Install-WindowsFeature -Name Hyper-V -IncludeManagementTools +``` + +When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. + +>Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: + + ![hyper-v feature](../images/hyper-v-feature.png) + + ![hyper-v](../images/svr_mgr2.png) + +

                  If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. + +After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box. + +To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server). + +## Create a demo VM + +Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell. + +To use Windows Powershell we just need to know two things: + +1. The location of the Windows 10 ISO file. + - In the example, we assume the location is **c:\iso\win10-eval.iso**. +2. The name of the network interface that connects to the Internet. + - In the example, we use a Windows PowerShell command to determine this automatically. + +After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10. + +### Set ISO file location + +You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). +- When asked to select a platform, choose **64 bit**. + +After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso). + +1. 
So that it is easier to type and remember, rename the file to **win10-eval.iso**. +2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**. +3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory. + +### Determine network adapter name + +The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt: + +```powershell +(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name +``` + +The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name. + +For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**. + +### Use Windows PowerShell to create the demo VM + +All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands. + +>[!IMPORTANT] +>**VM switch**: a VM switch is how Hyper-V connects VMs to a network.

                  If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."

                  If you have never created an external VM switch before, then just run the commands below. + +```powershell +New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name +New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal +Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot +Start-VM -VMName WindowsAutopilot +``` + +After entering these commands, connect to the VM that you just created and wait for a prompt to press a key and boot from the DVD. You can connect to the VM by double-clicking it in Hyper-V Manager. + +See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM. + +

                  +PS C:\autopilot> dir c:\iso
                  +
                  +
                  +    Directory: C:\iso
                  +
                  +
                  +Mode                LastWriteTime         Length Name
                  +----                -------------         ------ ----
                  +-a----        3/12/2019   2:46 PM     4627343360 win10-eval.iso
                  +
                  +PS C:\autopilot> (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
                  +Ethernet
                  +PS C:\autopilot> New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
                  +
                  +Name              SwitchType NetAdapterInterfaceDescription
                  +----              ---------- ------------------------------
                  +AutopilotExternal External   Intel(R) Ethernet Connection (2) I218-LM
                  +
                  +PS C:\autopilot> New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
                  +
                  +Name             State CPUUsage(%) MemoryAssigned(M) Uptime   Status             Version
                  +----             ----- ----------- ----------------- ------   ------             -------
                  +WindowsAutopilot Off   0           0                 00:00:00 Operating normally 8.0
                  +
                  +PS C:\autopilot> Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
                  +PS C:\autopilot> Start-VM -VMName WindowsAutopilot
                  +PS C:\autopilot> vmconnect.exe localhost WindowsAutopilot
                  +PS C:\autopilot> dir
                  +
                  +    Directory: C:\autopilot
                  +
                  +Mode                LastWriteTime         Length Name
                  +----                -------------         ------ ----
                  +d-----        3/12/2019   3:15 PM                VMData
                  +d-----        3/12/2019   3:42 PM                VMs
                  +
                  +PS C:\autopilot>
                  +
                  + +### Install Windows 10 + +Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples: + + ![Windows setup](images/winsetup1.png) + ![Windows setup](images/winsetup2.png) + ![Windows setup](images/winsetup3.png) + ![Windows setup](images/winsetup4.png) + ![Windows setup](images/winsetup5.png) + ![Windows setup](images/winsetup6.png) + +>After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example: + + ![Windows setup](images/winsetup7.png) + +Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again. + + ![Windows setup](images/winsetup8.png) + +To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following: + +```powershell +Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install" +``` + +Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane. + +## Capture the hardware ID + +>NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). 
For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool. + +Follow these steps to run the PS script: + +1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device: + + ```powershell + md c:\HWID + Set-Location c:\HWID + Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force + Install-Script -Name Get-WindowsAutopilotInfo -Force + $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts" + Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv + ``` + +When you are prompted to install the NuGet package, choose **Yes**. + +See the sample output below. + +
                  +PS C:\> md c:\HWID
                  +
                  +    Directory: C:\
                  +
                  +Mode                LastWriteTime         Length Name
                  +----                -------------         ------ ----
                  +d-----        3/14/2019  11:33 AM                HWID
                  +
                  +PS C:\> Set-Location c:\HWID
                  +PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
                  +PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
                  +
                  +NuGet provider is required to continue
                  +PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
                  + provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
                  +'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
                  + 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
                  +import the NuGet provider now?
                  +[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
                  +PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
                  +PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
                  +PS C:\HWID> dir
                  +
                  +    Directory: C:\HWID
                  +
                  +Mode                LastWriteTime         Length Name
                  +----                -------------         ------ ----
                  +-a----        3/14/2019  11:33 AM           8184 AutopilotHWID.csv
                  +
                  +PS C:\HWID>
                  +
                  + +Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH. + +**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below. + +![Serial number and hardware hash](images/hwid.png) + +You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). + +If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this. + +>[!NOTE] +>When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste. + +## Reset the VM back to Out-Of-Box-Experience (OOBE) + +With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE. + +On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**. +Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**. 
+ +![Reset this PC final prompt](images/autopilot-reset-prompt.jpg) + +Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process. + +![Reset this PC screen capture](images/autopilot-reset-progress.jpg) + +## Verify subscription level + +For this lab, you need an AAD Premium subscription. You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example: + +**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune** + +![MDM and Intune](images/mdm-intune2.png) + +If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium. + +To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5. + +![Reset this PC final prompt](images/aad-lic1.png) + +## Configure company branding + +If you already have company branding configured in Azure Active Directory, you can skip this step. + +>[!IMPORTANT] +>Make sure to sign-in with a Global Administrator account. + +Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE. + +![Configure company branding](images/branding.png) + +When you are finished, click **Save**. + +>[!NOTE] +>Changes to company branding can take up to 30 minutes to apply. + +## Configure Microsoft Intune auto-enrollment + +If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step. 
+ +Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**. + +For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**. + +![MDM user scope in the Mobility blade](images/autopilot-aad-mdm.png) + +## Register your VM + +Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but only pick one for purposes of this lab. We highly recommend using Intune rather than MSfB. + +### Autopilot registration using Intune + +1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**. + + ![Intune device import](images/device-import.png) + + >[!NOTE] + >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared. + +2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank. + + ![HWID CSV](images/hwid-csv.png) + + You should receive confirmation that the file is formatted correctly before uploading it, as shown above. + +3. Click **Import** and wait until the import process completes. This can take up to 15 minutes. + +4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example. 
+ + ![Import HWID](images/import-vm.png) + +### Autopilot registration using MSfB + +>[!IMPORTANT] +>If you've already registered your VM (or device) using Intune, then skip this step. + +Optional: see the following video for an overview of the process. + +  + +> [!video https://www.youtube.com/embed/IpLIZU_j7Z0] + +First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one. + +Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page. + +Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: + +![Microsoft Store for Business](images/msfb.png) + +Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added. + +![Devices](images/msfb-device.png) + +## Create and assign a Windows Autopilot deployment profile + +>[!IMPORTANT] +>Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab: + +Pick one: +- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) +- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) + +### Create a Windows Autopilot deployment profile using Intune + +>[!NOTE] +>Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first: + +![Devices](images/intune-devices.png) + +>The example above lists both a physical device and a VM. 
Your list should only include only one of these. + +To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles** + +![Deployment profiles](images/deployment-profiles.png) + +Click on **Create profile**. + +![Create deployment profile](images/create-profile.png) + +On the **Create profile** blade, use the following values: + +| Setting | Value | +|---|---| +| Name | Autopilot Lab profile | +| Description | blank | +| Convert all targeted devices to Autopilot | No | +| Deployment mode | User-driven | +| Join to Azure AD as | Azure AD joined | + +Click on **Out-of-box experience (OOBE)** and configure the following settings: + +| Setting | Value | +|---|---| +| EULA | Hide | +| Privacy Settings | Hide | +| Hide change account options | Hide | +| User account type | Standard | +| Apply device name template | No | + +See the following example: + +![Deployment profile](images/profile.png) + +Click on **OK** and then click on **Create**. + +>If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile). + +#### Assign the profile + +Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading. 
+ +To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**: + +![All groups](images/all-groups.png) + +Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type: + +Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group. + +![New group](images/new-group.png) + +Now click **Create** to finish creating the new group. + +Click on **All groups** and click **Refresh** to verify that your new group has been successfully created. + +With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results). + +From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile: + +![Lab profile](images/deployment-profiles2.png) + +Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**). + +![Include group](images/include-group.png) + +Click **Select** and then click **Save**. + +![Include group](images/include-group2.png) + +It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot). 
+ +### Create a Windows Autopilot deployment profile using MSfB + +If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section. + +A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below. + +First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab. + +Click **Manage** from the top menu, then click **Devices** from the left navigation tree. + +![MSfB manage](images/msfb-manage.png) + +Click the **Windows Autopilot Deployment Program** link in the **Devices** tile. + +To CREATE the profile: + +Select your device from the **Devices** list: + +![MSfB create](images/msfb-create1.png) + +On the Autopilot deployment dropdown menu, select **Create new profile**: + +![MSfB create](images/msfb-create2.png) + +Name the profile, choose your desired settings, and then click **Create**: + +![MSfB create](images/msfb-create3.png) + +The new profile is added to the Autopilot deployment list. + +To ASSIGN the profile: + +To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown: + +![MSfB assign](images/msfb-assign1.png) + +Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column: + +![MSfB assign](images/msfb-assign2.png) + +>[!IMPORTANT] +>The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. 
+ +## See Windows Autopilot in action + +If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**: + +![Device status](images/device-status.png) + +Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up. + +>[!TIP] +>If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset). + +- Ensure your device has an internet connection. +- Turn on the device +- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip). + +![OOBE sign-in page](images/autopilot-oobe.jpg) + +Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated. + +![Device enabled](images/enabled-device.png) + +Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done. 
+ +Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings. + +## Remove devices from Autopilot + +To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below. + +### Delete (deregister) Autopilot device + +You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu. + +![Delete device](images/delete-device1.png) + +Click **X** when challenged to complete the operation: + +![Delete device](images/delete-device2.png) + +This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**. + +![Delete device](images/delete-device3.png) + +The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. 
Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
+
+To remove the device from the Autopilot program, select the device and click Delete.
+
+![Delete device](images/delete-device4.png)
+
+A warning message appears reminding you to first remove the device from Intune, which we previously did.
+
+![Delete device](images/delete-device5.png)
+
+At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
+
+![Delete device](images/delete-device6.png)
+
+Once the device no longer appears, you are free to reuse it for other purposes.
+
+If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
+
+![Delete device](images/delete-device7.png)
+
+## Appendix A: Verify support for Hyper-V
+
+Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
+
+To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
+
                  +C:>systeminfo
                  +
                  +...
                  +Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
                  +                           Virtualization Enabled In Firmware: Yes
                  +                           Second Level Address Translation: Yes
                  +                           Data Execution Prevention Available: Yes
                  +
+
+In this example, the computer supports SLAT and Hyper-V.
+
+>If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
+
+You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
+
                  +C:>coreinfo -v
                  +
                  +Coreinfo v3.31 - Dump information on system CPU and memory topology
                  +Copyright (C) 2008-2014 Mark Russinovich
                  +Sysinternals - www.sysinternals.com
                  +
                  +Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
                  +Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
                  +Microcode signature: 0000001B
                  +HYPERVISOR      -       Hypervisor is present
                  +VMX             *       Supports Intel hardware-assisted virtualization
                  +EPT             *       Supports Intel extended page tables (SLAT)
                  +
+
+Note: A 64-bit operating system is required to run Hyper-V.
+
+## Appendix B: Adding apps to your profile
+
+### Add a Win32 app
+
+#### Prepare the app for Intune
+
+Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool:
+
+1. The source folder for your application
+2. The name of the setup executable file
+3. The output folder for the new file
+
+For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app.
+
+Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi.
+
+Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
+
+![Add app](images/app01.png)
+
+After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
+
+#### Create app in Intune
+
+Log into the Azure portal and select **Intune**.
+
+Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
+
+![Add app](images/app02.png)
+
+Under **App Type**, select **Windows app (Win32)**:
+
+![Add app](images/app03.png)
+
+On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
+
+![Add app](images/app04.png)
+
+On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
+
+![Add app](images/app05.png)
+
+On the **Program Configuration** blade, supply the install and uninstall commands:
+
+Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q
+Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
+
+NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
+
+![Add app](images/app06.png)
+
+Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
+
+Click **OK** to save your input and activate the **Requirements** blade.
+
+On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
+
+![Add app](images/app07.png)
+
+Next, configure the **Detection rules**. For our purposes, we will select manual format:
+
+![Add app](images/app08.png)
+
+Click **Add** to define the rule properties.
For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
+
+![Add app](images/app09.png)
+
+Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
+
+**Return codes**: For our purposes, leave the return codes at their default values:
+
+![Add app](images/app10.png)
+
+Click **OK** to exit.
+
+You may skip configuring the final **Scope (Tags)** blade.
+
+Click the **Add** button to finalize and save your app package.
+
+Once the indicator message says the addition has completed.
+
+![Add app](images/app11.png)
+
+You will be able to find your app in your app list:
+
+![Add app](images/app12.png)
+
+#### Assign the app to your Intune profile
+
+**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+
+In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
+
+![Add app](images/app13.png)
+
+Select **Add Group** to open the **Add group** pane that is related to the app.
+
+For our purposes, select *8Required** from the **Assignment type** dropdown menu:
+
+>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
+
+Select **Included Groups** and assign the groups you previously created that will use this app:
+
+![Add app](images/app14.png)
+
+![Add app](images/app15.png)
+
+In the **Select groups** pane, click the **Select** button.
+
+In the **Assign group** pane, select **OK**.
+
+In the **Add group** pane, select **OK**.
+
+In the app **Assignments** pane, select **Save**.
+
+![Add app](images/app16.png)
+
+At this point, you have completed steps to add a Win32 app to Intune.
+
+For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management).
+
+### Add Office 365
+
+#### Create app in Intune
+
+Log into the Azure portal and select **Intune**.
+
+Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
+
+![Add app](images/app17.png)
+
+Under **App Type**, select **Office 365 Suite > Windows 10**:
+
+![Add app](images/app18.png)
+
+Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
+
+![Add app](images/app19.png)
+
+Click **OK**.
+
+In the **App Suite Information** pane, enter a unique suite name, and a suitable description.
+
+>Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
+
+![Add app](images/app20.png)
+
+Click **OK**.
+
+In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
+
+![Add app](images/app21.png)
+
+Click **OK** and then click **Add**.
+
+#### Assign the app to your Intune profile
+
+**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+
+In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
+
+![Add app](images/app22.png)
+
+Select **Add Group** to open the **Add group** pane that is related to the app.
+ +For our purposes, select **Required** from the **Assignment type** dropdown menu: + +>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. + +Select **Included Groups** and assign the groups you previously created that will use this app: + +![Add app](images/app23.png) + +![Add app](images/app24.png) + +In the **Select groups** pane, click the **Select** button. + +In the **Assign group** pane, select **OK**. + +In the **Add group** pane, select **OK**. + +In the app **Assignments** pane, select **Save**. + +![Add app](images/app25.png) + +At this point, you have completed steps to add Office to Intune. + +For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365). + +If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate: + +![Add app](images/app26.png) + +## Glossary + + + + + + + + + + + + + + +
                  OEMOriginal Equipment Manufacturer
                  CSVComma Separated Values
                  MPCMicrosoft Partner Center
                  CSPCloud Solution Provider
                  MSfBMicrosoft Store for Business
                  AADAzure Active Directory
                  4K HH4K Hardware Hash
                  CBRComputer Build Report
                  ECEnterprise Commerce (server)
                  DDSDevice Directory Service
                  OOBEOut of the Box Experience
                  VMVirtual Machine
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
index a9317ae207..4fcd4811c2 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -84,13 +84,13 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti
 Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
 To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required:
- - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business)
- - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline)
- - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx)
- - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
- - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features.
- - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
- - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service).
+- [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business)
+- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline)
+- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx)
+- [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
+- [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features.
+- [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
+- [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service).
 Additionally, the following are also recommended (but not required):
 - [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services).
diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md
index 088f0adccd..524f34b78a 100644
--- a/windows/privacy/gdpr-it-guidance.md
+++ b/windows/privacy/gdpr-it-guidance.md
@@ -159,7 +159,7 @@ The following table lists in what GDPR mode – controller or processor – Wind
 */*Depending on which application/feature this is referring to.*
-## Windows diagnostic data and Windows 10
+## Windows diagnostic data and Windows 10
 ### Recommended Windows 10 settings
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index e2fa73f5c7..d507296ac2 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -9,32 +9,34 @@ ms.sitesec: library
 ms.localizationpriority: medium
 author: medgarmedgar
 ms.author: v-medgar
-ms.date: 7/9/2019
+ms.date: 8/23/2019
 ---
-# Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server
+# Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server
 **Applies to**
 - Windows 10 Enterprise 1903 version and newer
-You can use Microsoft InTune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
-To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
+This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article.
While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
-You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
+>[!IMPORTANT]
+>- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
+> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+> - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices.
+>- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device.
Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
+>- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
+>- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings.
-Note, there is some traffic which is required (i.e. "whitelisted") for the operation of Windows and the Microsoft InTune based management. This traffic includes CRL and OCSP network traffic which will show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Additional whitelisted traffic specifically for MDM managed devices includes Windows Notification Service related traffic as well as some specific Microsoft InTune and Windows Update related traffic.
+For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
-For more information on Microsoft InTune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
+For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
-For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**.
-The endpoints for the MDM “whitelisted” traffic are in the [Whitelisted Traffic](#bkmk-mdm-whitelist).
-
-
-### Settings for Windows 10 Enterprise edition 1903 and newer
+## Settings for Windows 10 Enterprise edition 1903 and newer
 The following table lists management options for each setting.
@@ -150,7 +152,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
 1. Windows Update Service URL - [Update/UpdateServiceUrl](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value:
 1. **\\$CmdID$\\\chr\text/plain\\ \./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl\\http://abcd-srv:8530\\**
-### Allowed traffic ("Whitelisted traffic") for Microsoft InTune / MDM configurations
+### Allowed traffic for Microsoft Intune / MDM configurations
 |**Allowed traffic endpoints** |
 | --- |
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index a7aec9de77..33f7ec2b4b 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1,5 +1,5 @@
 ---
-title: Manage connections from Windows operating system components to Microsoft services (Windows 10)
+title: Manage connections from Windows 10 operating system components to Microsoft services
 description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.
 ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
 ms.reviewer:
@@ -14,10 +14,10 @@ ms.author: dansimp
 manager: dansimp
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 05/16/2019
+ms.date: 8/23/2019
 ---
-# Manage connections from Windows operating system components to Microsoft services
+# Manage connections from Windows 10 operating system components to Microsoft services
 **Applies to**
@@ -25,29 +25,24 @@ ms.date: 05/16/2019
 - Windows Server 2016
 - Windows Server 2019
-If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
+This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
-Learn about the network connections that Windows components make to Microsoft in addition to the privacy settings that affect the data which is shared with either Microsoft or apps and how they can be managed by an IT Pro.
+Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft.
The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
-If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
+>[!IMPORTANT]
+> - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic)
+> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender.
Accordingly, we do not recommend disabling any of these features.
+> - It is recommended that you restart a device after making configuration changes to it.
+> - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
-You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
+To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
-To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887), but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state.
-Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document.
However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure you've chosen the right settings configuration for your environment before applying.
-You should not extract this package to the windows\\system32 folder because it will not apply correctly.
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**.
-Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article.
-It is recommended that you restart a device after making configuration changes to it.
-Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
+## Management options for each setting
-To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm).
-
-We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-
-## Management options for each setting
-
-The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
+The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft.
To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections
 ### Settings for Windows 10 Enterprise edition
@@ -230,7 +225,7 @@ For more information, see [Automatic Root Certificates Update Configuration](htt
 Although not recommended, you can turn off Automatic Root Certificates Update, which also prevents updates to the disallowed certificate list and the pin rules list.
 > [!CAUTION]
-> By not automatically downloading the root certificates, the device might have not been able to connect to some websites.
+> By not automatically downloading the root certificates the device may not be able to connect to some websites.
 For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core:
@@ -260,7 +255,7 @@ On Windows Server 2016 Nano Server:
 - Create the registry path **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot** and then add a REG_DWORD registry setting, named **DisableRootAutoUpdate**, with a value of 1.
 >[!NOTE]
->CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+>CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
 ### 2. Cortana and Search
@@ -390,7 +385,7 @@ Windows Insider Preview builds only apply to Windows 10 and are not available fo > [!NOTE] -> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for zero exhaust) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**. +> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**. To turn off Insider Preview builds for a released version of Windows 10: 
@@ -1049,11 +1044,11 @@ To turn off dictation of your voice, speaking to Cortana and other apps, and to If you're running at Windows 10, version 1703 up to and including Windows 10, version 1803, you can turn off updates to the speech recognition and speech synthesis models: - - **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatic update of Speech Data** +- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatic update of Speech Data** -or- - - Create a REG_DWORD registry setting named **AllowSpeechModelUpdate** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Speech** with a **value of 0 (zero)** +- Create a REG_DWORD registry setting named **AllowSpeechModelUpdate** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Speech** with a **value of 0 (zero)** @@ -1260,7 +1255,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co ### 18.16 Feedback & diagnostics -In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. +In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To change how frequently **Windows should ask for my feedback**: 
@@ -1415,11 +1410,11 @@ In the **Inking & Typing** area you can configure the functionality as such: To turn off Inking & Typing data collection (note: there is no Group Policy for this setting): - - In the UI go to **Settings -> Privacy -> Diagnostics & Feedback -> Inking and typing** and turn **Improve inking & typing** to **Off** +- In the UI go to **Settings -> Privacy -> Diagnostics & Feedback -> Inking and typing** and turn **Improve inking & typing** to **Off** -or- - - Set **RestrictImplicitTextCollection** registry REG_DWORD setting in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** to a **value of 1 (one)** +- Set **RestrictImplicitTextCollection** registry REG_DWORD setting in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** to a **value of 1 (one)** ### 18.22 Activity History 
@@ -1484,29 +1479,29 @@ To turn this Off in the UI: Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: - **For Windows 10:** +**For Windows 10:** - - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** -or- - - Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a **value of 1 (one)**. +- Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a **value of 1 (one)**. **For Windows Server 2019 or later:** - - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** -or- - - Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). +- Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). 
**For Windows Server 2016:** - - Create a REG_DWORD registry setting named **NoAcquireGT** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). +- Create a REG_DWORD registry setting named **NoAcquireGT** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). - >[!NOTE] - >Due to a known issue the **Turn off KMS Client Online AVS Validation** group policy does not work as intended on Windows Server 2016, the **NoAcquireGT** value needs to be set instead. - >The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. +>[!NOTE] +>Due to a known issue the **Turn off KMS Client Online AVS Validation** group policy does not work as intended on Windows Server 2016, the **NoAcquireGT** value needs to be set instead. +>The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. ### 20. Storage health 
@@ -1584,7 +1579,7 @@ You can disconnect from the Microsoft Antimalware Protection Service. >[!IMPORTANT] >**Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903** >1. Ensure Windows and Windows Defender are fully up to date. ->2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to >the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make >the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link >and then scroll down to the Tamper Protection toggle to set it to **Off**. +>2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**. - **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS** 
@@ -1623,7 +1618,7 @@ You can stop downloading **Definition Updates**: - **Remove** the **DefinitionUpdateFileSharesSources** reg value if it exists under **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Signature Updates** -You can turn off **Malicious Software Reporting Tool diagnostic data**: +You can turn off **Malicious Software Reporting Tool (MSRT) diagnostic data**: - Set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to **1**. @@ -1730,7 +1725,7 @@ If you're running Windows 10, version 1607 or later, you need to: > The Group Policy for the **LockScreenOverlaysDisabled** regkey is **Force a specific default lock screen and logon image** that is under **Control Panel** **Personalization**. --AND- + \-AND- - Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips** to **Enabled** @@ -1740,7 +1735,7 @@ If you're running Windows 10, version 1607 or later, you need to: - Create a new REG_DWORD registry setting named **DisableSoftLanding** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a **value of 1 (one)** --AND- + \-AND- - Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences** to **Enabled** 
@@ -1881,7 +1876,16 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre - Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the value to 0. + +### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline + +|**Allowed traffic endpoints** | +| --- | +|activation-v2.sls.microsoft.com/*| +|crl.microsoft.com/pki/crl/*| +|ocsp.digicert.com/*| +|www.microsoft.com/pkiops/*| To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx). diff --git a/windows/release-information/TOC.md b/windows/release-information/TOC.md index c905dea447..41ca5d90c0 100644 --- a/windows/release-information/TOC.md +++ b/windows/release-information/TOC.md @@ -24,7 +24,7 @@ # Previous versions ## Windows 8.1 and Windows Server 2012 R2 ### [Known issues and notifications](status-windows-8.1-and-windows-server-2012-r2.yml) -###[Resolved issues](resolved-issues-windows-8.1-and-windows-server-2012-r2.yml) +### [Resolved issues](resolved-issues-windows-8.1-and-windows-server-2012-r2.yml) ## Windows Server 2012 ### [Known issues and notifications](status-windows-server-2012.yml) ### [Resolved issues](resolved-issues-windows-server-2012.yml) @@ -33,4 +33,4 @@ ### [Resolved issues](resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml) ## Windows Server 2008 SP2 ### [Known issues and notifications](status-windows-server-2008-sp2.yml) -### [Resolved issues](resolved-issues-windows-server-2008-sp2.yml) \ No newline at end of file +### [Resolved issues](resolved-issues-windows-server-2008-sp2.yml) diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml index 798d3fa659..6eb7bd7645 100644 
--- a/windows/release-information/resolved-issues-windows-10-1507.yml +++ b/windows/release-information/resolved-issues-windows-10-1507.yml @@ -32,13 +32,13 @@ sections: - type: markdown text: " + - @@ -57,6 +57,7 @@ sections: - type: markdown text: "
                  SummaryOriginating updateStatusDate resolved
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  OS Build 10240.18305

                  August 13, 2019
                  KB4512497
                  Resolved
                  KB4517276
                  August 17, 2019
                  02:00 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  OS Build 10240.18244

                  June 11, 2019
                  KB4503291
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Event Viewer may close or you may receive an error when using Custom Views
                  When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

                  See details >
                  OS Build 10240.18244

                  June 11, 2019
                  KB4503291
                  Resolved
                  KB4507458
                  July 09, 2019
                  10:00 AM PT
                  Unable to access some gov.uk websites
                  gov.uk websites that don’t support “HSTS” may not be accessible

                  See details >
                  OS Build 10240.18215

                  May 14, 2019
                  KB4499154
                  Resolved
                  KB4505051
                  May 19, 2019
                  02:00 PM PT
                  Embedded objects may display incorrectly
                  Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

                  See details >
                  OS Build 10240.18132

                  February 12, 2019
                  KB4487018
                  Resolved
                  KB4493475
                  April 09, 2019
                  10:00 AM PT
                  MSXML6 may cause applications to stop responding
                  MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

                  See details >
                  OS Build 10240.18094

                  January 08, 2019
                  KB4480962
                  Resolved
                  KB4493475
                  April 09, 2019
                  10:00 AM PT
                  Error 1309 when installing/uninstalling MSI or MSP files
                  Users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files.

                  See details >
                  OS Build 10240.18132

                  February 12, 2019
                  KB4487018
                  Resolved
                  KB4489872
                  March 12, 2019
                  10:00 AM PT
                  Internet Explorer may fail to load images
                  Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

                  See details >
                  OS Build 10240.18132

                  February 12, 2019
                  KB4487018
                  Resolved
                  KB4491101
                  February 21, 2019
                  02:00 PM PT
                  First character of Japanese era name not recognized
                  The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  See details >
                  OS Build 10240.18132

                  February 12, 2019
                  KB4487018
                  Resolved
                  KB4489872
                  March 12, 2019
                  10:00 AM PT
                  Custom URI schemes may not start corresponding application
                  Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

                  See details >
                  OS Build 10240.18158

                  March 12, 2019
                  KB4489872
                  Resolved
                  KB4493475
                  April 09, 2019
                  10:00 AM PT
                  Applications using Microsoft Jet database and Access 95 file format stop working
                  Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

                  See details >
                  OS Build 10240.18132

                  February 12, 2019
                  KB4487018
                  Resolved
                  KB4489872
                  March 12, 2019
                  10:00 AM PT
                  +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512497, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4517276. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4517276 and install. For instructions, see Update Windows 10.

                  Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

                  Back to top
                  OS Build 10240.18305

                  August 13, 2019
                  KB4512497
                  Resolved
                  KB4517276
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503291) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  OS Build 10240.18244

                  June 11, 2019
                  KB4503291
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  " @@ -95,7 +96,6 @@ sections: -
                  DetailsOriginating updateStatusHistory
                  Embedded objects may display incorrectly
                  Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
                   
                  For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
                   
                  Affected platforms:  
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
                  Resolution: This issue is resolved in KB4493475

                  Back to top
                  OS Build 10240.18132

                  February 12, 2019
                  KB4487018
                  Resolved
                  KB4493475
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Error 1309 when installing/uninstalling MSI or MSP files
                  After installing KB4487018, users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
                  Resolution: This issue is resolved in KB4489872.

                  Back to top
                  OS Build 10240.18132

                  February 12, 2019
                  KB4487018
                  Resolved
                  KB4489872
                  Resolved:
                  March 12, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Internet Explorer may fail to load images
                  After installing KB4487018, Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
                  Resolution: This issue is resolved in KB4491101.

                  Back to top
                  OS Build 10240.18132

                  February 12, 2019
                  KB4487018
                  Resolved
                  KB4491101
                  Resolved:
                  February 21, 2019
                  02:00 PM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  First character of Japanese era name not recognized
                  After installing KB4487018, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4489872.

                  Back to top
                  OS Build 10240.18132

                  February 12, 2019
                  KB4487018
                  Resolved
                  KB4489872
                  Resolved:
                  March 12, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Applications using Microsoft Jet database and Access 95 file format stop working
                  Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4489872.

                  Back to top
                  OS Build 10240.18132

                  February 12, 2019
                  KB4487018
                  Resolved
                  KB4489872
                  Resolved:
                  March 12, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml index e8b0598941..08b49123c4 100644 --- a/windows/release-information/resolved-issues-windows-10-1607.yml +++ b/windows/release-information/resolved-issues-windows-10-1607.yml @@ -32,6 +32,8 @@ sections: - type: markdown text: " + + @@ -51,10 +53,7 @@ sections: - - -
                  SummaryOriginating updateStatusDate resolved
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  OS Build 14393.3025

                  June 11, 2019
                  KB4503267
                  Resolved
                  KB4512495
                  August 17, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  OS Build 14393.3144

                  August 13, 2019
                  KB4512517
                  Resolved
                  KB4512495
                  August 17, 2019
                  02:00 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

                  See details >
                  OS Build 14393.3115

                  July 16, 2019
                  KB4507459
                  Resolved
                  KB4512517
                  August 13, 2019
                  10:00 AM PT
                  Internet Explorer 11 and apps using the WebBrowser control may fail to render
                  JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.

                  See details >
                  OS Build 14393.3085

                  July 09, 2019
                  KB4507460
                  Resolved
                  KB4512517
                  August 13, 2019
                  10:00 AM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  OS Build 14393.3025

                  June 11, 2019
                  KB4503267
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  End-user-defined characters (EUDC) may cause blue screen at startup
                  If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup.

                  See details >
                  OS Build 14393.2879

                  March 19, 2019
                  KB4489889
                  Resolved
                  KB4493470
                  April 09, 2019
                  10:00 AM PT
                  MSXML6 may cause applications to stop responding
                  MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

                  See details >
                  OS Build 14393.2724

                  January 08, 2019
                  KB4480961
                  Resolved
                  KB4493470
                  April 09, 2019
                  10:00 AM PT
                  Error 1309 when installing/uninstalling MSI or MSP files
                  Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.

                  See details >
                  OS Build 14393.2791

                  February 12, 2019
                  KB4487026
                  Resolved
                  KB4489882
                  March 12, 2019
                  10:00 AM PT
                  Internet Explorer may fail to load images
                  Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

                  See details >
                  OS Build 14393.2791

                  February 12, 2019
                  KB4487026
                  Resolved
                  KB4487006
                  February 19, 2019
                  02:00 PM PT
                  First character of the Japanese era name not recognized as an abbreviation
                  The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  See details >
                  OS Build 14393.2759

                  January 17, 2019
                  KB4480977
                  Resolved
                  KB4487006
                  February 19, 2019
                  02:00 PM PT
                  Custom URI schemes may not start corresponding application
                  Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

                  See details >
                  OS Build 14393.2848

                  March 12, 2019
                  KB4489882
                  Resolved
                  KB4493473
                  April 25, 2019
                  02:00 PM PT
                  Applications using Microsoft Jet database and Access 95 file format stop working
                  Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

                  See details >
                  OS Build 14393.2791

                  February 12, 2019
                  KB4487026
                  Resolved
                  KB4487006
                  February 19, 2019
                  02:00 PM PT
                  Issue hosting multiple terminal server sessions and a user logs off on Windows Server
                  In some cases, Windows Server will stop working and restart when hosting multiple terminal server sessions and a user logs off.

                  See details >
                  OS Build 14393.2828

                  February 19, 2019
                  KB4487006
                  Resolved
                  KB4489882
                  March 12, 2019
                  10:00 AM PT
                  "
@@ -71,6 +70,7 @@ sections: - type: markdown text: " +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512517, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4512495. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512495 and install. For instructions, see Update Windows 10.

                  Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

                  Back to top
                  OS Build 14393.3144

                  August 13, 2019
                  KB4512517
                  Resolved
                  KB4512495
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503267) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  OS Build 14393.3025

                  June 11, 2019
                  KB4503267
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  "
@@ -80,6 +80,7 @@ sections: - type: markdown text: " +
@@ -137,8 +138,6 @@ sections:
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503267 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512495.

                  Back to top
                  OS Build 14393.3025

                  June 11, 2019
                  KB4503267
                  Resolved
                  KB4512495
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.

                  To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

                  Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
                  HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
                   

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
                  Resolution: This issue was resolved in KB4512517. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

                  Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

                  Back to top
                  OS Build 14393.3115

                  July 16, 2019
                  KB4507459
                  Resolved
                  KB4512517
                  Resolved:
                  August 13, 2019
                  10:00 AM PT

                  Opened:
                  July 25, 2019
                  06:10 PM PT
                  Internet Explorer 11 and apps using the WebBrowser control may fail to render
                  Internet Explorer 11 may fail to render some JavaScript after installing KB4507460. You may also have issues with apps using JavaScript or the WebBrowser control, such as the present PowerPoint feature of Skype Meeting Broadcast.

                  Affected platforms:
                  • Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
                  • Server: Windows Server 2016
                  Resolution: This issue was resolved in KB4512517.

                  Back to top
                  OS Build 14393.3085

                  July 09, 2019
                  KB4507460
                  Resolved
                  KB4512517
                  Resolved:
                  August 13, 2019
                  10:00 AM PT

                  Opened:
                  July 26, 2019
                  04:58 PM PT
                  - -
                  DetailsOriginating updateStatusHistory
                  Embedded objects may display incorrectly
                  Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
                   
                  For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
                   
                  Affected platforms:  
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
                  Resolution: This issue is resolved in KB4493470

                  Back to top
                  OS Build 14393.2791

                  February 12, 2019
                  KB4487026
                  Resolved
                  KB4493470
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Error 1309 when installing/uninstalling MSI or MSP files
                  After installing KB4487026, users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
                  Resolution: This issue is resolved in KB4489882.

                  Back to top
                  OS Build 14393.2791

                  February 12, 2019
                  KB4487026
                  Resolved
                  KB4489882
                  Resolved:
                  March 12, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Internet Explorer may fail to load images
                  After installing KB4487026, Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
                  Resolution: This issue is resolved in KB4487006.

                  Back to top
                  OS Build 14393.2791

                  February 12, 2019
                  KB4487026
                  Resolved
                  KB4487006
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Applications using Microsoft Jet database and Access 95 file format stop working
                  Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4487006.

                  Back to top
                  OS Build 14393.2791

                  February 12, 2019
                  KB4487026
                  Resolved
                  KB4487006
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Issue hosting multiple terminal server sessions and a user logs off on Windows Server
                  In some cases, Windows Server will stop working and restart when hosting multiple terminal server sessions and a user logs off. The faulting driver is win32kbase.sys.

                  Affected platforms:
                  • Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
                  • Server: Windows Server 2016
                  Resolution: This issue is resolved in KB4489882.

                  Back to top
                  OS Build 14393.2828

                  February 19, 2019
                  KB4487006
                  Resolved
                  KB4489882
                  Resolved:
                  March 12, 2019
                  10:00 AM PT

                  Opened:
                  February 19, 2019
                  02:00 PM PT
                  "
@@ -150,7 +149,6 @@ sections: -
                  DetailsOriginating updateStatusHistory
                  Internet Explorer 11 authentication issue with multiple concurrent logons
                  After installing KB4480961, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
                  • Cache size and location show zero or empty.
                  • Keyboard shortcuts may not work properly.
                  • Webpages may intermittently fail to load or render correctly.
                  • Issues with credential prompts.
                  • Issues when downloading files.
                  Affected platforms: 
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
                  Resolution: This issue was resolved in KB4493470.

                  Back to top
                  OS Build 14393.2724

                  January 08, 2019
                  KB4480961
                  Resolved
                  KB4493470
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  January 08, 2019
                  10:00 AM PT
                  MSXML6 may cause applications to stop responding
                  After installing KB4480961, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

                  The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
                  Resolution: This issue was resolved in KB4493470.

                  Back to top
                  OS Build 14393.2724

                  January 08, 2019
                  KB4480961
                  Resolved
                  KB4493470
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  January 08, 2019
                  10:00 AM PT
                  First character of the Japanese era name not recognized as an abbreviation
                  After installing KB4480977, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4487006.

                  Back to top
                  OS Build 14393.2759

                  January 17, 2019
                  KB4480977
                  Resolved
                  KB4487006
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  January 17, 2019
                  02:00 PM PT
                  "
diff --git a/windows/release-information/resolved-issues-windows-10-1703.yml b/windows/release-information/resolved-issues-windows-10-1703.yml
index 0786837bf2..22ddb295df 100644
--- a/windows/release-information/resolved-issues-windows-10-1703.yml
+++ b/windows/release-information/resolved-issues-windows-10-1703.yml
@@ -32,6 +32,7 @@ sections: - type: markdown text: " +
@@ -44,10 +45,7 @@ sections: - - -
                  SummaryOriginating updateStatusDate resolved
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  OS Build 15063.1988

                  August 13, 2019
                  KB4512507
                  Resolved
                  KB4512474
                  August 17, 2019
                  02:00 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

                  See details >
                  OS Build 15063.1955

                  July 16, 2019
                  KB4507467
                  Resolved
                  KB4512507
                  August 13, 2019
                  10:00 AM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  OS Build 15063.1868

                  June 11, 2019
                  KB4503279
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
                  Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

                  See details >
                  OS Build 15063.1805

                  May 14, 2019
                  KB4499181
                  Resolved
                  KB4507450
                  July 09, 2019
                  10:00 AM PT
                  End-user-defined characters (EUDC) may cause blue screen at startup
                  If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

                  See details >
                  OS Build 15063.1716

                  March 19, 2019
                  KB4489888
                  Resolved
                  KB4493474
                  April 09, 2019
                  10:00 AM PT
                  MSXML6 may cause applications to stop responding
                  MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

                  See details >
                  OS Build 15063.1563

                  January 08, 2019
                  KB4480973
                  Resolved
                  KB4493474
                  April 09, 2019
                  10:00 AM PT
                  Error 1309 when installing/uninstalling MSI or MSP files
                  Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.

                  See details >
                  OS Build 15063.1659

                  February 19, 2019
                  KB4487011
                  Resolved
                  KB4489871
                  March 12, 2019
                  10:00 AM PT
                  Internet Explorer may fail to load images
                  Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

                  See details >
                  OS Build 15063.1631

                  February 12, 2019
                  KB4487020
                  Resolved
                  KB4487011
                  February 19, 2019
                  02:00 PM PT
                  First character of the Japanese era name not recognized as an abbreviation
                  The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  See details >
                  OS Build 15063.1596

                  January 15, 2019
                  KB4480959
                  Resolved
                  KB4487011
                  February 19, 2019
                  02:00 PM PT
                  Custom URI schemes may not start corresponding application
                  Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

                  See details >
                  OS Build 15063.1689

                  March 12, 2019
                  KB4489871
                  Resolved
                  KB4493436
                  April 25, 2019
                  02:00 PM PT
                  Applications using Microsoft Jet database and Access 95 file format stop working
                  Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

                  See details >
                  OS Build 15063.1631

                  February 12, 2019
                  KB4487020
                  Resolved
                  KB4487011
                  February 19, 2019
                  02:00 PM PT
                  "
@@ -63,6 +61,7 @@ sections: - type: markdown text: " +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512507, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4512474. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512474 and install. For instructions, see Update Windows 10.

                  Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

                  Back to top
                  OS Build 15063.1988

                  August 13, 2019
                  KB4512507
                  Resolved
                  KB4512474
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503279) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  OS Build 15063.1868

                  June 11, 2019
                  KB4503279
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  "
@@ -116,8 +115,6 @@ sections: - -
                  DetailsOriginating updateStatusHistory
                  Embedded objects may display incorrectly
                  Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
                   
                  For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
                   
                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
                  Resolution: This issue is resolved in KB4493474

                  Back to top
                  OS Build 15063.1631

                  February 12, 2019
                  KB4487020
                  Resolved
                  KB4493474
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Error 1309 when installing/uninstalling MSI or MSP files
                  After installing KB4487011, users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
                  Resolution: This issue is resolved in KB4489871.

                  Back to top
                  OS Build 15063.1659

                  February 19, 2019
                  KB4487011
                  Resolved
                  KB4489871
                  Resolved:
                  March 12, 2019
                  10:00 AM PT

                  Opened:
                  February 19, 2019
                  02:00 PM PT
                  Internet Explorer may fail to load images
                  After installing KB4487020, Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
                  Resolution: This issue is resolved in KB4487011.

                  Back to top
                  OS Build 15063.1631

                  February 12, 2019
                  KB4487020
                  Resolved
                  KB4487011
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Applications using Microsoft Jet database and Access 95 file format stop working
                  Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4487011.

                  Back to top
                  OS Build 15063.1631

                  February 12, 2019
                  KB4487020
                  Resolved
                  KB4487011
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  " @@ -127,6 +124,5 @@ sections: text: " -
                  DetailsOriginating updateStatusHistory
                  MSXML6 may cause applications to stop responding
                  After installing KB4480973, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

                  The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
                  Resolution: This issue was resolved in KB4493474.

                  Back to top
                  OS Build 15063.1563

                  January 08, 2019
                  KB4480973
                  Resolved
                  KB4493474
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  January 08, 2019
                  10:00 AM PT
                  First character of the Japanese era name not recognized as an abbreviation
                  After installing KB4480959, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4487011.

                  Back to top
                  OS Build 15063.1596

                  January 15, 2019
                  KB4480959
                  Resolved
                  KB4487011
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  January 15, 2019
                  10:00 AM PT
                  " diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml index 36039dceaa..9bf77f7d45 100644 --- a/windows/release-information/resolved-issues-windows-10-1709.yml +++ b/windows/release-information/resolved-issues-windows-10-1709.yml @@ -32,6 +32,8 @@ sections: - type: markdown text: " + + @@ -45,9 +47,6 @@ sections: - - -
                  SummaryOriginating updateStatusDate resolved
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  OS Build 16299.1217

                  June 11, 2019
                  KB4503284
                  Resolved
                  KB4512494
                  August 16, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  OS Build 16299.1331

                  August 13, 2019
                  KB4512516
                  Resolved
                  KB4512494
                  August 16, 2019
                  02:00 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

                  See details >
                  OS Build 16299.1296

                  July 16, 2019
                  KB4507465
                  Resolved
                  KB4512516
                  August 13, 2019
                  10:00 AM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  OS Build 16299.1217

                  June 11, 2019
                  KB4503284
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Difficulty connecting to some iSCSI-based SANs
                  Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

                  See details >
                  OS Build 16299.1182

                  May 28, 2019
                  KB4499147
                  Resolved
                  KB4509477
                  June 26, 2019
                  04:00 PM PT
                  End-user-defined characters (EUDC) may cause blue screen at startup
                  If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

                  See details >
                  OS Build 16299.1059

                  March 19, 2019
                  KB4489890
                  Resolved
                  KB4493441
                  April 09, 2019
                  10:00 AM PT
                  MSXML6 causes applications to stop responding if an exception was thrown
                  MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

                  See details >
                  OS Build 16299.904

                  January 08, 2019
                  KB4480978
                  Resolved
                  KB4493441
                  April 09, 2019
                  10:00 AM PT
                  Error 1309 when installing/uninstalling MSI or MSP files
                  Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.

                  See details >
                  OS Build 16299.967

                  February 12, 2019
                  KB4486996
                  Resolved
                  KB4489886
                  March 12, 2019
                  10:00 AM PT
                  Internet Explorer may fail to load images
                  Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

                  See details >
                  OS Build 16299.967

                  February 12, 2019
                  KB4486996
                  Resolved
                  KB4487021
                  February 19, 2019
                  02:00 PM PT
                  First character of the Japanese era name not recognized as an abbreviation
                  The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  See details >
                  OS Build 16299.936

                  January 15, 2019
                  KB4480967
                  Resolved
                  KB4487021
                  February 19, 2019
                  02:00 PM PT
                  Applications using Microsoft Jet database and Access 95 file format stop working
                  Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

                  See details >
                  OS Build 16299.967

                  February 12, 2019
                  KB4486996
                  Resolved
                  KB4487021
                  February 19, 2019
                  02:00 PM PT
                  Stop error when attempting to start SSH from WSL
                  A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.

                  See details >
                  OS Build 16299.1029

                  March 12, 2019
                  KB4489886
                  Resolved
                  KB4493441
                  April 09, 2019
                  10:00 AM PT
                  " @@ -64,6 +63,7 @@ sections: - type: markdown text: " +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512516, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4512494. The ‘optional’ update will be available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512494 and install. For instructions, see Update Windows 10.

                  Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

                  Back to top
                  OS Build 16299.1331

                  August 13, 2019
                  KB4512516
                  Resolved
                  KB4512494
                  Resolved:
                  August 16, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503284) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  OS Build 16299.1217

                  June 11, 2019
                  KB4503284
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  " @@ -73,6 +73,7 @@ sections: - type: markdown text: " +
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503284 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512494.

                  Back to top
                  OS Build 16299.1217

                  June 11, 2019
                  KB4503284
                  Resolved
                  KB4512494
                  Resolved:
                  August 16, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.

                  To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

                  Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
                  HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
                   

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
                  Resolution: This issue was resolved in KB4512516. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

                  Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

                  Back to top
                  OS Build 16299.1296

                  July 16, 2019
                  KB4507465
                  Resolved
                  KB4512516
                  Resolved:
                  August 13, 2019
                  10:00 AM PT

                  Opened:
                  July 25, 2019
                  06:10 PM PT
                  @@ -126,8 +127,6 @@ sections: - -
                  DetailsOriginating updateStatusHistory
                  Embedded objects may display incorrectly
                  Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
                   
                  For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
                   
                  Affected platforms:  
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
                  Resolution: This issue is resolved in KB4493441

                  Back to top
                  OS Build 16299.967

                  February 12, 2019
                  KB4486996
                  Resolved
                  KB4493441
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Error 1309 when installing/uninstalling MSI or MSP files
                  After installing KB4486996, users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
                  Resolution: This issue is resolved in KB4489886.

                  Back to top
                  OS Build 16299.967

                  February 12, 2019
                  KB4486996
                  Resolved
                  KB4489886
                  Resolved:
                  March 12, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Internet Explorer may fail to load images
                  After installing KB4486996, Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
                  Resolution: This issue is resolved in KB4487021.

                  Back to top
                  OS Build 16299.967

                  February 12, 2019
                  KB4486996
                  Resolved
                  KB4487021
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Applications using Microsoft Jet database and Access 95 file format stop working
                  Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4487021.

                  Back to top
                  OS Build 16299.967

                  February 12, 2019
                  KB4486996
                  Resolved
                  KB4487021
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  " @@ -137,6 +136,5 @@ sections: text: " -
                  DetailsOriginating updateStatusHistory
                  MSXML6 causes applications to stop responding if an exception was thrown
                  After installing KB4480978, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

                  The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
                  Resolution: This issue is resolved in KB4493441.

                  Back to top
                  OS Build 16299.904

                  January 08, 2019
                  KB4480978
                  Resolved
                  KB4493441
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  January 08, 2019
                  10:00 AM PT
                  First character of the Japanese era name not recognized as an abbreviation
                  After installing KB4480967, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4487021.

                  Back to top
                  OS Build 16299.936

                  January 15, 2019
                  KB4480967
                  Resolved
                  KB4487021
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  January 15, 2019
                  10:00 AM PT
                  " diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml index c94998225d..b3059b9fe8 100644 --- a/windows/release-information/resolved-issues-windows-10-1803.yml +++ b/windows/release-information/resolved-issues-windows-10-1803.yml @@ -32,6 +32,8 @@ sections: - type: markdown text: " + + @@ -44,10 +46,7 @@ sections: - - -
                  SummaryOriginating updateStatusDate resolved
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  OS Build 17134.829

                  June 11, 2019
                  KB4503286
                  Resolved
                  KB4512509
                  August 19, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  OS Build 17134.950

                  August 13, 2019
                  KB4512501
                  Resolved
                  KB4512509
                  August 19, 2019
                  02:00 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

                  See details >
                  OS Build 17134.915

                  July 16, 2019
                  KB4507466
                  Resolved
                  KB4512501
                  August 13, 2019
                  10:00 AM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  OS Build 17134.829

                  June 11, 2019
                  KB4503286
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Difficulty connecting to some iSCSI-based SANs
                  Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

                  See details >
                  OS Build 17134.799

                  May 21, 2019
                  KB4499183
                  Resolved
                  KB4509478
                  June 26, 2019
                  04:00 PM PT
                  End-user-defined characters (EUDC) may cause blue screen at startup
                  If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

                  See details >
                  OS Build 17134.677

                  March 19, 2019
                  KB4489894
                  Resolved
                  KB4493464
                  April 09, 2019
                  10:00 AM PT
                  MSXML6 may cause applications to stop responding
                  MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

                  See details >
                  OS Build 17134.523

                  January 08, 2019
                  KB4480966
                  Resolved
                  KB4493464
                  April 09, 2019
                  10:00 AM PT
                  Error 1309 when installing/uninstalling MSI or MSP files
                  Users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files.

                  See details >
                  OS Build 17134.590

                  February 12, 2019
                  KB4487017
                  Resolved
                  KB4489868
                  March 12, 2019
                  10:00 AM PT
                  Internet Explorer may fail to load images
                  Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

                  See details >
                  OS Build 17134.590

                  February 12, 2019
                  KB4487017
                  Resolved
                  KB4487029
                  February 19, 2019
                  02:00 PM PT
                  First character of the Japanese era name not recognized
                  The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  See details >
                  OS Build 17134.556

                  January 15, 2019
                  KB4480976
                  Resolved
                  KB4487029
                  February 19, 2019
                  02:00 PM PT
                  Custom URI schemes may not start corresponding application
                  Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

                  See details >
                  OS Build 17134.648

                  March 12, 2019
                  KB4489868
                  Resolved
                  KB4493437
                  April 25, 2019
                  02:00 PM PT
                  Cannot pin a web link on the Start menu or the taskbar
                  Some users cannot pin a web link on the Start menu or the taskbar.

                  See details >
                  OS Build 17134.471

                  December 11, 2018
                  KB4471324
                  Resolved
                  KB4487029
                  February 19, 2019
                  02:00 PM PT
                  Stop error when attempting to start SSH from WSL
                  A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.

                  See details >
                  OS Build 17134.648

                  March 12, 2019
                  KB4489868
                  Resolved
                  KB4493464
                  April 09, 2019
                  10:00 AM PT
                  "
@@ -64,6 +63,7 @@ sections: - type: markdown text: " +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512501, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4512509. The ‘optional’ update will be available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512509 and install. For instructions, see Update Windows 10.

                  Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

                  Back to top
                  OS Build 17134.950

                  August 13, 2019
                  KB4512501
                  Resolved
                  KB4512509
                  Resolved:
                  August 19, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503286) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  OS Build 17134.829

                  June 11, 2019
                  KB4503286
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  "
@@ -73,6 +73,7 @@ sections: - type: markdown text: " +
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503286 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512509.

                  Back to top
                  OS Build 17134.829

                  June 11, 2019
                  KB4503286
                  Resolved
                  KB4512509
                  Resolved:
                  August 19, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.

                  To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

                  Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
                  HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
                   

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
                  Resolution: This issue was resolved in KB4512501. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

                  Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

                  Back to top
                  OS Build 17134.915

                  July 16, 2019
                  KB4507466
                  Resolved
                  KB4512501
                  Resolved:
                  August 13, 2019
                  10:00 AM PT

                  Opened:
                  July 25, 2019
                  06:10 PM PT
                  @@ -126,7 +127,6 @@ sections: -
                  DetailsOriginating updateStatusHistory
                  Embedded objects may display incorrectly
                  Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
                   
                  For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
                   
                  Affected platforms:  
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
                  Resolution: This issue is resolved in KB4493464

                  Back to top
                  OS Build 17134.590

                  February 12, 2019
                  KB4487017
                  Resolved
                  KB4493464
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Error 1309 when installing/uninstalling MSI or MSP files
                  After installing KB4487017, users may received \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files. 

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
                  Resolution: This issue is resolved in KB4489868.

                  Back to top
                  OS Build 17134.590

                  February 12, 2019
                  KB4487017
                  Resolved
                  KB4489868
                  Resolved:
                  March 12, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Internet Explorer may fail to load images
                  After installing KB4487017, Internet Explorer may fail to load images with a backslash (\\) in their relative source path. 

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
                  Resolution: This issue is resolved in KB4487029

                  Back to top
                  OS Build 17134.590

                  February 12, 2019
                  KB4487017
                  Resolved
                  KB4487029
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  "
@@ -136,15 +136,5 @@ sections: text: " - -
                  DetailsOriginating updateStatusHistory
                  MSXML6 may cause applications to stop responding
                  After installing KB4480966, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

                  The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
                  Resolution: This issue was resolved in KB4493464

                  Back to top
                  OS Build 17134.523

                  January 08, 2019
                  KB4480966
                  Resolved
                  KB4493464
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  January 08, 2019
                  10:00 AM PT
                  First character of the Japanese era name not recognized
                  After installing KB4480976, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4487029

                  Back to top
                  OS Build 17134.556

                  January 15, 2019
                  KB4480976
                  Resolved
                  KB4487029
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  January 08, 2019
                  10:00 AM PT
                  - " - -- title: December 2018 -- items: - - type: markdown - text: " - -
                  DetailsOriginating updateStatusHistory
                  Cannot pin a web link on the Start menu or the taskbar
                  After installing KB4471324, some users cannot pin a web link on the Start menu or the taskbar. 

                  Affected platforms:
                  • Client: Windows 10, version 1803
                  • Server: Windows Server, version 1803
                  Resolution: This issue is resolved in KB4487029

                  Back to top
                  OS Build 17134.471

                  December 11, 2018
                  KB4471324
                  Resolved
                  KB4487029
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  December 11, 2018
                  10:00 AM PT
                  "
diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
index 2dd93de94b..c70c55ae78 100644
--- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
@@ -32,6 +32,8 @@ sections: - type: markdown text: " + +
@@ -76,6 +78,7 @@ sections: - type: markdown text: "
                  SummaryOriginating updateStatusDate resolved
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  OS Build 17763.557

                  June 11, 2019
                  KB4503327
                  Resolved
                  KB4512534
                  August 17, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  OS Build 17763.678

                  August 13, 2019
                  KB4511553
                  Resolved
                  KB4512534
                  August 17, 2019
                  02:00 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

                  See details >
                  OS Build 17763.652

                  July 22, 2019
                  KB4505658
                  Resolved
                  KB4511553
                  August 13, 2019
                  10:00 AM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  OS Build 17763.557

                  June 11, 2019
                  KB4503327
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Difficulty connecting to some iSCSI-based SANs
                  Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

                  See details >
                  OS Build 17763.529

                  May 21, 2019
                  KB4497934
                  Resolved
                  KB4509479
                  June 26, 2019
                  04:00 PM PT
                  +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4511553, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4512534. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512534 and install. For instructions, see Update Windows 10.

                  Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

                  Back to top
                  OS Build 17763.678

                  August 13, 2019
                  KB4511553
                  Resolved
                  KB4512534
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503327) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  OS Build 17763.557

                  June 11, 2019
                  KB4503327
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  " @@ -85,6 +88,7 @@ sections: - type: markdown text: " +
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503327 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512534.

                  Back to top
                  OS Build 17763.557

                  June 11, 2019
                  KB4503327
                  Resolved
                  KB4512534
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.

                  To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

                  Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
                  HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
                   

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
                  Resolution: This issue was resolved in KB4511553. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

                  Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

                  Back to top
                  OS Build 17763.652

                  July 22, 2019
                  KB4505658
                  Resolved
                  KB4511553
                  Resolved:
                  August 13, 2019
                  10:00 AM PT

                  Opened:
                  July 25, 2019
                  06:10 PM PT
                  diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
index 56fbefcd4d..5305dd2345 100644
--- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -32,8 +32,10 @@ sections: - type: markdown text: " - - + + + +
@@ -46,12 +48,8 @@ sections: - - - -
                  SummaryOriginating updateStatusDate resolved
                  IA64-based devices may fail to start after installing updates
                  After installing updates released on or after August 13, 2019, IA64-based devices may fail to start.

                  See details >
                  August 13, 2019
                  KB4512506
                  Resolved
                  KB4474419
                  August 13, 2019
                  10:00 AM PT
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

                  See details >
                  April 09, 2019
                  KB4493472
                  Resolved External
                  August 13, 2019
                  10:06 AM PT
                  Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
                  Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed

                  See details >
                  August 13, 2019
                  KB4512506
                  Resolved External
                  August 27, 2019
                  02:29 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  June 11, 2019
                  KB4503292
                  Resolved
                  KB4512514
                  August 17, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  August 13, 2019
                  KB4512506
                  Resolved
                  KB4517297
                  August 16, 2019
                  02:00 PM PT
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

                  See details >
                  April 09, 2019
                  KB4493472
                  Resolved External
                  August 13, 2019
                  06:59 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  June 11, 2019
                  KB4503292
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  IE11 may stop working when loading or interacting with Power BI reports
                  Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

                  See details >
                  May 14, 2019
                  KB4499164
                  Resolved
                  KB4503277
                  June 20, 2019
                  02:00 PM PT
                  Event Viewer may close or you may receive an error when using Custom Views
                  When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

                  See details >
                  June 11, 2019
                  KB4503292
                  Resolved
                  KB4503277
                  June 20, 2019
                  02:00 PM PT
                  Devices may not respond at login or Welcome screen if running certain Avast software
                  Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.

                  See details >
                  April 09, 2019
                  KB4493472
                  Resolved
                  April 25, 2019
                  02:00 PM PT
                  NETDOM.EXE fails to run
                  NETDOM.EXE fails to run and the error, “The command failed to complete successfully.” appears on screen.

                  See details >
                  March 12, 2019
                  KB4489878
                  Resolved
                  KB4493472
                  April 09, 2019
                  10:00 AM PT
                  Custom URI schemes may not start corresponding application
                  Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

                  See details >
                  March 12, 2019
                  KB4489878
                  Resolved
                  KB4493472
                  April 09, 2019
                  10:00 AM PT
                  Applications using Microsoft Jet database and Access 95 file format stop working
                  Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

                  See details >
                  February 12, 2019
                  KB4486563
                  Resolved
                  KB4486565
                  February 19, 2019
                  02:00 PM PT
                  Internet Explorer may fail to load images
                  Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

                  See details >
                  February 12, 2019
                  KB4486563
                  Resolved
                  KB4486565
                  February 19, 2019
                  02:00 PM PT
                  First character of the Japanese era name not recognized as an abbreviation
                  The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  See details >
                  January 17, 2019
                  KB4480955
                  Resolved
                  KB4486565
                  February 19, 2019
                  02:00 PM PT
                  Internet Explorer 11 authentication issue with multiple concurrent logons
                  Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

                  See details >
                  January 08, 2019
                  KB4480970
                  Resolved
                  KB4493472
                  April 09, 2019
                  10:00 AM PT
                  Event Viewer may not show some event descriptions for network interface cards
                  The Event Viewer may not show some event descriptions for network interface cards (NIC).

                  See details >
                  October 18, 2018
                  KB4462927
                  Resolved
                  KB4489878
                  March 12, 2019
                  10:00 AM PT
                  Virtual machines fail to restore
                  Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.

                  See details >
                  January 08, 2019
                  KB4480970
                  Resolved
                  KB4490511
                  February 19, 2019
                  02:00 PM PT
"
@@ -67,11 +65,21 @@ sections: - type: markdown text: " - + +
                  DetailsOriginating updateStatusHistory
                  IA64-based devices may fail to start after installing updates
                  After installing KB4512506, IA64-based devices may fail to start with the following error:
                  \"File: \\Windows\\system32\\winload.efi
                  Status: 0xc0000428
                  Info: Windows cannot verify the digital signature for this file.\"

                  Affected platforms:
                  • Client: Windows 7 SP1
                  • Server: Windows Server 2008 R2 SP1
                  Resolution: This issue has been resolved in the latest version of KB4474419 (released on or after August 13, 2019).Please verify that KB4474419 is installed and restart your machine before installing KB4512506 released August 13th, 2019 or later.

                   

                  Back to top
                  August 13, 2019
                  KB4512506
                  Resolved
                  KB4474419
                  Resolved:
                  August 13, 2019
                  10:00 AM PT

                  Opened:
                  August 13, 2019
                  08:34 AM PT
                  Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
                  Symantec identified the potential for a negative interaction that may occur after Windows Updates code signed with SHA-2 only certificates are installed on devices with Symantec or Norton antivirus programs installed. The software may not correctly identify files included in the update as code signed by Microsoft, putting the device at risk for a delayed or incomplete update.

                  Affected platforms:
                  • Client: Windows 7 SP1
                  • Server: Windows Server 2008 R2 SP1
                  Resolution: The safeguard hold has been removed. Symantec has completed its evaluation of the impact of this update and future updates to Windows 7/Windows 2008 R2 and has determined that there is no increased risk of a false positive detection for all in-field versions of Symantec Endpoint Protection and Norton antivirus programs. See the Symantec support article for additional detail and please reach out to Symantec or Norton support if you encounter any issues.

                  Back to top
                  August 13, 2019
                  KB4512506
                  Resolved External
                  Last updated:
                  August 27, 2019
                  02:29 PM PT

                  Opened:
                  August 13, 2019
                  10:05 AM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512506, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4517297. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

                  Back to top
                  August 13, 2019
                  KB4512506
                  Resolved
                  KB4517297
                  Resolved:
                  August 16, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  June 11, 2019
                  KB4503292
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
"
+- title: July 2019
+- items:
+ - type: markdown
+ text: " + + +
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503292 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512514.

                  Back to top
                  June 11, 2019
                  KB4503292
                  Resolved
                  KB4512514
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
+ " + - title: June 2019 - items: - type: markdown
@@ -96,7 +104,7 @@ sections: - type: markdown text: " - +
@@ -121,8 +129,6 @@ sections: text: "
                  DetailsOriginating updateStatusHistory
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

                  Affected platforms:
                  • Client: Windows 8.1; Windows 7 SP1
                  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
                  Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles: 

                  Back to top
                  April 09, 2019
                  KB4493472
                  Resolved External
                  Last updated:
                  August 13, 2019
                  10:06 AM PT

                  Opened:
                  April 09, 2019
                  10:00 AM PT
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

                  Affected platforms:
                  • Client: Windows 8.1; Windows 7 SP1
                  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
                  Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles: 

                  Back to top
                  April 09, 2019
                  KB4493472
                  Resolved External
                  Last updated:
                  August 13, 2019
                  06:59 PM PT

                  Opened:
                  April 09, 2019
                  10:00 AM PT
                  System may be unresponsive after restart if ArcaBit antivirus software installed
                  Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

                  Affected platforms:
                  • Client: Windows 8.1; Windows 7 SP1
                  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
                  Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

                  Back to top
                  April 09, 2019
                  KB4493472
                  Resolved
                  Resolved:
                  May 14, 2019
                  01:23 PM PT

                  Opened:
                  April 09, 2019
                  10:00 AM PT
                  System unresponsive after restart if Sophos Endpoint Protection installed
                  Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493472.

                  Affected platforms: 
                  • Client: Windows 8.1; Windows 7 SP1
                  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

                  Back to top
                  April 09, 2019
                  KB4493472
                  Resolved
                  Resolved:
                  May 14, 2019
                  01:22 PM PT

                  Opened:
                  April 09, 2019
                  10:00 AM PT
                  System may be unresponsive after restart if Avira antivirus software installed
                  Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

                  Affected platforms: 
                  • Client: Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

                  Back to top
                  April 09, 2019
                  KB4493472
                  Resolved
                  Resolved:
                  May 14, 2019
                  01:21 PM PT

                  Opened:
                  April 09, 2019
                  10:00 AM PT
                  - -
                  DetailsOriginating updateStatusHistory
                  Embedded objects may display incorrectly
                  Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
                   
                  For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
                   
                  Affected platforms:  
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
                  Resolution: This issue is resolved in KB4493472

                  Back to top
                  February 12, 2019
                  KB4486563
                  Resolved
                  KB4493472
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Applications using Microsoft Jet database and Access 95 file format stop working
                  Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

                  Affected platforms: 
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 7 SP1 
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
                  Resolution: This issue is resolved in KB4486565.

                  Back to top
                  February 12, 2019
                  KB4486563
                  Resolved
                  KB4486565
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Internet Explorer may fail to load images
                  After installing KB4486563, Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

                  Affected platforms: 
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1 
                  Resolution: This issue is resolved in KB4486565.

                  Back to top
                  February 12, 2019
                  KB4486563
                  Resolved
                  KB4486565
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
"
@@ -131,9 +137,7 @@ sections: - type: markdown text: " - -
                  DetailsOriginating updateStatusHistory
                  First character of the Japanese era name not recognized as an abbreviation
                  After installing KB4480955, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  Affected platforms: 
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
                  Resolution: This issue is resolved in KB4486565.

                  Back to top
                  January 17, 2019
                  KB4480955
                  Resolved
                  KB4486565
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  January 17, 2019
                  10:00 AM PT
                  Internet Explorer 11 authentication issue with multiple concurrent logons
                  After installing KB4480970, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
                  • Cache size and location show zero or empty.
                  • Keyboard shortcuts may not work properly.
                  • Webpages may intermittently fail to load or render correctly.
                  • Issues with credential prompts.
                  • Issues when downloading files.
                  Affected platforms: 
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
                  Resolution: This issue is resolved in KB4493472.

                  Back to top
                  January 08, 2019
                  KB4480970
                  Resolved
                  KB4493472
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  January 08, 2019
                  10:00 AM PT
                  Virtual machines fail to restore
                  After installing KB4480970, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

                  This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

                  Affected platforms: 
                  • Client: Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4490511.

                  Back to top
                  January 08, 2019
                  KB4480970
                  Resolved
                  KB4490511
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  January 08, 2019
                  10:00 AM PT
"
diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
index dbb57e0e0b..cee285c22f 100644
--- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
@@ -32,7 +32,9 @@ sections: - type: markdown text: " - + + +
@@ -42,8 +44,6 @@ sections: - -
@@ -51,7 +51,6 @@ sections: -
                  SummaryOriginating updateStatusDate resolved
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

                  See details >
                  April 09, 2019
                  KB4493446
                  Resolved External
                  August 13, 2019
                  10:06 AM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  June 11, 2019
                  KB4503276
                  Resolved
                  KB4512478
                  August 17, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  August 13, 2019
                  KB4512488
                  Resolved
                  KB4517298
                  August 16, 2019
                  02:00 PM PT
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

                  See details >
                  April 09, 2019
                  KB4493446
                  Resolved External
                  August 13, 2019
                  06:59 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  June 11, 2019
                  KB4503276
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  IE11 may stop working when loading or interacting with Power BI reports
                  Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

                  See details >
                  May 14, 2019
                  KB4499151
                  Resolved
                  KB4503283
                  June 20, 2019
                  02:00 PM PT
                  Event Viewer may close or you may receive an error when using Custom Views
                  When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

                  See details >
                  June 11, 2019
                  KB4503276
                  Resolved
                  KB4503283
                  June 20, 2019
                  02:00 PM PT
                  System may be unresponsive after restart if ArcaBit antivirus software installed
                  Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

                  See details >
                  April 09, 2019
                  KB4493446
                  Resolved
                  May 14, 2019
                  01:22 PM PT
                  System unresponsive after restart if Sophos Endpoint Protection installed
                  Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

                  See details >
                  April 09, 2019
                  KB4493446
                  Resolved
                  May 14, 2019
                  01:22 PM PT
                  System may be unresponsive after restart if Avira antivirus software installed
                  Devices with Avira antivirus software installed may become unresponsive upon restart.

                  See details >
                  April 09, 2019
                  KB4493446
                  Resolved
                  May 14, 2019
                  01:21 PM PT
                  Internet Explorer may fail to load images
                  Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

                  See details >
                  February 12, 2019
                  KB4487000
                  Resolved
                  KB4487016
                  February 19, 2019
                  02:00 PM PT
                  First character of the Japanese era name not recognized as an abbreviation
                  The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  See details >
                  January 15, 2019
                  KB4480969
                  Resolved
                  KB4487016
                  February 19, 2019
                  02:00 PM PT
                  Embedded objects may display incorrectly
                  Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

                  See details >
                  February 12, 2019
                  KB4487000
                  Resolved
                  KB4493446
                  April 09, 2019
                  10:00 AM PT
                  Devices may not respond at login or Welcome screen if running certain Avast software
                  Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.

                  See details >
                  April 09, 2019
                  KB4493446
                  Resolved
                  April 25, 2019
                  02:00 PM PT
                  Devices with winsock kernel client may receive error
                  Devices with a winsock kernel client may receive D1, FC, and other errors.

                  See details >
                  March 12, 2019
                  KB4489881
                  Resolved
                  KB4489893
                  March 19, 2019
                  10:00 AM PT
                  Error 1309 when installing/uninstalling MSI or MSP files
                  Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.

                  See details >
                  February 19, 2019
                  KB4487016
                  Resolved
                  KB4489881
                  March 12, 2019
                  10:00 AM PT
                  MSXML6 may cause applications to stop responding.
                  MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

                  See details >
                  January 08, 2019
                  KB4480963
                  Resolved
                  KB4493446
                  April 09, 2019
                  10:00 AM PT
                  Internet Explorer 11 authentication issue with multiple concurrent logons
                  Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

                  See details >
                  January 08, 2019
                  KB4480963
                  Resolved
                  KB4493446
                  April 09, 2019
                  10:00 AM PT
                  Virtual machines fail to restore
                  Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.

                  See details >
                  January 08, 2019
                  KB4480963
                  Resolved
                  KB4490512
                  February 19, 2019
                  02:00 PM PT
                  "
@@ -67,10 +66,20 @@ sections: - type: markdown text: " +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512488, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4517298. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

                  Back to top
                  August 13, 2019
                  KB4512488
                  Resolved
                  KB4517298
                  Resolved:
                  August 16, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503276) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  June 11, 2019
                  KB4503276
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  " +- title: July 2019 +- items: + - type: markdown + text: " + + +
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503276 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512478.

                  Back to top
                  June 11, 2019
                  KB4503276
                  Resolved
                  KB4512478
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  + " + - title: June 2019 - items: - type: markdown
@@ -96,7 +105,7 @@ sections: - type: markdown text: " - +
@@ -120,7 +129,6 @@ sections: - type: markdown text: "
                  DetailsOriginating updateStatusHistory
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

                  Affected platforms:
                  • Client: Windows 8.1; Windows 7 SP1
                  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
                  Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:  

                  Back to top
                  April 09, 2019
                  KB4493446
                  Resolved External
                  Last updated:
                  August 13, 2019
                  10:06 AM PT

                  Opened:
                  April 09, 2019
                  10:00 AM PT
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

                  Affected platforms:
                  • Client: Windows 8.1; Windows 7 SP1
                  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
                  Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:  

                  Back to top
                  April 09, 2019
                  KB4493446
                  Resolved External
                  Last updated:
                  August 13, 2019
                  06:59 PM PT

                  Opened:
                  April 09, 2019
                  10:00 AM PT
                  System may be unresponsive after restart if ArcaBit antivirus software installed
                  Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

                  Affected platforms:
                  • Client: Windows 8.1; Windows 7 SP1
                  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
                  Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

                  Back to top
                  April 09, 2019
                  KB4493446
                  Resolved
                  Resolved:
                  May 14, 2019
                  01:22 PM PT

                  Opened:
                  April 09, 2019
                  10:00 AM PT
                  System unresponsive after restart if Sophos Endpoint Protection installed
                  Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493446.

                  Affected platforms: 
                  • Client: Windows 8.1; Windows 7 SP1
                  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

                  Back to top
                  April 09, 2019
                  KB4493446
                  Resolved
                  Resolved:
                  May 14, 2019
                  01:22 PM PT

                  Opened:
                  April 09, 2019
                  10:00 AM PT
                  System may be unresponsive after restart if Avira antivirus software installed
                  Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

                  Affected platforms: 
                  • Client: Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
                  Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

                  Back to top
                  April 09, 2019
                  KB4493446
                  Resolved
                  Resolved:
                  May 14, 2019
                  01:21 PM PT

                  Opened:
                  April 09, 2019
                  10:00 AM PT
                  -
                  DetailsOriginating updateStatusHistory
                  Internet Explorer may fail to load images
                  After installing KB4487000, Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

                  Affected platforms: 
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1 
                  Resolution: This issue is resolved in KB4487016.

                  Back to top
                  February 12, 2019
                  KB4487000
                  Resolved
                  KB4487016
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Embedded objects may display incorrectly
                  Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

                  For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color.

                  Affected platforms 
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
                  Resolution: This issue is resolved in KB4493446.

                  Back to top
                  February 12, 2019
                  KB4487000
                  Resolved
                  KB4493446
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Error 1309 when installing/uninstalling MSI or MSP files
                  After installing KB4487016, users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.

                  Affected platforms: 
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1 
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 
                  Resolution: This issue is resolved in KB4489881.

                  Back to top
                  February 19, 2019
                  KB4487016
                  Resolved
                  KB4489881
                  Resolved:
                  March 12, 2019
                  10:00 AM PT

                  Opened:
                  February 19, 2019
                  02:00 PM PT
                  @@ -131,9 +139,7 @@ sections: - type: markdown text: " - -
                  DetailsOriginating updateStatusHistory
                  First character of the Japanese era name not recognized as an abbreviation
                  After installing KB4480969, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  Affected platforms: 
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
                  Resolution: This issue is resolved in KB4487016.

                  Back to top
                  January 15, 2019
                  KB4480969
                  Resolved
                  KB4487016
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  January 15, 2019
                  10:00 AM PT
                  MSXML6 may cause applications to stop responding.
                  After installing KB4480963, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

                  The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
                  Resolution: This issue is resolved in KB4493446.

                  Back to top
                  January 08, 2019
                  KB4480963
                  Resolved
                  KB4493446
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  January 08, 2019
                  10:00 AM PT
                  Internet Explorer 11 authentication issue with multiple concurrent logons
                  After installing KB4480963, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
                  • Cache size and location show zero or empty.
                  • Keyboard shortcuts may not work properly.
                  • Webpages may intermittently fail to load or render correctly.
                  • Issues with credential prompts.
                  • Issues when downloading files.
                  Affected platforms: 
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
                  Resolution: This issue is resolved in KB4493446.

                  Back to top
                  January 08, 2019
                  KB4480963
                  Resolved
                  KB4493446
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  January 08, 2019
                  10:00 AM PT
                  Virtual machines fail to restore
                  After installing KB4480963, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

                  This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

                  Affected platforms: 
                  • Client: Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4490512.

                  Back to top
                  January 08, 2019
                  KB4480963
                  Resolved
                  KB4490512
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  January 08, 2019
                  10:00 AM PT
                  "
diff --git a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
index b83e9cc1e7..df7f82cfb2 100644
--- a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
+++ b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
@@ -32,16 +32,16 @@ sections: - type: markdown text: " + + - -
                  SummaryOriginating updateStatusDate resolved
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  June 11, 2019
                  KB4503273
                  Resolved
                  KB4512499
                  August 17, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  August 13, 2019
                  KB4512476
                  Resolved
                  KB4517301
                  August 16, 2019
                  02:00 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  June 11, 2019
                  KB4503273
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Event Viewer may close or you may receive an error when using Custom Views
                  When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

                  See details >
                  June 11, 2019
                  KB4503273
                  Resolved
                  KB4503271
                  June 20, 2019
                  02:00 PM PT
                  System unresponsive after restart if Sophos Endpoint Protection installed
                  Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

                  See details >
                  April 09, 2019
                  KB4493471
                  Resolved
                  May 14, 2019
                  01:21 PM PT
                  System may be unresponsive after restart if Avira antivirus software installed
                  Devices with Avira antivirus software installed may become unresponsive upon restart.

                  See details >
                  April 09, 2019
                  KB4493471
                  Resolved
                  May 14, 2019
                  01:19 PM PT
                  Authentication may fail for services after the Kerberos ticket expires
                  Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.

                  See details >
                  March 12, 2019
                  KB4489880
                  Resolved
                  KB4499149
                  May 14, 2019
                  10:00 AM PT
                  NETDOM.EXE fails to run
                  NETDOM.EXE fails to run and the error, “The command failed to complete successfully.” appears on screen.

                  See details >
                  March 12, 2019
                  KB4489880
                  Resolved
                  KB4493471
                  April 09, 2019
                  10:00 AM PT
                  Applications using Microsoft Jet database and Access 95 file format stop working
                  Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

                  See details >
                  February 12, 2019
                  KB4487023
                  Resolved
                  KB4487022
                  February 19, 2019
                  02:00 PM PT
                  First character of the Japanese era name not recognized as an abbreviation
                  The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  See details >
                  January 17, 2019
                  KB4480974
                  Resolved
                  KB4489880
                  March 12, 2019
                  10:00 AM PT
                  Embedded objects may display incorrectly
                  Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

                  See details >
                  February 12, 2019
                  KB4487023
                  Resolved
                  KB4493471
                  April 09, 2019
                  10:00 AM PT
                  Virtual machines fail to restore
                  Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.

                  See details >
                  January 08, 2019
                  KB4480968
                  Resolved
                  KB4490514
                  February 19, 2019
                  02:00 PM PT
                  "
@@ -57,10 +57,20 @@ sections: - type: markdown text: " +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512476, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4517301. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

                  Back to top
                  August 13, 2019
                  KB4512476
                  Resolved
                  KB4517301
                  Resolved:
                  August 16, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503273) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  June 11, 2019
                  KB4503273
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  "
+- title: July 2019
+- items:
+ - type: markdown
+ text: " + + +
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503273 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512499.

                  Back to top
                  June 11, 2019
                  KB4503273
                  Resolved
                  KB4512499
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  + "
+ - title: June 2019 - items: - type: markdown
@@ -95,7 +105,6 @@ sections: - type: markdown text: "
-
                  DetailsOriginating updateStatusHistory
                  Applications using Microsoft Jet database and Access 95 file format stop working
                  Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4487022.

                  Back to top
                  February 12, 2019
                  KB4487023
                  Resolved
                  KB4487022
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Embedded objects may display incorrectly
                  Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

                  For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color.

                  Affected platforms 
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4493471.

                  Back to top
                  February 12, 2019
                  KB4487023
                  Resolved
                  KB4493471
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  "
@@ -106,6 +115,5 @@ sections: text: "
-
                  DetailsOriginating updateStatusHistory
                  First character of the Japanese era name not recognized as an abbreviation
                  After installing KB4480974, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4489880.

                  Back to top
                  January 17, 2019
                  KB4480974
                  Resolved
                  KB4489880
                  Resolved:
                  March 12, 2019
                  10:00 AM PT

                  Opened:
                  January 17, 2019
                  10:00 AM PT
                  Virtual machines fail to restore
                  After installing KB4480968, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

                  This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

                  Affected platforms: 
                  • Client: Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4490514.

                  Back to top
                  January 08, 2019
                  KB4480968
                  Resolved
                  KB4490514
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  January 08, 2019
                  10:00 AM PT
                  "
diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml
index 9a3dd8d77a..4bd64240b8 100644
--- a/windows/release-information/resolved-issues-windows-server-2012.yml
+++ b/windows/release-information/resolved-issues-windows-server-2012.yml
@@ -32,6 +32,8 @@ sections: - type: markdown text: " + +
@@ -41,13 +43,10 @@ sections: - - -
                  SummaryOriginating updateStatusDate resolved
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  June 11, 2019
                  KB4503285
                  Resolved
                  KB4512512
                  August 17, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  August 13, 2019
                  KB4512518
                  Resolved
                  KB4517302
                  August 16, 2019
                  02:00 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  June 11, 2019
                  KB4503285
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Some devices and generation 2 Hyper-V VMs may have issues installing updates
                  Some devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing some updates when Secure Boot is enabled.

                  See details >
                  June 11, 2019
                  KB4503285
                  Resolved
                  KB4503295
                  June 21, 2019
                  02:00 PM PT
                  IE11 may stop working when loading or interacting with Power BI reports
                  Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

                  See details >
                  May 14, 2019
                  KB4499171
                  Resolved
                  KB4503295
                  June 21, 2019
                  02:00 PM PT
                  Layout and cell size of Excel sheets may change when using MS UI Gothic
                  When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

                  See details >
                  April 25, 2019
                  KB4493462
                  Resolved
                  KB4499171
                  May 14, 2019
                  10:00 AM PT
                  System unresponsive after restart if Sophos Endpoint Protection installed
                  Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

                  See details >
                  April 09, 2019
                  KB4493451
                  Resolved
                  May 14, 2019
                  01:21 PM PT
                  System may be unresponsive after restart if Avira antivirus software installed
                  Devices with Avira antivirus software installed may become unresponsive upon restart.

                  See details >
                  April 09, 2019
                  KB4493451
                  Resolved
                  May 14, 2019
                  01:19 PM PT
                  Applications using Microsoft Jet database and Access 95 file format stop working
                  Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

                  See details >
                  February 12, 2019
                  KB4487025
                  Resolved
                  KB4487024
                  February 19, 2019
                  02:00 PM PT
                  First character of the Japanese era name not recognized as an abbreviation
                  The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  See details >
                  January 15, 2019
                  KB4480971
                  Resolved
                  KB4487024
                  February 19, 2019
                  02:00 PM PT
                  Embedded objects may display incorrectly
                  Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

                  See details >
                  February 12, 2019
                  KB4487025
                  Resolved
                  KB4493451
                  April 09, 2019
                  10:00 AM PT
                  Error 1309 when installing/uninstalling MSI or MSP files
                  Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.

                  See details >
                  February 12, 2019
                  KB4487025
                  Resolved
                  KB4489891
                  March 12, 2019
                  10:00 AM PT
                  Internet Explorer 11 authentication issue with multiple concurrent logons
                  Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

                  See details >
                  January 08, 2019
                  KB4480975
                  Resolved
                  KB4493451
                  April 09, 2019
                  10:00 AM PT
                  MSXML6 may cause applications to stop responding
                  MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

                  See details >
                  January 08, 2019
                  KB4480975
                  Resolved
                  KB4493451
                  April 09, 2019
                  10:00 AM PT
                  Virtual machines fail to restore
                  Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.

                  See details >
                  January 08, 2019
                  KB4480975
                  Resolved
                  KB4490516
                  February 19, 2019
                  02:00 PM PT
                  Event Viewer may not show some event descriptions for network interface cards
                  The Event Viewer may not show some event descriptions for network interface cards (NIC).

                  See details >
                  September 11, 2018
                  KB4457135
                  Resolved
                  KB4489891
                  March 12, 2019
                  10:00 AM PT
                  "
@@ -64,10 +63,20 @@ sections: - type: markdown text: "
+
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512518, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4517302. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

                  Back to top
                  August 13, 2019
                  KB4512518
                  Resolved
                  KB4517302
                  Resolved:
                  August 16, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503285) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  June 11, 2019
                  KB4503285
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  "
+- title: July 2019
+- items:
+ - type: markdown
+ text: " + + +
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503285 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512512.

                  Back to top
                  June 11, 2019
                  KB4503285
                  Resolved
                  KB4512512
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  + "
+ - title: June 2019 - items: - type: markdown
@@ -113,7 +122,6 @@ sections: - type: markdown text: "
-
                  DetailsOriginating updateStatusHistory
                  Applications using Microsoft Jet database and Access 95 file format stop working
                  Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4487024.

                  Back to top
                  February 12, 2019
                  KB4487025
                  Resolved
                  KB4487024
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Embedded objects may display incorrectly
                  Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

                  For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color.

                  Affected platforms 
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
                  Resolution: This issue is resolved in KB4493451.

                  Back to top
                  February 12, 2019
                  KB4487025
                  Resolved
                  KB4493451
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  Error 1309 when installing/uninstalling MSI or MSP files
                  After installing KB4487025, users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
                  Resolution: This issue is resolved in KB4489891.

                  Back to top
                  February 12, 2019
                  KB4487025
                  Resolved
                  KB4489891
                  Resolved:
                  March 12, 2019
                  10:00 AM PT

                  Opened:
                  February 12, 2019
                  10:00 AM PT
                  @@ -124,10 +132,8 @@ sections: - type: markdown text: " - -
                  DetailsOriginating updateStatusHistory
                  First character of the Japanese era name not recognized as an abbreviation
                  After installing KB4480971, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4487024.

                  Back to top
                  January 15, 2019
                  KB4480971
                  Resolved
                  KB4487024
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  January 15, 2019
                  10:00 AM PT
                  Internet Explorer 11 authentication issue with multiple concurrent logons
                  After installing KB4480975, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
                  • Cache size and location show zero or empty.
                  • Keyboard shortcuts may not work properly.
                  • Webpages may intermittently fail to load or render correctly.
                  • Issues with credential prompts.
                  • Issues when downloading files.
                  Affected platforms: 
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
                  Resolution: This issue is resolved in KB4493451.

                  Back to top
                  January 08, 2019
                  KB4480975
                  Resolved
                  KB4493451
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  January 08, 2019
                  10:00 AM PT
                  MSXML6 may cause applications to stop responding
                  After installing KB4480975, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

                  The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

                  Affected platforms:
                  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
                  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
                  Resolution: This issue is resolved in KB4493451.

                  Back to top
                  January 08, 2019
                  KB4480975
                  Resolved
                  KB4493451
                  Resolved:
                  April 09, 2019
                  10:00 AM PT

                  Opened:
                  January 08, 2019
                  10:00 AM PT
                  Virtual machines fail to restore
                  After installing KB4480975, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, \"Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).\"

                  This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

                  Affected platforms: 
                  • Client: Windows 8.1; Windows 7 SP1 
                  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue is resolved in KB4490516.

                  Back to top
                  January 08, 2019
                  KB4480975
                  Resolved
                  KB4490516
                  Resolved:
                  February 19, 2019
                  02:00 PM PT

                  Opened:
                  January 08, 2019
                  10:00 AM PT
                  "
diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml
index 55d16a4b23..9a8ebe8053 100644
--- a/windows/release-information/status-windows-10-1507.yml
+++ b/windows/release-information/status-windows-10-1507.yml
@@ -60,6 +60,7 @@ sections: - type: markdown text: "
                  This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

                  +
                  SummaryOriginating updateStatusLast updated
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  OS Build 10240.18305

                  August 13, 2019
                  KB4512497
                  Resolved
                  KB4517276
                  August 17, 2019
                  02:00 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  OS Build 10240.18244

                  June 11, 2019
                  KB4503291
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Certain operations performed on a Cluster Shared Volume may fail
                  Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

                  See details >
                  OS Build 10240.18094

                  January 08, 2019
                  KB4480962
                  Mitigated
                  April 25, 2019
                  02:00 PM PT
                  @@ -77,6 +78,7 @@ sections: - type: markdown text: " +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512497, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4517276. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4517276 and install. For instructions, see Update Windows 10.

                  Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

                  Back to top
                  OS Build 10240.18305

                  August 13, 2019
                  KB4512497
                  Resolved
                  KB4517276
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503291) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  OS Build 10240.18244

                  June 11, 2019
                  KB4503291
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  "
diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
index 407e511420..fb76299a24 100644
--- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
+++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
@@ -60,13 +60,12 @@ sections: - type: markdown text: "
                  This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

                  + + - - -
@@ -85,6 +84,7 @@ sections: - type: markdown text: "
                  SummaryOriginating updateStatusLast updated
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  OS Build 14393.3025

                  June 11, 2019
                  KB4503267
                  Resolved
                  KB4512495
                  August 17, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  OS Build 14393.3144

                  August 13, 2019
                  KB4512517
                  Resolved
                  KB4512495
                  August 17, 2019
                  02:00 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

                  See details >
                  OS Build 14393.3115

                  July 16, 2019
                  KB4507459
                  Resolved
                  KB4512517
                  August 13, 2019
                  10:00 AM PT
                  Internet Explorer 11 and apps using the WebBrowser control may fail to render
                  JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.

                  See details >
                  OS Build 14393.3085

                  July 09, 2019
                  KB4507460
                  Resolved
                  KB4512517
                  August 13, 2019
                  10:00 AM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  OS Build 14393.3025

                  June 11, 2019
                  KB4503267
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Apps and scripts using the NetQueryDisplayInformation API may fail with error
                  Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.

                  See details >
                  OS Build 14393.3053

                  June 18, 2019
                  KB4503294
                  Investigating
                  August 01, 2019
                  05:00 PM PT
                  SCVMM cannot enumerate and manage logical switches deployed on the host
                  For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.

                  See details >
                  OS Build 14393.2639

                  November 27, 2018
                  KB4467684
                  Resolved
                  KB4507459
                  July 16, 2019
                  10:00 AM PT
                  Some applications may fail to run as expected on clients of AD FS 2016
                  Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)

                  See details >
                  OS Build 14393.2941

                  April 25, 2019
                  KB4493473
                  Resolved
                  KB4507459
                  July 16, 2019
                  10:00 AM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  OS Build 14393.3025

                  June 11, 2019
                  KB4503267
                  Mitigated
                  July 10, 2019
                  07:09 PM PT
                  Certain operations performed on a Cluster Shared Volume may fail
                  Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

                  See details >
                  OS Build 14393.2724

                  January 08, 2019
                  KB4480961
                  Mitigated
                  April 25, 2019
                  02:00 PM PT
                  Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
                  Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

                  See details >
                  OS Build 14393.2608

                  November 13, 2018
                  KB4467691
                  Mitigated
                  February 19, 2019
                  10:00 AM PT
                  Cluster service may fail if the minimum password length is set to greater than 14
                  The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.

                  See details >
                  OS Build 14393.2639

                  November 27, 2018
                  KB4467684
                  Mitigated
                  April 25, 2019
                  02:00 PM PT
                  +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512517, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4512495. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512495 and install. For instructions, see Update Windows 10.

                  Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

                  Back to top
                  OS Build 14393.3144

                  August 13, 2019
                  KB4512517
                  Resolved
                  KB4512495
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503267) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  OS Build 14393.3025

                  June 11, 2019
                  KB4503267
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  Apps and scripts using the NetQueryDisplayInformation API may fail with error
                   Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

                  Affected platforms:
                  • Server: Windows Server 2019; Windows Server 2016
                  Next steps: We are working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  OS Build 14393.3053

                  June 18, 2019
                  KB4503294
                  Investigating
                  Last updated:
                  August 01, 2019
                  05:00 PM PT

                  Opened:
                  August 01, 2019
                  05:00 PM PT
                  @@ -95,19 +95,10 @@ sections: - type: markdown text: " + - -
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503267 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512495.

                  Back to top
                  OS Build 14393.3025

                  June 11, 2019
                  KB4503267
                  Resolved
                  KB4512495
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.

                  To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

                  Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
                  HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
                   

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
                  Resolution: This issue was resolved in KB4512517. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

                  Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

                  Back to top
                  OS Build 14393.3115

                  July 16, 2019
                  KB4507459
                  Resolved
                  KB4512517
                  Resolved:
                  August 13, 2019
                  10:00 AM PT

                  Opened:
                  July 25, 2019
                  06:10 PM PT
                  Internet Explorer 11 and apps using the WebBrowser control may fail to render
                  Internet Explorer 11 may fail to render some JavaScript after installing KB4507460. You may also have issues with apps using JavaScript or the WebBrowser control, such as the present PowerPoint feature of Skype Meeting Broadcast.

                  Affected platforms:
                  • Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
                  • Server: Windows Server 2016
                  Resolution: This issue was resolved in KB4512517.

                  Back to top
                  OS Build 14393.3085

                  July 09, 2019
                  KB4507460
                  Resolved
                  KB4512517
                  Resolved:
                  August 13, 2019
                  10:00 AM PT

                  Opened:
                  July 26, 2019
                  04:58 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503267 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Workaround:
                  To mitigate this issue on an SCCM server:
                  1. Verify Variable Window Extension is enabled.
                  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
                  Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

                  To mitigate this issue on a WDS server without SCCM:
                  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
                  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
                  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
                  Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

                  Next steps: We are working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  OS Build 14393.3025

                  June 11, 2019
                  KB4503267
                  Mitigated
                  Last updated:
                  July 10, 2019
                  07:09 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  - " - -- title: June 2019 -- items: - - type: markdown - text: " - -
                  DetailsOriginating updateStatusHistory
                  Some applications may fail to run as expected on clients of AD FS 2016
                  Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of KB4493473 on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.

                  Affected platforms:
                  • Server: Windows Server 2016
                  Resolution: This issue was resolved in KB4507459.

                  Back to top
                  OS Build 14393.2941

                  April 25, 2019
                  KB4493473
                  Resolved
                  KB4507459
                  Resolved:
                  July 16, 2019
                  10:00 AM PT

                  Opened:
                  June 04, 2019
                  05:55 PM PT
                  " @@ -125,7 +116,6 @@ sections: - type: markdown text: " -
                  DetailsOriginating updateStatusHistory
                  SCVMM cannot enumerate and manage logical switches deployed on the host
                  For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host after installing KB4467684.

                  Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the hosts.

                  Affected platforms:
                  • Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
                  • Server: Windows Server 2016
                  Resolution: This issue was resolved in KB4507459.

                  Back to top
                  OS Build 14393.2639

                  November 27, 2018
                  KB4467684
                  Resolved
                  KB4507459
                  Resolved:
                  July 16, 2019
                  10:00 AM PT

                  Opened:
                  November 27, 2018
                  10:00 AM PT
                  Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
                  After installing KB4467691, Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

                  Affected platforms:
                  • Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
                  • Server: Windows Server 2016
                  Workaround: Restart the affected machine using the Unified Extensible Firmware Interface (UEFI). Disable Secure Boot and then restart.

                  If BitLocker is enabled on your machine, you may have to go through BitLocker recovery after Secure Boot has been disabled.

                  Next steps: Lenovo and Fujitsu are aware of this issue. Please contact your OEM to ask if there is a firmware update available for your device.

                  Back to top
                  OS Build 14393.2608

                  November 13, 2018
                  KB4467691
                  Mitigated
                  Last updated:
                  February 19, 2019
                  10:00 AM PT

                  Opened:
                  November 13, 2018
                  10:00 AM PT
                  Cluster service may fail if the minimum password length is set to greater than 14
                  After installing KB4467684, the cluster service may fail to start with the error \"2245 (NERR_PasswordTooShort)\" if the Group Policy \"Minimum Password Length\" is configured with greater than 14 characters.

                  Affected platforms:
                  • Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
                  • Server: Windows Server 2016
                  Workaround: Set the domain default \"Minimum Password Length\" policy to less than or equal to 14 characters.

                  Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  OS Build 14393.2639

                  November 27, 2018
                  KB4467684
                  Mitigated
                  Last updated:
                  April 25, 2019
                  02:00 PM PT

                  Opened:
                  November 27, 2018
                  10:00 AM PT
                  diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml
index 895bd3c1db..dbe7b4e91e 100644
--- a/windows/release-information/status-windows-10-1703.yml
+++ b/windows/release-information/status-windows-10-1703.yml
@@ -20,6 +20,12 @@ sections: text: " Find information on known issues for Windows 10, version 1703. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s). + +
                  Current status as of August 23, 2019:
                  +
                  The Enterprise and Education editions of Windows 10, version 1703 (the Windows 10 Creators Update) will reach end of life on October 9, 2019. The Home, Pro, Pro for Workstations, and IoT Core editions reached end of service on October 8, 2018.

                  There is no extended support available for any edition of Windows 10, version 1703. Therefore, it will no longer be supported after October 9, 2019 and will not receive monthly security and quality updates containing protections from the latest security threats.

                  To continue receiving security and quality updates, Microsoft recommends that you update your devices to the latest version of Windows 10. For more information on end of service dates and currently supported versions of Windows 10, see the Windows lifecycle fact sheet. +
                  +
                  + " - items: @@ -60,6 +66,7 @@ sections: - type: markdown text: "
                  This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

                  + @@ -78,6 +85,7 @@ sections: - type: markdown text: "
                  SummaryOriginating updateStatusLast updated
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  OS Build 15063.1988

                  August 13, 2019
                  KB4512507
                  Resolved
                  KB4512474
                  August 17, 2019
                  02:00 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

                  See details >
                  OS Build 15063.1955

                  July 16, 2019
                  KB4507467
                  Resolved
                  KB4512507
                  August 13, 2019
                  10:00 AM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  OS Build 15063.1868

                  June 11, 2019
                  KB4503279
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Certain operations performed on a Cluster Shared Volume may fail
                  Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

                  See details >
                  OS Build 15063.1563

                  January 08, 2019
                  KB4480973
                  Mitigated
                  April 25, 2019
                  02:00 PM PT
                  +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512507, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4512474. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512474 and install. For instructions, see Update Windows 10.

                  Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

                  Back to top
                  OS Build 15063.1988

                  August 13, 2019
                  KB4512507
                  Resolved
                  KB4512474
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503279) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  OS Build 15063.1868

                  June 11, 2019
                  KB4503279
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  "
diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml
index 930121e60e..9fa8392574 100644
--- a/windows/release-information/status-windows-10-1709.yml
+++ b/windows/release-information/status-windows-10-1709.yml
@@ -60,9 +60,10 @@ sections: - type: markdown text: "
                  This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

                  + + -
                  SummaryOriginating updateStatusLast updated
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  OS Build 16299.1217

                  June 11, 2019
                  KB4503284
                  Resolved
                  KB4512494
                  August 16, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  OS Build 16299.1331

                  August 13, 2019
                  KB4512516
                  Resolved
                  KB4512494
                  August 16, 2019
                  02:00 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

                  See details >
                  OS Build 16299.1296

                  July 16, 2019
                  KB4507465
                  Resolved
                  KB4512516
                  August 13, 2019
                  10:00 AM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  OS Build 16299.1217

                  June 11, 2019
                  KB4503284
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  OS Build 16299.1217

                  June 11, 2019
                  KB4503284
                  Mitigated
                  July 10, 2019
                  07:09 PM PT
                  Certain operations performed on a Cluster Shared Volume may fail
                  Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

                  See details >
                  OS Build 16299.904

                  January 08, 2019
                  KB4480978
                  Mitigated
                  April 25, 2019
                  02:00 PM PT
                  "
@@ -79,6 +80,7 @@ sections: - type: markdown text: " +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512516, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4512494. The ‘optional’ update will be available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512494 and install. For instructions, see Update Windows 10.

                  Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

                  Back to top
                  OS Build 16299.1331

                  August 13, 2019
                  KB4512516
                  Resolved
                  KB4512494
                  Resolved:
                  August 16, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503284) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  OS Build 16299.1217

                  June 11, 2019
                  KB4503284
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  "
@@ -88,9 +90,9 @@ sections: - type: markdown text: " + -
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503284 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512494.

                  Back to top
                  OS Build 16299.1217

                  June 11, 2019
                  KB4503284
                  Resolved
                  KB4512494
                  Resolved:
                  August 16, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.

                  To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

                  Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
                  HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
                   

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
                  Resolution: This issue was resolved in KB4512516. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

                  Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

                  Back to top
                  OS Build 16299.1296

                  July 16, 2019
                  KB4507465
                  Resolved
                  KB4512516
                  Resolved:
                  August 13, 2019
                  10:00 AM PT

                  Opened:
                  July 25, 2019
                  06:10 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503284 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Workaround:
                  To mitigate this issue on an SCCM server:
                  1. Verify Variable Window Extension is enabled.
                  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
                  Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

                  To mitigate this issue on a WDS server without SCCM:
                  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
                  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
                  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
                  Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

                  Next steps: We are working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  OS Build 16299.1217

                  June 11, 2019
                  KB4503284
                  Mitigated
                  Last updated:
                  July 10, 2019
                  07:09 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  "
diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml
index 0d6c3bc4dd..c9f0739b5a 100644
--- a/windows/release-information/status-windows-10-1803.yml
+++ b/windows/release-information/status-windows-10-1803.yml
@@ -65,9 +65,10 @@ sections: - type: markdown text: "
                  This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

                  + + -
                  SummaryOriginating updateStatusLast updated
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  OS Build 17134.829

                  June 11, 2019
                  KB4503286
                  Resolved
                  KB4512509
                  August 19, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  OS Build 17134.950

                  August 13, 2019
                  KB4512501
                  Resolved
                  KB4512509
                  August 19, 2019
                  02:00 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

                  See details >
                  OS Build 17134.915

                  July 16, 2019
                  KB4507466
                  Resolved
                  KB4512501
                  August 13, 2019
                  10:00 AM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  OS Build 17134.829

                  June 11, 2019
                  KB4503286
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  OS Build 17134.829

                  June 11, 2019
                  KB4503286
                  Mitigated
                  July 10, 2019
                  07:09 PM PT
                  Startup to a black screen after installing updates
                  Your device may startup to a black screen during the first logon after installing updates.

                  See details >
                  OS Build 17134.829

                  June 11, 2019
                  KB4503286
                  Mitigated
                  June 14, 2019
                  04:41 PM PT
                  Certain operations performed on a Cluster Shared Volume may fail
                  Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

                  See details >
                  OS Build 17134.523

                  January 08, 2019
                  KB4480966
                  Mitigated
                  April 25, 2019
                  02:00 PM PT
                  @@ -85,6 +86,7 @@ sections: - type: markdown text: " +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512501, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4512509. The ‘optional’ update will be available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512509 and install. For instructions, see Update Windows 10.

                  Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

                  Back to top
                  OS Build 17134.950

                  August 13, 2019
                  KB4512501
                  Resolved
                  KB4512509
                  Resolved:
                  August 19, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503286) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  OS Build 17134.829

                  June 11, 2019
                  KB4503286
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  "
@@ -94,9 +96,9 @@ sections: - type: markdown text: " + -
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503286 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512509.

                  Back to top
                  OS Build 17134.829

                  June 11, 2019
                  KB4503286
                  Resolved
                  KB4512509
                  Resolved:
                  August 19, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.

                  To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

                  Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
                  HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
                   

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
                  Resolution: This issue was resolved in KB4512501. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

                  Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

                  Back to top
                  OS Build 17134.915

                  July 16, 2019
                  KB4507466
                  Resolved
                  KB4512501
                  Resolved:
                  August 13, 2019
                  10:00 AM PT

                  Opened:
                  July 25, 2019
                  06:10 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503286 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Workaround:
                  To mitigate this issue on an SCCM server:
                  1. Verify Variable Window Extension is enabled.
                  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
                  Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

                  To mitigate this issue on a WDS server without SCCM:
                  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
                  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
                  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
                  Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

                  Next steps: We are working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  OS Build 17134.829

                  June 11, 2019
                  KB4503286
                  Mitigated
                  Last updated:
                  July 10, 2019
                  07:09 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  "
diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
index a6f1d702b4..5a2c3b8df0 100644
--- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
@@ -64,10 +64,11 @@ sections: - type: markdown text: "
                  This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

                  + + -
@@ -86,6 +87,7 @@ sections: - type: markdown text: "
                  SummaryOriginating updateStatusLast updated
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  OS Build 17763.557

                  June 11, 2019
                  KB4503327
                  Resolved
                  KB4512534
                  August 17, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  OS Build 17763.678

                  August 13, 2019
                  KB4511553
                  Resolved
                  KB4512534
                  August 17, 2019
                  02:00 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

                  See details >
                  OS Build 17763.652

                  July 22, 2019
                  KB4505658
                  Resolved
                  KB4511553
                  August 13, 2019
                  10:00 AM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  OS Build 17763.557

                  June 11, 2019
                  KB4503327
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Apps and scripts using the NetQueryDisplayInformation API may fail with error
                  Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.

                  See details >
                  OS Build 17763.55

                  October 09, 2018
                  KB4464330
                  Investigating
                  August 01, 2019
                  05:00 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  OS Build 17763.557

                  June 11, 2019
                  KB4503327
                  Mitigated
                  July 10, 2019
                  07:09 PM PT
                  Startup to a black screen after installing updates
                  Your device may startup to a black screen during the first logon after installing updates.

                  See details >
                  OS Build 17763.557

                  June 11, 2019
                  KB4503327
                  Mitigated
                  June 14, 2019
                  04:41 PM PT
                  Devices with some Asian language packs installed may receive an error
                  After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F

                  See details >
                  OS Build 17763.437

                  April 09, 2019
                  KB4493509
                  Mitigated
                  May 03, 2019
                  10:59 AM PT
                  Certain operations performed on a Cluster Shared Volume may fail
                  Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

                  See details >
                  OS Build 17763.253

                  January 08, 2019
                  KB4480116
                  Mitigated
                  April 09, 2019
                  10:00 AM PT
                  +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4511553, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4512534. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512534 and install. For instructions, see Update Windows 10.

                  Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

                  Back to top
                  OS Build 17763.678

                  August 13, 2019
                  KB4511553
                  Resolved
                  KB4512534
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503327) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  OS Build 17763.557

                  June 11, 2019
                  KB4503327
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  Apps and scripts using the NetQueryDisplayInformation API may fail with error
                   Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

                  Affected platforms:
                  • Server: Windows Server 2019; Windows Server 2016
                  Next steps: We are working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  OS Build 17763.55

                  October 09, 2018
                  KB4464330
                  Investigating
                  Last updated:
                  August 01, 2019
                  05:00 PM PT

                  Opened:
                  August 01, 2019
                  05:00 PM PT
                  @@ -96,9 +98,9 @@ sections: - type: markdown text: " + -
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503327 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512534.

                  Back to top
                  OS Build 17763.557

                  June 11, 2019
                  KB4503327
                  Resolved
                  KB4512534
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.

                  To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

                  Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
                  HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
                   

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
                  Resolution: This issue was resolved in KB4511553. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

                  Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

                  Back to top
                  OS Build 17763.652

                  July 22, 2019
                  KB4505658
                  Resolved
                  KB4511553
                  Resolved:
                  August 13, 2019
                  10:00 AM PT

                  Opened:
                  July 25, 2019
                  06:10 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503327 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Workaround:
                  To mitigate this issue on an SCCM server:
                  1. Verify Variable Window Extension is enabled.
                  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
                  Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

                  To mitigate this issue on a WDS server without SCCM:
                  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
                  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
                  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
                  Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

                  Next steps: We are working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  OS Build 17763.557

                  June 11, 2019
                  KB4503327
                  Mitigated
                  Last updated:
                  July 10, 2019
                  07:09 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  "
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml
index 3ea2e03409..f2377ee4cf 100644
--- a/windows/release-information/status-windows-10-1903.yml
+++ b/windows/release-information/status-windows-10-1903.yml
@@ -65,17 +65,18 @@ sections: - type: markdown text: "
                  This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

                  - + + + + - -
@@ -94,6 +95,8 @@ sections: - type: markdown text: "
                  SummaryOriginating updateStatusLast updated
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

                  See details >
                  OS Build 18362.145

                  May 29, 2019
                  KB4497935
                  Investigating
                  August 13, 2019
                  05:24 PM PT
                  Windows Sandbox may fail to start with error code “0x80070002”
                  Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates

                  See details >
                  OS Build 18362.116

                  May 20, 2019
                  KB4505057
                  Investigating
                  August 20, 2019
                  11:06 AM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  OS Build 18362.295

                  August 13, 2019
                  KB4512508
                  Investigating
                  August 17, 2019
                  01:49 PM PT
                  Updates may fail to install and you may receive Error 0x80073701
                  Installation of updates may fail and you may receive an error, \"Updates Failed, There were problems installing some updates, but we'll try again later\" and \"Error 0x80073701.\"

                  See details >
                  OS Build 18362.145

                  May 29, 2019
                  KB4497935
                  Investigating
                  August 16, 2019
                  04:28 PM PT
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

                  See details >
                  OS Build 18362.145

                  May 29, 2019
                  KB4497935
                  Investigating
                  August 13, 2019
                  06:59 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  OS Build 18362.175

                  June 11, 2019
                  KB4503293
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Issues updating when certain versions of Intel storage drivers are installed
                  Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.

                  See details >
                  OS Build 18362.145

                  May 29, 2019
                  KB4497935
                  Mitigated External
                  August 09, 2019
                  07:03 PM PT
                  Intermittent loss of Wi-Fi connectivity
                  Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

                  See details >
                  OS Build 18362.116

                  May 21, 2019
                  KB4505057
                  Mitigated External
                  August 01, 2019
                  08:44 PM PT
                  Gamma ramps, color profiles, and night light settings do not apply in some cases
                  Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

                  See details >
                  OS Build 18362.116

                  May 21, 2019
                  KB4505057
                  Mitigated
                  August 01, 2019
                  06:27 PM PT
                  Display brightness may not respond to adjustments
                  Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

                  See details >
                  OS Build 18362.116

                  May 21, 2019
                  KB4505057
                  Resolved
                  KB4505903
                  July 26, 2019
                  02:00 PM PT
                  RASMAN service may stop working and result in the error “0xc0000005”
                  The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.

                  See details >
                  OS Build 18362.145

                  May 29, 2019
                  KB4497935
                  Resolved
                  KB4505903
                  July 26, 2019
                  02:00 PM PT
                  The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
                  Some apps or games that needs to perform graphics intensive operations may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

                  See details >
                  OS Build 18362.145

                  May 29, 2019
                  KB4497935
                  Investigating
                  July 16, 2019
                  09:04 AM PT
                  Initiating a Remote Desktop connection may result in black screen
                  When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen.

                  See details >
                  OS Build 18362.145

                  May 29, 2019
                  KB4497935
                  Investigating
                  July 12, 2019
                  04:42 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  OS Build 18362.175

                  June 11, 2019
                  KB4503293
                  Mitigated
                  July 10, 2019
                  07:09 PM PT
                  Windows Sandbox may fail to start with error code “0x80070002”
                  Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates

                  See details >
                  OS Build 18362.116

                  May 20, 2019
                  KB4505057
                  Investigating
                  June 10, 2019
                  06:06 PM PT
                  Unable to discover or connect to Bluetooth devices
                  Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers.

                  See details >
                  OS Build 18362.116

                  May 21, 2019
                  KB4505057
                  Mitigated
                  May 21, 2019
                  04:48 PM PT
                  Intel Audio displays an intcdaud.sys notification
                  Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in battery drain.

                  See details >
                  OS Build 18362.116

                  May 21, 2019
                  KB4505057
                  Mitigated
                  May 21, 2019
                  04:47 PM PT
                  Cannot launch Camera app
                  Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.

                  See details >
                  OS Build 18362.116

                  May 21, 2019
                  KB4505057
                  Mitigated
                  May 21, 2019
                  04:47 PM PT
                  + +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512508, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Next steps: Microsoft is working on a resolution and estimates a solution will be available late August. The ‘optional’ update will be available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive the update once it is released.

                  Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

                  Back to top
                  OS Build 18362.295

                  August 13, 2019
                  KB4512508
                  Investigating
                  Last updated:
                  August 17, 2019
                  01:49 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  Updates may fail to install and you may receive Error 0x80073701
                  Installation of updates may fail and you may receive the error message, \"Updates Failed, There were problems installing some updates, but we'll try again later\" or \"Error 0x80073701\" on the Windows Update dialog or within Update history.

                  Affected platforms:
                  • Client: Windows 10, version 1903
                  • Server: Windows Server, version 1903
                  Next steps: We are working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  OS Build 18362.145

                  May 29, 2019
                  KB4497935
                  Investigating
                  Last updated:
                  August 16, 2019
                  04:28 PM PT

                  Opened:
                  August 16, 2019
                  01:41 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503293) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  OS Build 18362.175

                  June 11, 2019
                  KB4503293
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  "
@@ -104,7 +107,7 @@ sections: text: " +

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
                  Next steps: At this time, we suggest that devices in an affected environment do not install KB4497935. We are working on a resolution and estimate a solution will be available in late August.

                  Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

                  Back to top
@@ -112,24 +115,15 @@ sections:
                  DetailsOriginating updateStatusHistory
                  Domain connected devices that use MIT Kerberos realms will not start up
                  Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.

                  To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

                  Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
                  HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
                  -

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
                  Next steps: At this time, we suggest that devices in an affected environment do not install KB4497935. We are working on a resolution and estimate a solution will be available in late August.

                  Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

                  Back to top
                  OS Build 18362.145

                  May 29, 2019
                  KB4497935
                  Investigating
                  Last updated:
                  August 13, 2019
                  05:24 PM PT

                  Opened:
                  July 25, 2019
                  06:10 PM PT
                  OS Build 18362.145

                  May 29, 2019
                  KB4497935
                  Investigating
                  Last updated:
                  August 13, 2019
                  06:59 PM PT

                  Opened:
                  July 25, 2019
                  06:10 PM PT
                  Issues updating when certain versions of Intel storage drivers are installed
                  Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).  

                  To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing or being offered Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.

                  Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.8.1050.

                  Affected platforms:
                  • Client: Windows 10, version 1903
                  • Server: Windows Server, version 1903
                  Workaround: To mitigate this issue before the resolution is released, you will need to update the Intel RST drivers for your device to version 15.5.2.1054 or a later.  Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver. Once your drivers are updated, you can restart the installation process for Windows 10, version 1903. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

                  Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

                  Next Steps: We are working on a resolution and estimate a solution will be available in late August.

                  Back to top
                  OS Build 18362.145

                  May 29, 2019
                  KB4497935
                  Mitigated External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  July 25, 2019
                  06:10 PM PT
                  The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
                  Microsoft has identified a compatibility issue on some Surface Book 2 devices configured with Nvidia discrete graphics processing unit (dGPU). After updating to Windows 10, version 1903 (May 2019 Feature Update), some apps or games that needs to perform graphics intensive operations may close or fail to open.

                  To safeguard your update experience, we have applied a compatibility hold on Surface Book 2 devices with Nvidia dGPUs from being offered Windows 10, version 1903, until this issue is resolved.

                  Affected platforms:
                  • Client: Windows 10, version 1903
                  Workaround: To mitigate the issue if you are already on Windows 10, version 1903, you can restart the device or select the Scan for hardware changes button in the Action menu or on the toolbar in Device Manager.

                  Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

                  Next steps: We are working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  OS Build 18362.145

                  May 29, 2019
                  KB4497935
                  Investigating
                  Last updated:
                  July 16, 2019
                  09:04 AM PT

                  Opened:
                  July 12, 2019
                  04:20 PM PT
                  Initiating a Remote Desktop connection may result in black screen
                  When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen. Any version of Windows may encounter this issue when initiating a Remote Desktop connection to a Windows 10, version 1903 device which is running an affected display driver, including the drivers for the Intel 4 series chipset integrated GPU (iGPU).

                  Affected platforms:
                  • Client: Windows 10, version 1903
                  • Server: Windows Server, version 1903
                  Next steps: We are working on a resolution that will be made available in upcoming release.

                  Back to top
                  OS Build 18362.145

                  May 29, 2019
                  KB4497935
                  Investigating
                  Last updated:
                  July 12, 2019
                  04:42 PM PT

                  Opened:
                  July 12, 2019
                  04:42 PM PT
                  " -- title: June 2019 -- items: - - type: markdown - text: " - - -
                  DetailsOriginating updateStatusHistory
                  RASMAN service may stop working and result in the error “0xc0000005”
                  The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0. You may also receive an error in the Application section of Windows Logs in Event Viewer with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.

                  This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.

                  Affected platforms
                  • Client: Windows 10, version 1903
                  Resolution: This issue was resolved in KB4505903.

                  Back to top
                  OS Build 18362.145

                  May 29, 2019
                  KB4497935
                  Resolved
                  KB4505903
                  Resolved:
                  July 26, 2019
                  02:00 PM PT

                  Opened:
                  June 28, 2019
                  05:01 PM PT
                  - " - - title: May 2019 - items: - type: markdown text: " + - diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index f55dd568c1..a8fa52963a 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -60,11 +60,12 @@ sections: - type: markdown text: "
                  This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

                  DetailsOriginating updateStatusHistory
                  Windows Sandbox may fail to start with error code “0x80070002”
                  Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

                  Affected platforms:
                  • Client: Windows 10, version 1903
                  Next steps: We are working on a resolution and estimates a solution will be available in late August.

                  Back to top
                  OS Build 18362.116

                  May 20, 2019
                  KB4505057
                  Investigating
                  Last updated:
                  August 20, 2019
                  11:06 AM PT

                  Opened:
                  May 24, 2019
                  04:20 PM PT
                  Intermittent loss of Wi-Fi connectivity
                  Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

                  To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.

                  Affected platforms:
                  • Client: Windows 10, version 1903
                  Workaround: Before updating to Windows 10, version 1903, you will need to download and install an updated Wi-Fi driver from your device manufacturer (OEM).
                   
                  Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.

                  Back to top
                  OS Build 18362.116

                  May 21, 2019
                  KB4505057
                  Mitigated External
                  Last updated:
                  August 01, 2019
                  08:44 PM PT

                  Opened:
                  May 21, 2019
                  07:13 AM PT
                  Gamma ramps, color profiles, and night light settings do not apply in some cases
                  Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

                  Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
                  • Connecting to (or disconnecting from) an external monitor, dock, or projector
                  • Rotating the screen
                  • Updating display drivers or making other display mode changes
                  • Closing full screen applications
                  • Applying custom color profiles
                  • Running applications that rely on custom gamma ramps
                  Affected platforms:
                  • Client: Windows 10, version 1903
                  Workaround: If you find that your night light has stopped working, try turning the night light off and on, or restarting your computer. For other color setting issues, restart your computer to correct the issue.

                  Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

                  Next steps: We are working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  OS Build 18362.116

                  May 21, 2019
                  KB4505057
                  Mitigated
                  Last updated:
                  August 01, 2019
                  06:27 PM PT

                  Opened:
                  May 21, 2019
                  07:28 AM PT
                  Display brightness may not respond to adjustments
                  Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.

                  To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.

                  Affected platforms:
                  • Client: Windows 10, version 1903
                  Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.

                  Back to top
                  OS Build 18362.116

                  May 21, 2019
                  KB4505057
                  Resolved
                  KB4505903
                  Resolved:
                  July 26, 2019
                  02:00 PM PT

                  Opened:
                  May 21, 2019
                  07:56 AM PT
                  Windows Sandbox may fail to start with error code “0x80070002”
                  Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

                  Affected platforms:
                  • Client: Windows 10, version 1903
                  Next steps: We are working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  OS Build 18362.116

                  May 20, 2019
                  KB4505057
                  Investigating
                  Last updated:
                  June 10, 2019
                  06:06 PM PT

                  Opened:
                  May 24, 2019
                  04:20 PM PT
                  Unable to discover or connect to Bluetooth devices
                  Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek and Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek or Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

                  Affected platforms:
                  • Client: Windows 10, version 1903
                  • Server: Windows Server, version 1903
                  Workaround: Check with your device manufacturer (OEM) to see if an updated driver is available and install it.

                  • For Qualcomm drivers, you will need to install a driver version greater than 10.0.1.11.
                  • For Realtek drivers, you will need to install a driver version greater than 1.5.1011.0.
                  Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

                  Next steps: Microsoft is working with Realtek and Qualcomm to release new drivers for all affected system via Windows Update.  


                  Back to top
                  OS Build 18362.116

                  May 21, 2019
                  KB4505057
                  Mitigated
                  Last updated:
                  May 21, 2019
                  04:48 PM PT

                  Opened:
                  May 21, 2019
                  07:29 AM PT
                  Intel Audio displays an intcdaud.sys notification
                  Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
                    
                  To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809
                  Workaround:
                  On the “What needs your attention\" notification, click the Back button to remain on your current version of Windows 10. (Do not click Confirm as this will proceed with the update and you may experience compatibility issues.) Affected devices will automatically revert to the previous working configuration.

                  For more information, see Intel's customer support guidance and the Microsoft knowledge base article KB4465877.

                  Note We recommend you do not attempt to update your devices until newer device drivers are installed.

                  Next steps: You can opt to wait for newer drivers to be installed automatically through Windows Update or check with the computer manufacturer for the latest device driver software availability and installation procedures.

                  Back to top
                  OS Build 18362.116

                  May 21, 2019
                  KB4505057
                  Mitigated
                  Last updated:
                  May 21, 2019
                  04:47 PM PT

                  Opened:
                  May 21, 2019
                  07:22 AM PT
                  Cannot launch Camera app
                  Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:

                  \"Close other apps, error code: 0XA00F4243.”


                  To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

                  Affected platforms:
                  • Client: Windows 10, version 1903
                  Workaround: To temporarily resolve this issue, perform one of the following:

                  • Unplug your camera and plug it back in.

                  or

                  • Disable and re-enable the driver in Device Manager. In the Search box, type \"Device Manager\" and press Enter. In the Device Manager dialog box, expand Cameras, then right-click on any RealSense driver listed and select Disable device. Right click on the driver again and select Enable device.

                  or

                  • Restart the RealSense service. In the Search box, type \"Task Manager\" and hit Enter. In the Task Manager dialog box, click on the Services tab, right-click on RealSense, and select Restart
                  Note This workaround will only resolve the issue until your next system restart.

                  Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

                  Next steps: We are working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  OS Build 18362.116

                  May 21, 2019
                  KB4505057
                  Mitigated
                  Last updated:
                  May 21, 2019
                  04:47 PM PT

                  Opened:
                  May 21, 2019
                  07:20 AM PT
                  - - - + + + + + -
                  SummaryOriginating updateStatusLast updated
                  IA64-based devices may fail to start after installing updates
                  After installing updates released on or after August 13, 2019, IA64-based devices may fail to start.

                  See details >
                  August 13, 2019
                  KB4512506
                  Resolved
                  KB4474419
                  August 13, 2019
                  10:00 AM PT
                  Windows updates that are SHA-2 signed may not be offered
                  Windows udates that are SHA-2 signed are not available with Symantec Endpoint Protection installed

                  See details >
                  August 13, 2019
                  KB4512506
                  Investigating
                  August 13, 2019
                  10:05 AM PT
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

                  See details >
                  April 09, 2019
                  KB4493472
                  Resolved External
                  August 13, 2019
                  10:06 AM PT
                  Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
                  Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed

                  See details >
                  August 13, 2019
                  KB4512506
                  Resolved External
                  August 27, 2019
                  02:29 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  June 11, 2019
                  KB4503292
                  Resolved
                  KB4512514
                  August 17, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  August 13, 2019
                  KB4512506
                  Resolved
                  KB4517297
                  August 16, 2019
                  02:00 PM PT
                  IA64 and x64 devices may fail to start after installing updates
                  After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.

                  See details >
                  August 13, 2019
                  KB4512506
                  Mitigated
                  August 17, 2019
                  12:59 PM PT
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

                  See details >
                  April 09, 2019
                  KB4493472
                  Resolved External
                  August 13, 2019
                  06:59 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  June 11, 2019
                  KB4503292
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  June 11, 2019
                  KB4503292
                  Mitigated
                  July 10, 2019
                  02:59 PM PT
                  " @@ -80,8 +81,9 @@ sections: - type: markdown text: " - - + + +
                  DetailsOriginating updateStatusHistory
                  IA64-based devices may fail to start after installing updates
                  After installing KB4512506, IA64-based devices may fail to start with the following error:
                  \"File: \\Windows\\system32\\winload.efi
                  Status: 0xc0000428
                  Info: Windows cannot verify the digital signature for this file.\"

                  Affected platforms:
                  • Client: Windows 7 SP1
                  • Server: Windows Server 2008 R2 SP1
                  Resolution: This issue has been resolved in the latest version of KB4474419 (released on or after August 13, 2019).Please verify that KB4474419 is installed and restart your machine before installing KB4512506 released August 13th, 2019 or later.

                   

                  Back to top
                  August 13, 2019
                  KB4512506
                  Resolved
                  KB4474419
                  Resolved:
                  August 13, 2019
                  10:00 AM PT

                  Opened:
                  August 13, 2019
                  08:34 AM PT
                  Windows updates that are SHA-2 signed may not be offered
                  Symantec has identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.

                  Affected platforms:
                  • Client: Windows 7 SP1
                  • Server: Windows Server 2008 R2 SP1
                  Workaround: Guidance for Symantec customers can be found in the Symantec support article.

                  Next steps: To safeguard your update experience, Microsoft and Symantec have partnered to place a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available.

                  Back to top
                  August 13, 2019
                  KB4512506
                  Investigating
                  Last updated:
                  August 13, 2019
                  10:05 AM PT

                  Opened:
                  August 13, 2019
                  10:05 AM PT
                  Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
                  Symantec identified the potential for a negative interaction that may occur after Windows Updates code signed with SHA-2 only certificates are installed on devices with Symantec or Norton antivirus programs installed. The software may not correctly identify files included in the update as code signed by Microsoft, putting the device at risk for a delayed or incomplete update.

                  Affected platforms:
                  • Client: Windows 7 SP1
                  • Server: Windows Server 2008 R2 SP1
                  Resolution: The safeguard hold has been removed. Symantec has completed its evaluation of the impact of this update and future updates to Windows 7/Windows 2008 R2 and has determined that there is no increased risk of a false positive detection for all in-field versions of Symantec Endpoint Protection and Norton antivirus programs. See the Symantec support article for additional detail and please reach out to Symantec or Norton support if you encounter any issues.

                  Back to top
                  August 13, 2019
                  KB4512506
                  Resolved External
                  Last updated:
                  August 27, 2019
                  02:29 PM PT

                  Opened:
                  August 13, 2019
                  10:05 AM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512506, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4517297. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

                  Back to top
                  August 13, 2019
                  KB4512506
                  Resolved
                  KB4517297
                  Resolved:
                  August 16, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  IA64 and x64 devices may fail to start after installing updates
                  IA64 devices (in any configuration) and x64 devices using EFI boot that were provisioned after the July 9th updates and/or skipped the recommended update (KB3133977), may fail to start with the following error:
                  \"File: \\Windows\\system32\\winload.efi
                  Status: 0xc0000428
                  Info: Windows cannot verify the digital signature for this file.\"

                  Affected platforms:
                  • Client: Windows 7 SP1
                  • Server: Windows Server 2008 R2 SP1
                  Take Action: To resolve this issue please follow the steps outlined in the SHA-2 support FAQ article for error code 0xc0000428.

                  Back to top
                  August 13, 2019
                  KB4512506
                  Mitigated
                  Last updated:
                  August 17, 2019
                  12:59 PM PT

                  Opened:
                  August 13, 2019
                  08:34 AM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  June 11, 2019
                  KB4503292
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  "
@@ -91,7 +93,7 @@ sections: - type: markdown text: " - +
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503292 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Workaround:
                  To mitigate this issue on an SCCM server, set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.

                  Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

                  To mitigate this issue on a WDS server without SCCM:
                  1. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
                  2. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
                  Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

                  Next steps: We are working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  June 11, 2019
                  KB4503292
                  Mitigated
                  Last updated:
                  July 10, 2019
                  02:59 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503292 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512514.

                  Back to top
                  June 11, 2019
                  KB4503292
                  Resolved
                  KB4512514
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  "
@@ -100,6 +102,6 @@ sections: - type: markdown text: " - +
                  DetailsOriginating updateStatusHistory
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

                  Affected platforms:
                  • Client: Windows 8.1; Windows 7 SP1
                  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
                  Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles: 

                  Back to top
                  April 09, 2019
                  KB4493472
                  Resolved External
                  Last updated:
                  August 13, 2019
                  10:06 AM PT

                  Opened:
                  April 09, 2019
                  10:00 AM PT
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

                  Affected platforms:
                  • Client: Windows 8.1; Windows 7 SP1
                  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
                  Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles: 

                  Back to top
                  April 09, 2019
                  KB4493472
                  Resolved External
                  Last updated:
                  August 13, 2019
                  06:59 PM PT

                  Opened:
                  April 09, 2019
                  10:00 AM PT
                  "
diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
index 202c053f79..3efbd362b4 100644
--- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
@@ -60,9 +60,10 @@ sections: - type: markdown text: "
                  This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

                  - + + + -
                  SummaryOriginating updateStatusLast updated
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

                  See details >
                  April 09, 2019
                  KB4493446
                  Resolved External
                  August 13, 2019
                  10:06 AM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  June 11, 2019
                  KB4503276
                  Resolved
                  KB4512478
                  August 17, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  August 13, 2019
                  KB4512488
                  Resolved
                  KB4517298
                  August 16, 2019
                  02:00 PM PT
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

                  See details >
                  April 09, 2019
                  KB4493446
                  Resolved External
                  August 13, 2019
                  06:59 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  June 11, 2019
                  KB4503276
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  June 11, 2019
                  KB4503276
                  Mitigated
                  July 10, 2019
                  07:09 PM PT
                  Japanese IME doesn't show the new Japanese Era name as a text input option
                  If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.

                  See details >
                  April 25, 2019
                  KB4493443
                  Mitigated
                  May 15, 2019
                  05:53 PM PT
                  Certain operations performed on a Cluster Shared Volume may fail
                  Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

                  See details >
                  January 08, 2019
                  KB4480963
                  Mitigated
                  April 25, 2019
                  02:00 PM PT
                  @@ -80,6 +81,7 @@ sections: - type: markdown text: " +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512488, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4517298. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

                  Back to top
                  August 13, 2019
                  KB4512488
                  Resolved
                  KB4517298
                  Resolved:
                  August 16, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503276) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  June 11, 2019
                  KB4503276
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  "
@@ -89,7 +91,7 @@ sections: - type: markdown text: " - +
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503276 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Workaround:
                  To mitigate this issue on an SCCM server:
                  1. Verify Variable Window Extension is enabled.
                  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
                  Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

                  To mitigate this issue on a WDS server without SCCM:
                  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
                  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
                  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
                  Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

                  Next steps: We are working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  June 11, 2019
                  KB4503276
                  Mitigated
                  Last updated:
                  July 10, 2019
                  07:09 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503276 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512478.

                  Back to top
                  June 11, 2019
                  KB4503276
                  Resolved
                  KB4512478
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  "
@@ -107,7 +109,7 @@ sections: - type: markdown text: " - +
                  DetailsOriginating updateStatusHistory
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

                  Affected platforms:
                  • Client: Windows 8.1; Windows 7 SP1
                  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
                  Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:  

                  Back to top
                  April 09, 2019
                  KB4493446
                  Resolved External
                  Last updated:
                  August 13, 2019
                  10:06 AM PT

                  Opened:
                  April 09, 2019
                  10:00 AM PT
                  System may be unresponsive after restart with certain McAfee antivirus products
                  Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

                  Affected platforms:
                  • Client: Windows 8.1; Windows 7 SP1
                  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
                  Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:  

                  Back to top
                  April 09, 2019
                  KB4493446
                  Resolved External
                  Last updated:
                  August 13, 2019
                  06:59 PM PT

                  Opened:
                  April 09, 2019
                  10:00 AM PT
                  "
diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml
index 89a7335b26..d1010bdae7 100644
--- a/windows/release-information/status-windows-server-2008-sp2.yml
+++ b/windows/release-information/status-windows-server-2008-sp2.yml
@@ -60,8 +60,9 @@ sections: - type: markdown text: "
                  This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

                  + + -
                  SummaryOriginating updateStatusLast updated
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  June 11, 2019
                  KB4503273
                  Resolved
                  KB4512499
                  August 17, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  August 13, 2019
                  KB4512476
                  Resolved
                  KB4517301
                  August 16, 2019
                  02:00 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  June 11, 2019
                  KB4503273
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  June 11, 2019
                  KB4503273
                  Mitigated
                  July 10, 2019
                  02:59 PM PT
                  "
@@ -77,6 +78,7 @@ sections: - type: markdown text: " +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512476, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4517301. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

                  Back to top
                  August 13, 2019
                  KB4512476
                  Resolved
                  KB4517301
                  Resolved:
                  August 16, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503273) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  June 11, 2019
                  KB4503273
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  "
@@ -86,6 +88,6 @@ sections: - type: markdown text: " - +
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503273 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Workaround:
                  To mitigate this issue on an SCCM server, set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.

                  Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

                  To mitigate this issue on a WDS server without SCCM:
                  1. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
                  2. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
                  Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

                  Next steps: We are working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  June 11, 2019
                  KB4503273
                  Mitigated
                  Last updated:
                  July 10, 2019
                  02:59 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503273 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512499.

                  Back to top
                  June 11, 2019
                  KB4503273
                  Resolved
                  KB4512499
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  "
diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml
index 5d1e15e515..055acb57ff 100644
--- a/windows/release-information/status-windows-server-2012.yml
+++ b/windows/release-information/status-windows-server-2012.yml
@@ -60,8 +60,9 @@ sections: - type: markdown text: "
                  This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

                  + + -
                  SummaryOriginating updateStatusLast updated
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  June 11, 2019
                  KB4503285
                  Resolved
                  KB4512512
                  August 17, 2019
                  02:00 PM PT
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

                  See details >
                  August 13, 2019
                  KB4512518
                  Resolved
                  KB4517302
                  August 16, 2019
                  02:00 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

                  See details >
                  June 11, 2019
                  KB4503285
                  Resolved External
                  August 09, 2019
                  07:03 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

                  See details >
                  June 11, 2019
                  KB4503285
                  Mitigated
                  July 10, 2019
                  07:09 PM PT
                  Japanese IME doesn't show the new Japanese Era name as a text input option
                  If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.

                  See details >
                  April 25, 2019
                  KB4493462
                  Mitigated
                  May 15, 2019
                  05:53 PM PT
                  Certain operations performed on a Cluster Shared Volume may fail
                  Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

                  See details >
                  January 08, 2019
                  KB4480975
                  Mitigated
                  April 25, 2019
                  02:00 PM PT
                  @@ -79,6 +80,7 @@ sections: - type: markdown text: " +
                  DetailsOriginating updateStatusHistory
                  Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
                  After installing KB4512518, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: This issue was resolved in KB4517302. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

                  Back to top
                  August 13, 2019
                  KB4512518
                  Resolved
                  KB4517302
                  Resolved:
                  August 16, 2019
                  02:00 PM PT

                  Opened:
                  August 14, 2019
                  03:34 PM PT
                  MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
                  You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503285) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

                  Affected platforms:
                  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
                  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
                  Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

                  Back to top
                  June 11, 2019
                  KB4503285
                  Resolved External
                  Last updated:
                  August 09, 2019
                  07:03 PM PT

                  Opened:
                  August 09, 2019
                  04:25 PM PT
                  " @@ -88,7 +90,7 @@ sections: - type: markdown text: " - +
                  DetailsOriginating updateStatusHistory
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503285 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Workaround:
                  To mitigate this issue on an SCCM server:
                  1. Verify Variable Window Extension is enabled.
                  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
                  Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

                  To mitigate this issue on a WDS server without SCCM:
                  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
                  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
                  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
                  Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

                  Next steps: We are working on a resolution and will provide an update in an upcoming release.

                  Back to top
                  June 11, 2019
                  KB4503285
                  Mitigated
                  Last updated:
                  July 10, 2019
                  07:09 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  Devices starting using PXE from a WDS or SCCM servers may fail to start
                  Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503285 on a WDS server.

                  Affected platforms:
                  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
                  Resolution: This issue was resolved in KB4512512.

                  Back to top
                  June 11, 2019
                  KB4503285
                  Resolved
                  KB4512512
                  Resolved:
                  August 17, 2019
                  02:00 PM PT

                  Opened:
                  July 10, 2019
                  02:51 PM PT
                  " diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 85c3bf144d..0ff0106922 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -50,10 +50,12 @@ sections: text: " + + + - - + @@ -78,8 +80,8 @@ Given the potential impact to customers and their businesses, we have also relea diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index e50ae1fdfb..b9b11df607 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -16,7 +16,7 @@ ms.date: 08/17/2017 ms.reviewer: --- -# Windows Defender Credential Guard: Known issues +# Windows Defender Credential Guard: Known issues **Applies to** - Windows 10 diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 60e829af0c..4563787217 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md 
@@ -38,7 +38,7 @@ A new Active Directory Federation Services farm should have a minimum of two fed
 Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing.
-## Update Windows Server 2016
+## Update Windows Server 2016
 Sign-in the federation server with _local admin_ equivalent credentials.
 1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
deleted file mode 100644
index 30b809ce8c..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
+++ /dev/null
@@ -1,549 +0,0 @@
----
-title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business)
-description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
-author: mapalko
-ms.author: mapalko
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 08/19/2018
-ms.reviewer:
----
-# Configure or Deploy Multifactor Authentication Services
-
-**Applies to**
-- Windows 10, version 1703 or later
-- On-premises deployment
-- Certificate trust
-
-
-On-premises deployments must use an on-premises MFA Server that provides an AD FS Multifactor authentication adapter. It can be an Azure Multi-Factor Authentication Server or a third-party MFA solution.
-
->[!TIP]
->Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further.
-
-## Prerequisites
-
-The Azure MFA Server and User Portal servers have several prerequisites and must have connectivity to the Internet.
-
-### Primary MFA Server
-
-The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers.
-
-For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server.
-
-The primary MFA server is also responsible for synchronizing from Active Directory.
Therefore, the primary MFA server should be domain joined and fully patched.
-
-#### Enroll for Server Authentication
-
-The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate.
-
-Sign-in the primary MFA server with _domain admin_ equivalent credentials.
-1. Start the Local Computer **Certificate Manager** (certlm.msc).
-2. Expand the **Personal** node in the navigation pane.
-3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
-4. Click **Next** on the **Before You Begin** page.
-5. Click **Next** on the **Select Certificate Enrollment Policy** page.
-6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
-7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link.
-8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished.
-9. Click **Enroll**.
-
-A server authentication certificate should appear in the computer’s Personal certificate store.
-
-#### Install the Web Server Role
-
-The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile Application server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role.
-
-To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use.
-
-The following services are required:
-* Common Parameters > Default Document.
-* Common Parameters > Directory Browsing.
-* Common Parameters > HTTP Errors.
-* Common Parameters > Static Content.
-* Health and Diagnostics > HTTP Logging.
-* Performance > Static Content Compression.
-* Security > Request Filtering.
-* Security > Basic Authentication.
-* Management Tools > IIS Management Console.
-* Management Tools > IIS 6 Management Compatibility.
-* Application Development > ASP.NET 4.5.
-
-#### Update the Server
-
-Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated.
-
-#### Configure the IIS Server Certificate
-
-The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate.
-
-Sign in the primary MFA server with _administrator_ equivalent credentials.
-1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console
-2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**.
-3. In the **Actions** pane, click **Bindings**.
-4. In the **Site Bindings** dialog, Click **Add**.
-5.
In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer.
-6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**.
-
-#### Configure the Web Service’s Security
-
-The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the **Phonefactor Admins** security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile Application servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the **Phonefactor Admins** security group.
-
-Sign in the domain controller with _domain administrator_ equivalent credentials.
-
-##### Create Phonefactor Admin group
-
-1. Open **Active Directory Users and Computers**
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**.
-3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name.
-4. Click **OK**.
-
-##### Add accounts to the Phonefactor Admins group
-
-1. Open **Active Directory Users and Computers**.
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactor Admins** security group and select **Properties**.
-3. Click the **Members** tab.
-4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**.
- * The computer account for the primary MFA Server
- * Group or user account that will manage the User Portal server.
-
-
-#### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
-* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names.
- * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the:
- * Certificate serial number
- * Certificate thumbprint
- * Common name of the certificate
- * Subject alternate name of the certificate
- * Name of the physical host server
- * The issued date
- * The expiration date
- * Issuing CA Vendor (if a third-party certificate)
-
-* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc).
-* Confirm the host has all the available updates from Windows Update.
-* Confirm you bound the server authentication certificate to the IIS web site.
-* Confirm you created the Phonefactor Admins group.
-* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal.
-
-### User Portal Server
-
-The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal.
User Portal Administrators may be set up and granted permission to add new users and update existing users.
-
-The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design.
-
-#### Enroll for Server Authentication
-
-Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers.
-
-For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server.
-
-Sign-in the User Portal server with _domain admin_ equivalent credentials.
-1. Start the Local Computer **Certificate Manager** (certlm.msc).
-2. Expand the **Personal** node in the navigation pane.
-3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
-4. Click **Next** on the **Before You Begin** page.
-5. Click **Next** on the **Select Certificate Enrollment Policy** page.
-6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
-7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link.
-8. Under **Subject name**, select **Common Name** from the **Type** list.
Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com).
-9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com).
-10. Click **Add**. Click **OK** when finished.
-11. Click **Enroll**.
-
-A server authentication certificate should appear in the computer’s Personal certificate store.
-
-#### Install the Web Server Role
-
-To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not require this.
-
-#### Update the Server
-
-Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated.
-
-#### Set the IIS Server Certificate
-
-To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server-certificate) section.
-
-#### Create WebServices SDK user account
-
-The User Portal and Mobile Application web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server.
-
-1. Open **Active Directory Users and Computers**.
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**.
-3.
In the **New Object – User** dialog box, type **PFWSDK_\** in the **First name** and **User logon name** boxes, where *\* is the name of the primary MFA server running the Web Services SDK. Click **Next**.
-4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account.
-
-#### Add the MFA SDK user account to the Phonefactor Admins group
-
-Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK.
-
-1. Open **Active Directory Users and Computers**.
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactor Admins** security group and select Properties.
-3. Click the Members tab.
-4. Click **Add**. Click **Object Types..** Type the PFWSDK_\ user name in the **Enter the object names to select** box and then click **OK**.
- * The computer account for the primary MFA Server
- * The Webservices SDK user account
- * Group or user account that will manage the User Portal server.
-
-
-#### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
-* Confirm the hosts of the user portal are properly configure for load balancing and high-availability.
-* Confirm the hosts of the user portal have enrolled a server authentication certificate with the proper names.
- * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the:
- * Certificate serial number
- * Certificate thumbprint
- * Common name of the certificate
- * Subject alternate name of the certificate
- * Name of the physical host server
- * The issued date
- * The expiration date
- * Issuing CA Vendor (if a third-party certificate)
-
-* Confirm the Web Server Role was properly configured on all servers.
-* Confirm all the hosts have the latest updates from Windows Update.
-* Confirm you created the web service SDK domain account and the account is a member of the Phonefactor Admins group.
-
-## Installing Primary Azure MFA Server
-
-When you install Azure Multi-Factor Authentication Server, you have the following options:
-1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS
-2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments)
-
-See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12) to view detailed installation and configuration options.
-
-Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server.
-
->[!IMPORTANT]
->Only follow the above mention article to install Azure MFA Server.
Once it is intstalled, continue configuration using this article.
-
-### Configuring Company Settings
-
-You need to configure the MFA server with the default settings it applies to each user account when it is imported or synchronized from Active Directory.
-
-Sign-in the primary MFA server with MFA _administrator_ equivalent credentials.
-1. Start the **Multi-Factor Server** application
-2. Click **Company Settings**.
-3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list.
-4. In **User defaults**, select **Phone Call** or **Text Message**
- **Note:** You can use the mobile application; however, the configuration is beyond the scope of this document. Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile application multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help.
-5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge.
-6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration.
-7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal.
-8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists.
-9.
Under default PIN rules, Select the User can change PIN check box to enable users to change their PIN during multi-factor authentication and through the user portal.
-10. Configure the minimum length for the PIN.
-11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN.
-12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid.
-13. Select the **PIN history** check box if you want to remember previously used PINs for the user. PIN History stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN History is stored. The default value is 5 and range is 1 to 10.
-
-![Azure MFA Server Company settings configured](images/hello-mfa-company-settings.png)
-
-### Configuring Email Settings and Content
-
-If you are deploying in a lab or proof-of-concept, then you have the option of skipping this step. In a production environment, ideally, you’ll want to setup the Azure Multifactor Authentication Server and its user portal web interface prior to sending the email. The email gives your users time to visit the user portal and configure the multi-factor settings.
-
-Now that you have imported or synchronized with your Azure Multi-Factor Authentication server, it is advised that you send your users an email that informs them that they have been enrolled in multi-factor authentication.
-
-With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication.
For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on.
-
-The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile application). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication.
-
-If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile application for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal.
-
-#### Settings
-
-By clicking the email icon on the left you can setup the settings for sending these emails. This is where you can enter the SMTP information of your mail server and it allows you to send a blanket wide email by adding a check to the Send mails to users check box.
-
-#### Content
-
-On the Email Content tab, you will see all of the various email templates that are available to choose from.
So, depending on how you have configured your users to use multi-factor authentication, you can choose the template that best suits you.
-
-##### Edit the Content Settings
-
-The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab.
-
-Sign-in the primary MFA server with MFA _administrator_ equivalent credentials.
-1. Open the **Multi-Factor Authentication Server** console.
-2. Click **Email** from the list of icons and click the **Email Content** tab.
-3. Select an email template from the list of templates. Click **Edit**.
-4. In the **Edit Email** dialog, in the **From** text box, type the email address of the person or group that should appear to have sent the email.
- ![Edit email dialog within content settings](images/hello-mfa-content-edit-email.png)
-
-5. Optionally, customize other options in the email template.
-6. When finished editing the template, Click **Apply**.
-7. Click **Next** to move to the next email in the list. Repeat steps 4 and 6 to edit the changes.
-8. Click **Close** when you are done editing the email templates.
-
-### Configuring Directory Integration Settings and Synchronization
-
-Synchronization keeps the Multi-Factor Authentication user database synchronized with the users in Active Directory or another LDAP Lightweight Directory Access Protocol directory. The process is similar to Importing Users from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also provides for disabling or removing users removed from a container or security group and removing users deleted from Active Directory.
-
-It is important to use a different group memberships for synchronizing users from Active Directory and for enabling Windows Hello for Business.
Keeping the group memberships separated enables you to synchronize users and configure MFA options without immediately deploying Windows Hello for Business to that user. This deployment approach provides the maximum flexibility, which gives users the ability to configure their settings before they provision Windows Hello for Business. To start provisioning, simply add the group used for synchronization to the Windows Hello for Business Users group (or equivalent if you use custom names).
-
-#### MultiFactorAuthAdSync Service
-
-The MultiFactorAuthAdSync service is a Windows service that performs the periodic polling of Active Directory. It is installed in a Stopped state and is started by the MultiFactorAuth service when configured to run. If you have a multi-server Multi-Factor Authentication configuration, the MultiFactorAuthAdSync may only be run on a single server.
-
-The MultiFactorAuthAdSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The MultiFactorAuthAdSync service is configured to run as LocalSystem by default. Therefore, it is simplest to run the service on a domain controller. The service can run as an account with lesser permissions if you configure it to always perform a full synchronization. This is less efficient, but requires less account privileges.
-
-#### Settings
-
-Configuring the directory synchronization between Active Directory and the Azure MFA server is easy.
-
-Sign in the primary MFA server with _MFA administrator_ equivalent credentials.
-1. Open the **Multi-Factor Authentication Server** console.
-2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon.
-3. Click the **Synchronization** tab.
-4.
Select **Use Active Directory**.
-5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the check box to improve performance.
-
-#### Synchronization
-
-The MFA server uses synchronization items to synchronize users from Active Directory to the MFA server database. Synchronization items enables you to synchronize a collection of users based security groups or Active Directory containers.
-
-You can configure synchronization items based on different criteria and filters. For the purpose of configuring Windows Hello for Business, you need to create a synchronization item based membership of the Windows Hello for Business user group. This ensures the same users who receive Windows Hello for Business policy settings are the same users synchronized to the MFA server (and are the same users with permission to enroll in the certificate). This significantly simplifies deployment and troubleshooting.
-
-See [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint) for more details.
-
-##### To add a synchronization item
-
-Sign in the primary MFA server with _MFA administrator_ equivalent credentials.
-1. Open the **Multi-Factor Authentication Server** console.
-2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon.
-3. Select the **Synchronization** tab.
-4. On the **Synchronization** tab, click **Add**.
- ![Azure MFA Server - add synchronization item screen](images/hello-mfa-sync-item.png)
-
-5. In the **Add Synchronization Item** dialog, select **Security Groups** from the **View** list.
-6.
Select the group you are using for replication from the list of groups
-7. Select **Selected Security Groups – Recursive** or, select **Security Group** from the **Import** list if you do not plan to nest groups.
-8. Select **Add new users and Update existing users**.
-9. Select **Disable/Remove users no longer a member** and select **Disable** from the list.
-10. Select the attributes appropriate for your environment for **Import phone** and **Backup**.
-11. Select **Enabled** and select **Only New Users with Phone Number** from the list.
-12. Select **Send email** and select **New and Updated Users**.
-
-##### Configure synchronization item defaults
-
-1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Method Defaults** tab.
-2. Select the default second factor authentication method. For example, if the second factor of authentication is a text message, select **Text message**. Select if the direction of text message authentication and if the authentication should use a one-time password or one-time password and PIN (Ensure users are configured to create a PIN if the default second factor of communication requires a PIN).
-
-##### Configure synchronization language defaults
-
-1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Language Defaults** tab.
-2. Select the appropriate default language for these groups of users synchronized by these synchronization item.
-3. If creating a new synchronization item, click **Add** to save the item. If editing an existing synchronization item, click **Apply** and then click **Close**.
-
->[!TIP]
->For more information on these settings and the behaviors they control, see [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint).
-
-### Installing the MFA Web Services SDK
-
-The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK. The Web Service SDK is an IIS (Internet Information Server) web service that provides an interface for integrating the full features of the Multi-Factor Authentication Server into most any application. The Web Service SDK uses the Multi-Factor Authentication Server as the data store.
-
-Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed.
-
-Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to install the MFA Web Services SDK.
-
-## Install Secondary MFA Servers
-
-Additional MFA servers provided redundancy of the MFA configuration. The MFA server models uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group. The primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers, for example you can create a group for each domain, forest, or organizational unit.
-
-Follow the same procedures for installing the primary MFA server software for each additional server. Remember that each server must be activated.
-
-Sign in the secondary MFA server with _domain administrator_ equivalent credentials.
-1. Once the Multi-Factor Authentication Server console starts, you must configure the current server’s replication group membership.
You have the option to join an existing group or create a new group. When joining an existing group, the server becomes a secondary server in the existing replication group. When creating a new group, the server becomes the primary server of that replication group. Click **OK**.
- **Note:** Group membership cannot be changed after activation. If a server was joined to the wrong group, it must be activated again to join a different group. Please contact support for assistance with deactivating and reactivating a server.
-2. The console asks you if you want to enable replication by running the **Multi-Server Configuration Wizard**. Click **Yes**.
-3. In the **Multi-Server Configuration Wizard**, leave **Active Directory** selected and clear **Certificates**. Click **Next**.
-4. On the **Active Directory** page, the wizard determines what configuration is needed to enable replication. Typically, the wizard recommends adding the computer account for the current server to the **PhoneFactor Admin** group. Click **Next** to add the computer account to the group.
-5. On the **Multi-Server Configuration Complete** page, click **Finish** to reboot the computer to update its group membership.
-
-### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm you downloaded the latest Azure MFA Server from the Azure Portal.
-* Confirm the server has Internet connectivity.
-* Confirm you installed and activated the Azure MFA Server.
-* Confirm your Azure MFA Server configuration meets your organization’s needs (Company Settings, Email Settings, etc).
-* Confirm you created Directory Synchronization items based on your deployment to synchronize users from Active Directory to the Azure MFA server.
- * For example, you have security groups representing each collection of users that represent a phase of your deployment and a corresponding synchronization item for each of those groups. 
-
-* Confirm the Azure MFA server properly communicates with the Azure MFA cloud service by testing multifactor authentication with a newly synchronized user account.
-* Confirm you installed the Web Service SDK on the primary MFA server.
-* Confirm your MFA servers have adequate redundancy, should you need to promote a secondary server to the primary server.
-
-
-## Installing the User Portal Server
-
-You previously configured the User Portal settings on the primary MFA server. The User Portal web application communicates to the primary MFA server using the Web Services SDK to retrieve these settings. This configuration is ideal to ensure you can scale up the User Portal application to meet the needs of your internal users.
-
-### Copying the User Portal Installation file
-
-Sign in the primary MFA server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer.
-2. Browse to the C:\Program Files\MultiFactor Authentication Server folder.
-3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server.
-
-### Configure Virtual Directory name
-
-Sign in the User Portal server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer and browse to the folder to which you saved the installation file from the previous step.
-2. Run the **MultiFactorAuthenticationUserPortalSetup64.msi**. The installation package asks if you want to download **Visual Studio C++ Redistributable for Visual Studio 2015**. Click **Yes**. When prompted, select **Save As**. The downloaded file is missing its file extension. **Save the file with a .exe extension and install the runtime**.
-3. Run the installation package again. The installer package asks about the C++ runtime again; however, this is for the X64 version (the previous prompt was for x86). Click **Yes** to download the installation package and select **Save As** so you can save the downloaded file with a .exe extension. **Install** the run time.
-4. 
Run the User Portal installation package. On the **Select Installation Address** page, use the default settings for **Site** and **Application Pool** settings. You can modify the Virtual directory to use a name that is more fitting for the environment, such as **mfa** (This virtual directory must match the virtual directory specified in the User Portal settings). Click **Next**.
-5. Click **Close**.
-
-### Edit MFA User Portal config file
-
-Sign in the User Portal server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file.
-2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**.
-3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username.
-4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group.
-5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made.
-
-### Create a DNS entry for the User Portal web site
-
-Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials.
-1. 
Open the **DNS Management** console.
-2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**.
-3. In the navigation pane, select the node that has the name of your internal Active Directory domain name.
-4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**.
-5. In the **name** box, type the host name of the User Portal, such as *mfaweb* (this name must match the name of the certificate used to secure communication to the User Portal). In the IP address box, type the load balanced **IP address** of the User Portal. Click **Add Host**.
-6. Close the **DNS Management** console.
-
-### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm the user portal application is properly installed on all user portal hosts
-* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true.
-* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME
-* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account.
-* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server.
-* Confirm you saved the changes to the web.config file.
-
-### Validating your work
-
-Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase.
-
-Using a web browser, navigate to the URL provided in the *pf_up_pfwssdk_PfWsSdk* named value in the web.config file of any one of the user portal servers. 
The URL should be protected by a server authentication certificate and should prompt you for authentication. Authenticate to the web site using the username and password provided in the web.config file. Successful authentication and page view confirms the Web SDK configured on the primary MFA server is correctly configured and ready to work with the user portal.
-
-### Configuring the User Portal
-
-The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal.
-User Portal Administrators may be set up and granted permission to add new users and update existing users.
-
-#### Settings
-
-Sign in the primary MFA server with _MFA administrator_ equivalent credentials.
-1. Open the Multi-Factor Authentication Server console.
-2. From the Multi-Factor Authentication Server window, click the User Portal icon.
- ![Azure MFA Server - User Portal settings](images/hello-mfa-user-portal-settings.png)
-
-3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`.
-The Multi-Factor Authentication Server uses this information when sending emails to users.
-4. Select Allow users to log in and Allow user enrollment check boxes.
-5. Select Allow users to select method. 
Select Phone call and select Text message (you can select Mobile application later once you have deployed the Mobile application web service). Select Automatically trigger user’s default method.
-6. Select Allow users to select language.
-7. Select Use security questions for fallback and select 4 from the Questions to answer list.
-
->[!TIP]
->For more information on these settings and the behaviors they control, see [Deploy the user portal for the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal).
-
-#### Administrators
-
-The User Portal Settings tab allows the administrator to install and configure the User Portal.
-1. Open the Multi-Factor Authentication Server console.
-2. From the Multi-Factor Authentication Server window, click the User Portal icon.
-3. On the Administrators tab, Click Add
-4. In the Add Administrator dialog, Click Select User… to pick a user to install and manage the User Portal. Use the default permissions.
-5. Click Add.
-
->[!TIP]
->For more information on these settings and the behaviors they control, read the **Multi-Factor Authentication Server Help content**.
-
-#### Security Questions
-
-[Security questions](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#security-questions) for the User Portal may be customized to meet your requirements. The questions defined here will be offered as options for each of the four security questions a user is prompted to configure during their first log on to User Portal. The order of the questions is important since the first four items in the list will be used as defaults for the four security questions. 
-
-#### Trusted IPs
-
-The [Trusted IPs](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#trusted-ips) tab allows you to skip Multi-Factor Authentication for User Portal log ins originating from specific IPs. For example, if users use the User Portal from the office and from home, you may decide you don't want their phones ringing for Multi-Factor Authentication while at the office. For this, you would specify the office subnet as a trusted IP entry.
-
-## Configure the AD FS Server to use the MFA for multifactor authentication
-
-You need to configure the AD FS server to use the MFA server. You do this by Installing the MFA Adapter on the primary AD FS Server.
-
-### Install the MFA AD FS Adapter
-
-Follow [Install a standalone instance of the AD FS adapter by using the Web Service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12#install-a-standalone-instance-of-the-ad-fs-adapter-by-using-the-web-service-sdk). You should follow this instructions on all AD FS servers. You can find the files needed on the MFA server.
-
-### Edit the MFA AD FS Adapter config file on all ADFS Servers
-
-Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file.
-2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**.
-3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username.
-4. 
Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group.
-5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “ to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made.
-
-### Edit the AD FS Adapter Windows PowerShell cmdlet
-
-Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-
-Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **\** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
-
-### Run the AD FS Adapter PowerShell cmdlet
-
-Sign in the primary AD FS server with local administrator equivalent credentials.
-
-Run **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script in PowerShell to register the adapter. The adapter is registered as **WindowsAzureMultiFactorAuthentication**.
-
->[!NOTE]
->You must restart the AD FS service for the registration to take effect.
-
-### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm the user portal application is properly installed on all user portal hosts
-* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. 
-* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME
-* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account.
-* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server.
-* Confirm you saved the changes to the web.config file.
-* Confirm you restarted the AD FS Service after completing the configuration.
-
-## Test Multifactor Authentication
-
-Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. The AD FS and Azure Multi-Factor Authentication server configurations are complete.
-
-1. In the **Multi-Factor Authentication** server, on the left, click **Users**.
-2. In the list of users, select a user that is enabled and has a valid phone number to which you have access.
-3. Click **Test**.
-4. In the **Test User** dialog, provide the user’s password to authenticate the user to Active Directory.
-
-The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog.
-
-
-## Follow the Windows Hello for Business on premises certificate trust deployment guide
-1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
-2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
-3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
-4. 
[Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index 13beb24a52..ff7f5deec6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -16,36 +16,19 @@ localizationpriority: medium
 ms.date: 08/19/2018
 ms.reviewer:
 ---
-# Validate and Deploy Multifactor Authentication Services (MFA)
+# Validate and Deploy Multi-factor Authentication (MFA)
 **Applies to**
-- Windows 10, version 1703 or later
-- On-premises deployment
-- Certificate trust
+- Windows 10, version 1703 or later
+- On-premises deployment
+- Certificate trust
-Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory.
+Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
-Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected.
-* **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks.
-* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom applications. This protection is even extended to your high-volume, mission-critical scenarios.
-* **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards. 
-* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification.
+For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](https://docs.microsoft.com/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
-## On-Premises Azure MFA Server
-
-On-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory.
-
-### Infrastructure
-
-A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing.
-
-Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server.
-
->[!IMPORTANT]
->Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. 
Do not use installation instructions provided in the article.
-
-Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md).
+Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-authentication-policies).
 ## Follow the Windows Hello for Business on premises certificate trust deployment guide
 1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index 48fdad4ba0..2e79df76db 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -85,8 +85,8 @@ Sign-in to a certificate authority or management workstations with _Enterprise A
 3. In the **Certificate Templates Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**.
 4. Click the **Superseded Templates** tab. Click **Add**.
 5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**.
-6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **Add**.
-7. From the **Add Superseded Template** dialog, select the **Kerberos Authentication** certificate template and click **Add**.
+6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. Click **Add**.
+7. From the **Add Superseded Template** dialog, select the **Kerberos Authentication** certificate template and click **OK**. Click **Add**.
 8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab.
 9. Click **OK** and close the **Certificate Templates** console.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 26b5607798..f32db55329 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -71,7 +71,7 @@ Azure AD Join is intended for organizations that desire to be cloud-first or clo
 [Join Type](#join-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)
 ### More information
- - [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction).
+- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction).
 [Return to Top](hello-how-it-works-technology.md)
 ## Azure AD Registered
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 847bbfdf0e..d1c11a2a8c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -309,13 +309,13 @@ Sign-in a workstation with access equivalent to a _domain user_.
 ![Intune Windows Hello for Business policy settings](images/aadj/IntuneWHFBPolicy-01.png)
 11. Select the appropriate configuration for the following settings.
- * **Lowercase letters in PIN**
- * **Uppercase letters in PIN**
- * **Special characters in PIN**
- * **PIN expiration (days)**
- * **Remember PIN history**
- > [!NOTE]
- > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
+ * **Lowercase letters in PIN**
+ * **Uppercase letters in PIN**
+ * **Special characters in PIN**
+ * **PIN expiration (days)**
+ * **Remember PIN history**
+ > [!NOTE]
+ > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. 
If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
 12. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**.
 13. Select **No** to **Allow phone sign-in**. This feature has been deprecated.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 73c0ca23ab..8eb13e3cb1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -535,7 +535,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 1. Sign-in to the [Azure Portal](https://portal.azure.com/).
 2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
 ![Microsoft Intune Console](images/aadjcert/microsoftintuneconsole.png)
-3. Select **Device Configuration**, and then select **Certificate Authority**.
+3. Select **Device Configuration**, and then select **Certificate Connectors**.
 ![Intune Certificate Authority](images/aadjcert/intunedeviceconfigurationcertauthority.png)
 4. Click **Add**, and then click **Download the certificate connector software** under the **Steps to install connector for SCEP** section.
 ![Intune Download Certificate connector](images/aadjcert/intunedownloadcertconnector.png)
@@ -610,7 +610,7 @@ Sign-in the NDES server with access equivalent to _domain admin_.
 1. Open a command prompt.
 2. Type the following command to confirm the NDES Connector's last connection time is current.
                  -```reg query hklm\software\Micosoft\MicrosoftIntune\NDESConnector\ConnectionStatus```
                  +```reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus```
                  3. Close the command prompt. 4. Open **Internet Explorer**. 5. In the navigation bar, type
@@ -636,7 +636,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**.
 9. Click **Create**.
-### Create a SCEP Certificte Profile
+### Create a SCEP Certificate Profile
 Sign-in a workstation with access equivalent to a _domain user_.
 1. Sign-in to the [Azure Portal](https://portal.azure.com/).
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 1629f3eb9a..1cf7fcb2cd 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -114,7 +114,7 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e
 1. Open the **Certificate Authority** management console.
 2. Right-click **Certificate Templates** and click **Manage**.
-3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**.
+3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent (Offline request)** template in the details pane and click **Duplicate Template**.
 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index cdc50b7691..1f4f6b976d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -19,11 +19,11 @@ ms.reviewer: # Hybrid Azure AD joined Key Trust Deployment **Applies to** -- Windows 10, version 1703 or later -- Hybrid deployment -- Key trust - +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust + Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). 
@@ -31,10 +31,11 @@ It is recommended that you review the Windows Hello for Business planning guide This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. ## New Deployment Baseline ## + The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. - + This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. - + Your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. > [!div class="nextstepaction"]
@@ -42,9 +43,8 @@ Your next step is to familiarize yourself with the prerequisites needed for the

                  -
                  - ## Follow the Windows Hello for Business hybrid key trust deployment guide + 1. Overview (*You are here*) 2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index 161c10f243..a6364bad59 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -38,7 +38,7 @@ A new Active Directory Federation Services farm should have a minimum of two fed Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. -## Update Windows Server 2016 +## Update Windows Server 2016 Sign-in the federation server with _local admin_ equivalent credentials. 1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please review the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
deleted file mode 100644
index b2c377057f..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
+++ /dev/null
@@ -1,549 +0,0 @@ ---- -title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business) -description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: mapalko -ms.author: mapalko -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 -ms.reviewer: ---- -# Configure or Deploy Multifactor Authentication Services - -**Applies to** -- Windows 10, version 1703 or later -- On-premises deployment -- Key trust - - -On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. - ->[!TIP] ->Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further. - -## Prerequisites - -The Azure MFA Server and User Portal servers have several perquisites and must have connectivity to the Internet. - -### Primary MFA Server - -The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. - -For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server. - -The primary MFA server is also responsible for synchronizing from Active Directory. 
Therefore, the primary MFA server should be domain joined and fully patched. - -#### Enroll for Server Authentication - -The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate. - -Sign-in the primary MFA server with _domain admin_ equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished. -9. Click **Enroll**. - -A server authentication certificate should appear in the computer’s Personal certificate store. - -#### Install the Web Server Role - -The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile Application server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. 
- -To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use. - -The following services are required: -* Common Parameters > Default Document. -* Common Parameters > Directory Browsing. -* Common Parameters > HTTP Errors. -* Common Parameters > Static Content. -* Health and Diagnostics > HTTP Logging. -* Performance > Static Content Compression. -* Security > Request Filtering. -* Security > Basic Authentication. -* Management Tools > IIS Management Console. -* Management Tools > IIS 6 Management Compatibility. -* Application Development > ASP.NET 4.5. - -#### Update the Server - -Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. - -#### Configure the IIS Server’s Certificate - -The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate. - -Sign in the primary MFA server with _administrator_ equivalent credentials. -1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console -2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**. -3. In the **Actions** pane, click **Bindings**. -4. In the **Site Bindings** dialog, Click **Add**. -5. 
In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer. -6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**. - -#### Configure the Web Service’s Security - -The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile Application servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. - -Sign in the domain controller with _domain administrator_ equivalent credentials. - -##### Create Phonefactor Admin group - -1. Open **Active Directory Users and Computers** -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**. -3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name. -4. Click **OK**. - -##### Add accounts to the Phonefactor Admins group - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactor Admins** security group and select **Properties**. -3. Click the **Members** tab. -4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**. 
- * The computer account for the primary MFA Server - * Group or user account that will manage the User Portal server. - - -#### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names. - * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) - -* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc). -* Confirm the host has all the available updates from Windows Update. -* Confirm you bound the server authentication certificate to the IIS web site. -* Confirm you created the Phonefactor Admins group. -* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal. - -### User Portal Server - -The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. 
User Portal Administrators may be set up and granted permission to add new users and update existing users. - -The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design. - -#### Enroll for Server Authentication - -Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers. - -For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server. - -Sign-in the User Portal server with _domain admin_ equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. -8. Under **Subject name**, select **Common Name** from the **Type** list. 
Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com). -9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com). -10. Click **Add**. Click **OK** when finished. -11. Click **Enroll**. - -A server authentication certificate should appear in the computer’s Personal certificate store. - -#### Install the Web Server Role - -To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not require this. - -#### Update the Server - -Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. - -#### Configure the IIS Server’s Certificate - -To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-servers-certificate) section. - -#### Create WebServices SDK user account - -The User Portal and Mobile Application web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**. -3. 
In the **New Object – User** dialog box, type **PFWSDK_\** in the **First name** and **User logon name** boxes, where *\* is the name of the primary MFA server running the Web Services SDK. Click **Next**. -4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account. - -#### Add the MFA SDK user account to the Phonefactor Admins group - -Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK. - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties. -3. Click the Members tab. -4. Click **Add**. Click **Object Types..** Type the PFWSDK_\ user name in the **Enter the object names to select** box and then click **OK**. - * The computer account for the primary MFA Server - * The Webservices SDK user account - * Group or user account that will manage the User Portal server. - - -#### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -* Confirm the hosts of the user portal are properly configure for load balancing and high-availability. -* Confirm the hosts of the user portal have enrolled a server authentication certificate with the proper names. 
- * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) - -* Confirm the Web Server Role was properly configured on all servers. -* Confirm all the hosts have the latest updates from Windows Update. -* Confirm you created the web service SDK domain account and the account is a member of the Phonefactor Admins group. - -## Installing Primary Azure MFA Server - -When you install Azure Multi-Factor Authentication Server, you have the following options: -1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS -2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments) - -See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12) to view detailed installation and configuration options. - -Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server. - ->[!IMPORTANT] ->Only follow the above mention article to install Azure MFA Server. 
Once it is installed, continue configuration using this article. - -### Configuring Company Settings - -You need to configure the MFA server with the default settings it applies to each user account when it is imported or synchronized from Active Directory. - -Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. -1. Start the **Multi-Factor Server** application -2. Click **Company Settings**. -3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list. -4. In **User defaults**, select **Phone Call** or **Text Message** - **Note:** You can use mobile application; however, the configuration is beyond the scope of this document. Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile application multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. -5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. -6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. -7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. -8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. -9. 
Under default PIN rules, Select the User can change PIN check box to enable users to change their PIN during multi-factor authentication and through the user portal. -10. Configure the minimum length for the PIN. -11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. -12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. -13. Select the **PIN history** check box if you want to remember previously used PINs for the user. PIN History stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN History is stored. The default value is 5 and range is 1 to 10. - -![Azure MFA Server Company settings configured](images/hello-mfa-company-settings.png) - -### Configuring Email Settings and Content - -If you are deploying in a lab or proof-of-concept, then you have the option of skipping this step. In a production environment, ideally, you’ll want to setup the Azure Multifactor Authentication Server and its user portal web interface prior to sending the email. The email gives your users time to visit the user portal and configure the multi-factor settings. - -Now that you have imported or synchronized with your Azure Multi-Factor Authentication server, it is advised that you send your users an email that informs them that they have been enrolled in multi-factor authentication. - -With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. 
For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on. - -The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile application). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. - -If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile application for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. - -#### Settings - -By clicking the email icon on the left you can setup the settings for sending these emails. This is where you can enter the SMTP information of your mail server and it allows you to send a blanket wide email by adding a check to the Send mails to users check box. - -#### Content - -On the Email Content tab, you will see all of the various email templates that are available to choose from. 
So, depending on how you have configured your users to use multi-factor authentication, you can choose the template that best suits you. - -##### Edit the Content Settings - -The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab. - -Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. Click **Email** from the list of icons and click the **Email Content** tab. -3. Select an email template from the list of templates. Click **Edit**. -4. In the **Edit Email** dialog, in the **From** text box, type the email address of the person or group that should appear to have sent the email. - ![Edit email dialog within content settings](images/hello-mfa-content-edit-email.png) - -5. Optionally, customize other options in the email template. -6. When finished editing the template, Click **Apply**. -7. Click **Next** to move to the next email in the list. Repeat steps 4 and 6 to edit the changes. -8. Click **Close** when you are done editing the email templates. - -### Configuring Directory Integration Settings and Synchronization - -Synchronization keeps the Multi-Factor Authentication user database synchronized with the users in Active Directory or another LDAP Lightweight Directory Access Protocol directory. The process is similar to Importing Users from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also provides for disabling or removing users removed from a container or security group and removing users deleted from Active Directory. - -It is important to use a different group memberships for synchronizing users from Active Directory and for enabling Windows Hello for Business. 
Keeping the group memberships separated enables you to synchronize users and configure MFA options without immediately deploying Windows Hello for Business to that user. This deployment approach provides the maximum flexibility, which gives users the ability to configure their settings before they provision Windows Hello for Business. To start provisioning, simply add the group used for synchronization to the Windows Hello for Business Users group (or equivalent if you use custom names). - -#### MultiFactorAuthAdSync Service - -The MultiFactorAuthAdSync service is a Windows service that performs the periodic polling of Active Directory. It is installed in a Stopped state and is started by the MultiFactorAuth service when configured to run. If you have a multi-server Multi-Factor Authentication configuration, the MultiFactorAuthAdSync may only be run on a single server. - -The MultiFactorAuthAdSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The MultiFactorAuthAdSync service is configured to run as LocalSystem by default. Therefore, it is simplest to run the service on a domain controller. The service can run as an account with lesser permissions if you configure it to always perform a full synchronization. This is less efficient, but requires less account privileges. - -#### Settings - -Configuring the directory synchronization between Active Directory and the Azure MFA server is easy. - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. -3. Click the **Synchronization** tab. -4. 
Select **Use Active Directory**. -5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the check box to improve performance. - -#### Synchronization - -The MFA server uses synchronization items to synchronize users from Active Directory to the MFA server database. Synchronization items enables you to synchronize a collection of users based security groups or Active Directory containers. - -You can configure synchronization items based on different criteria and filters. For the purpose of configuring Windows Hello for Business, you need to create a synchronization item based membership of the Windows Hello for Business user group. This ensures the same users who receive Windows Hello for Business policy settings are the same users synchronized to the MFA server (and are the same users with permission to enroll in the certificate). This significantly simplifies deployment and troubleshooting. - -See [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint) for more details. - -##### To add a synchronization item - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. -3. Select the **Synchronization** tab. -4. On the **Synchronization** tab, click **Add**. - ![Azure MFA Server - add synchronization item screen](images/hello-mfa-sync-item.png) - -5. In the **Add Synchronization Item** dialog, select **Security Groups** from the **View** list. -6. 
Select the group you are using for replication from the list of groups
-7. Select **Selected Security Groups – Recursive** or, select **Security Group** from the **Import** list if you do not plan to nest groups.
-8. Select **Add new users and Update existing users**.
-9. Select **Disable/Remove users no longer a member** and select **Disable** from the list.
-10. Select the attributes appropriate for your environment for **Import phone** and **Backup**.
-11. Select **Enabled** and select **Only New Users with Phone Number** from the list.
-12. Select **Send email** and select **New and Updated Users**.
-
-##### Configure synchronization item defaults
-
-1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Method Defaults** tab.
-2. Select the default second factor authentication method. For example, if the second factor of authentication is a text message, select **Text message**. Select if the direction of text message authentication and if the authentication should use a one-time password or one-time password and PIN (Ensure users are configured to create a PIN if the default second factor of communication requires a PIN).
-
-##### Configure synchronization language defaults
-
-1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Language Defaults** tab.
-2. Select the appropriate default language for these groups of users synchronized by these synchronization item.
-3. If creating a new synchronization item, click **Add** to save the item. If editing an existing synchronization item, click **Apply** and then click **Close**.
-
->[!TIP]
->For more information on these settings and the behaviors they control, see [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint).
-
-### Installing the MFA Web Services SDK
-
-The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK. The Web Service SDK is an IIS (Internet Information Server) web service that provides an interface for integrating the full features of the Multi-Factor Authentication Server into most any application. The Web Service SDK uses the Multi-Factor Authentication Server as the data store.
-
-Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed.
-
-Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to install the MFA Web Services SDK.
-
-## Install Secondary MFA Servers
-
-Additional MFA servers provided redundancy of the MFA configuration. The MFA server models uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group. The primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers, for example you can create a group for each domain, forest, or organizational unit.
-
-Follow the same procedures for installing the primary MFA server software for each additional server. Remember that each server must be activated.
-
-Sign in the secondary MFA server with _domain administrator_ equivalent credentials.
-1. Once the Multi-Factor Authentication Server console starts, you must configure the current server’s replication group membership.
You have the option to join an existing group or create a new group. When joining an existing group, the server becomes a secondary server in the existing replication group. When creating a new group, the server becomes the primary server of that replication group. Click **OK**.
- **Note:** Group membership cannot be changed after activation. If a server was joined to the wrong group, it must be activated again to join a different group. Please contact support for assistance with deactivating and reactivating a server.
-2. The console asks you if you want to enable replication by running the **Multi-Server Configuration Wizard**. Click **Yes**.
-3. In the **Multi-Server Configuration Wizard**, leave **Active Directory** selected and clear **Certificates**. Click **Next**.
-4. On the **Active Directory** page, the wizard determines what configuration is needed to enable replication. Typically, the wizard recommends adding the computer account for the current server to the **PhoneFactor Admin** group. Click **Next** to add the computer account to the group.
-5. On the **Multi-Server Configuration Complete** page, click **Finish** to reboot the computer to update its group membership.
-
-### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm you downloaded the latest Azure MFA Server from the Azure Portal.
-* Confirm the server has Internet connectivity.
-* Confirm you installed and activated the Azure MFA Server.
-* Confirm your Azure MFA Server configuration meets your organization’s needs (Company Settings, Email Settings, etc).
-* Confirm you created Directory Synchronization items based on your deployment to synchronize users from Active Directory to the Azure MFA server.
- * For example, you have security groups representing each collection of users that represent a phase of your deployment and a corresponding synchronization item for each of those groups.
-
-* Confirm the Azure MFA server properly communicates with the Azure MFA cloud service by testing multifactor authentication with a newly synchronized user account.
-* Confirm you installed the Web Service SDK on the primary MFA server.
-* Confirm your MFA servers have adequate redundancy, should you need to promote a secondary server to the primary server.
-
-
-## Installing the User Portal Server
-
-You previously configured the User Portal settings on the primary MFA server. The User Portal web application communicates to the primary MFA server using the Web Services SDK to retrieve these settings. This configuration is ideal to ensure you can scale up the User Portal application to meet the needs of your internal users.
-
-### Copying the User Portal Installation file
-
-Sign in the primary MFA server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer.
-2. Browse to the C:\Program Files\MultiFactor Authentication Server folder.
-3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server.
-
-### Configure Virtual Directory name
-
-Sign in the User Portal server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer and browse to the folder to which you saved the installation file from the previous step.
-2. Run the **MultiFactorAuthenticationUserPortalSetup64.msi**. The installation package asks if you want to download **Visual Studio C++ Redistributable for Visual Studio 2015**. Click **Yes**. When prompted, select **Save As**. The downloaded file is missing its file extension. **Save the file with a .exe extension and install the runtime**.
-3. Run the installation package again. The installer package asks about the C++ runtime again; however, this is for the X64 version (the previous prompt was for x86). Click **Yes** to download the installation package and select **Save As** so you can save the downloaded file with a .exe extension. **Install** the run time.
-4. 
Run the User Portal installation package. On the **Select Installation Address** page, use the default settings for **Site** and **Application Pool** settings. You can modify the Virtual directory to use a name that is more fitting for the environment, such as **mfa** (This virtual directory must match the virtual directory specified in the User Portal settings). Click **Next**.
-5. Click **Close**.
-
-### Edit MFA User Portal config file
-
-Sign in the User Portal server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file.
-2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**.
-3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username.
-4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group.
-5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made.
-
-### Create a DNS entry for the User Portal web site
-
-Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials.
-1. 
Open the **DNS Management** console.
-2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**.
-3. In the navigation pane, select the node that has the name of your internal Active Directory domain name.
-4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**.
-5. In the **name** box, type the host name of the User Portal, such as *mfaweb* (this name must match the name of the certificate used to secure communication to the User Portal). In the IP address box, type the load balanced **IP address** of the User Portal. Click **Add Host**.
-6. Close the **DNS Management** console.
-
-### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm the user portal application is properly installed on all user portal hosts
-* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true.
-* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME
-* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account.
-* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server.
-* Confirm you saved the changes to the web.config file.
-
-### Validating your work
-
-Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase.
-
-Using a web browser, navigate to the URL provided in the *pf_up_pfwssdk_PfWsSdk* named value in the web.config file of any one of the user portal servers.
The URL should be protected by a server authentication certificate and should prompt you for authentication. Authenticate to the web site using the username and password provided in the web.config file. Successful authentication and page view confirms the Web SDK configured on the primary MFA server is correctly configured and ready to work with the user portal.
-
-### Configuring the User Portal
-
-The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal.
-User Portal Administrators may be set up and granted permission to add new users and update existing users.
-
-#### Settings
-
-Sign in the primary MFA server with _MFA administrator_ equivalent credentials.
-1. Open the Multi-Factor Authentication Server console.
-2. From the Multi-Factor Authentication Server window, click the User Portal icon.
- ![Azure MFA Server - User Portal settings](images/hello-mfa-user-portal-settings.png)
-
-3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`.
-The Multi-Factor Authentication Server uses this information when sending emails to users.
-4. Select Allow users to log in and Allow user enrollment check boxes.
-5. Select Allow users to select method. 
Select Phone call and select Text message (you can select Mobile application later once you have deployed the Mobile application web service). Select Automatically trigger user’s default method.
-6. Select Allow users to select language.
-7. Select Use security questions for fallback and select 4 from the Questions to answer list.
-
->[!TIP]
->For more information on these settings and the behaviors they control, see [Deploy the user portal for the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal).
-
-#### Administrators
-
-The User Portal Settings tab allows the administrator to install and configure the User Portal.
-1. Open the Multi-Factor Authentication Server console.
-2. From the Multi-Factor Authentication Server window, click the User Portal icon.
-3. On the Administrators tab, Click Add
-4. In the Add Administrator dialog, Click Select User… to pick a user to install and manage the User Portal. Use the default permissions.
-5. Click Add.
-
->[!TIP]
->For more information on these settings and the behaviors they control, read the **Multi-Factor Authentication Server Help content**.
-
-#### Security Questions
-
-[Security questions](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#security-questions) for the User Portal may be customized to meet your requirements. The questions defined here will be offered as options for each of the four security questions a user is prompted to configure during their first log on to User Portal. The order of the questions is important since the first four items in the list will be used as defaults for the four security questions.
-
-#### Trusted IPs
-
-The [Trusted IPs](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#trusted-ips) tab allows you to skip Multi-Factor Authentication for User Portal log ins originating from specific IPs. For example, if users use the User Portal from the office and from home, you may decide you don't want their phones ringing for Multi-Factor Authentication while at the office. For this, you would specify the office subnet as a trusted IP entry.
-
-## Configure the AD FS Server to use the MFA for multifactor authentication
-
-You need to configure the AD FS server to use the MFA server. You do this by Installing the MFA Adapter on the primary AD FS Server.
-
-### Install the MFA AD FS Adapter
-
-Follow [Install a standalone instance of the AD FS adapter by using the Web Service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12#install-a-standalone-instance-of-the-ad-fs-adapter-by-using-the-web-service-sdk). You should follow this instructions on all AD FS servers. You can find the files needed on the MFA server.
-
-### Edit the MFA AD FS Adapter config file on all ADFS Servers
-
-Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file.
-2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**.
-3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username.
-4. 
Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group.
-5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “ to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made.
-
-### Edit the AD FS Adapter Windows PowerShell cmdlet
-
-Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-
-Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **\** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
-
-### Run the AD FS Adapter PowerShell cmdlet
-
-Sign in the primary AD FS server with local administrator equivalent credentials.
-
-Run **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script in PowerShell to register the adapter. The adapter is registered as **WindowsAzureMultiFactorAuthentication**.
-
->[!NOTE]
->You must restart the AD FS service for the registration to take effect.
-
-### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm the user portal application is properly installed on all user portal hosts
-* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true.
-* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME
-* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account.
-* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server.
-* Confirm you saved the changes to the web.config file.
-* Confirm you restarted the AD FS Service after completing the configuration.
-
-## Test AD FS with the Multifactor Authentication connector
-
-Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. The AD FS and Azure Multi-Factor Authentication server configurations are complete.
-
-1. In the **Multi-Factor Authentication** server, on the left, click **Users**.
-2. In the list of users, select a user that is enabled and has a valid phone number to which you have access.
-3. Click **Test**.
-4. In the **Test User** dialog, provide the user’s password to authenticate the user to Active Directory.
-
-The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog.
-
-
-## Follow the Windows Hello for Business on premises certificate trust deployment guide
-1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
-2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
-3. 
[Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
-4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
-5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index 06aa82ad4b..f4e3ef2457 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -16,39 +16,22 @@ localizationpriority: medium
 ms.date: 08/19/2018
 ms.reviewer:
 ---
-# Validate and Deploy Multifactor Authentication Services (MFA)
+# Validate and Deploy Multi-factor Authentication (MFA)
 > [!IMPORTANT]
 > As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
 **Applies to**
-- Windows 10, version 1703 or later
-- On-premises deployment
-- Key trust
+- Windows 10, version 1703 or later
+- On-premises deployment
+- Key trust
-Windows Hello for Business requires all users perform an additional factor of authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory.
+Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
-Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected.
-* **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. 
Best of all, in many instances it can be set up with just a few simple clicks.
-* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom applications. This protection is even extended to your high-volume, mission-critical scenarios.
-* **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards.
-* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification.
+For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](https://docs.microsoft.com/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
-## On-Premises Azure MFA Server
-
-On-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory.
-
-### Infrastructure
-
-A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing. 
-
-Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server.
-
->[!IMPORTANT]
->Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use installation instructions provided in the article.
-
-Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-key-trust-deploy-mfa.md).
+Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-authentication-policies).
 ## Follow the Windows Hello for Business on premises certificate trust deployment guide
 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 207675b3e4..2ff12340f3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -47,7 +47,7 @@ There are six major categories you need to consider for a Windows Hello for Busi
 ### Baseline Prerequisites
-Windows Hello for Business has a few baseline prerequisites with which you can begin. These baseline prerequisites are provided in the worksheet.
+Windows Hello for Business has a few baseline prerequisites with which you can begin. These baseline prerequisites are provided in the worksheet.
 ### Deployment Options
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index d9a19aed80..57238c3214 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -34,9 +34,9 @@ With Windows Hello for Business and passwords coexisting in your environment, th
 ### 3. Transition into a passwordless deployment
 Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a passwordless world. A world where:
- - the users never type their password
- - the users never change their password
- - the users do not know their password
+- the users never type their password
+- the users never change their password
+- the users do not know their password
 In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business.
diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md
index c286b36226..312e43cff6 100644
--- a/windows/security/identity-protection/hello-for-business/toc.md
+++ b/windows/security/identity-protection/hello-for-business/toc.md
@@ -1,6 +1,6 @@
 # [Windows Hello for Business](hello-identity-verification.md)
-##[Password-less Strategy](passwordless-strategy.md)
+## [Password-less Strategy](passwordless-strategy.md)
 ## [Windows Hello for Business Overview](hello-overview.md)
 ## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
@@ -53,7 +53,6 @@
 #### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
 #### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
 #### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-##### [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md)
 #### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
 ## [Windows Hello and password changes](hello-and-password-changes.md)
@@ -63,4 +62,4 @@
 ### [Windows Hello for Business Videos](hello-videos.md)
 ## [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-## [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
\ No newline at end of file
+## [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index df25b0e70c..59a2e070cb 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -15,7 +15,7 @@ ms.localizationpriority: medium
 ms.date: 01/12/2018
 ms.reviewer:
 ---
-# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
+# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
 **Applies to**
 - Windows 10
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 178333b713..3038aa0e34 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -59,7 +59,7 @@ Always On is a feature in Windows 10 which enables the active VPN profile to con
 When the trigger occurs, VPN tries to connect. If an error occurs or any user input is needed, the user is shown a toast notification for additional interaction.
-When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**.
+When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**.
 Devices with multiple users have the same restriction: only one profile and therefore only one user will be able to use the Always On triggers.
 Preserving user Always On preference
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index b89ced627d..e6b90ed8bc 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -48,7 +48,7 @@ This is applicable to Azure Hybrid AD as well.
 For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD.
-## Managing servers
+## Managing servers
 Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index a0d1ffbf6e..fbb2f028fd 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -24,11 +24,11 @@ The Windows 10 operating system improves most existing security features in the
 **See also:**
- - [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications)
+- [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications)
- - [TPM Fundamentals](tpm-fundamentals.md)
+- [TPM Fundamentals](tpm-fundamentals.md)
- - [TPM Recommendations](tpm-recommendations.md) 
+- [TPM Recommendations](tpm-recommendations.md) 
 ## TPM Overview
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index a1a64bebe4..5da4caee6b 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -20,8 +20,9 @@ ms.date: 11/29/2018
 # TPM recommendations
 **Applies to**
-- Windows 10
-- Windows Server 2016
+
+- Windows 10
+- Windows Server 2016
 This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. 
@@ -47,27 +48,27 @@ From an industry standard, Microsoft has been an industry leader in moving and s
 TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
-- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
+- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
-- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
+- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
-- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms.
+- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms.
- - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs do not support all algorithms.
+ - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs do not support all algorithms.
- - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx). 
+ - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx).
- - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)).
+ - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)).
- - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
+ - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
-- TPM 2.0 offers a more **consistent experience** across different implementations.
+- TPM 2.0 offers a more **consistent experience** across different implementations.
- - TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
+ - TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
- - TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
+ - TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
-- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC. 
+- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
 > [!NOTE]
 > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
@@ -78,11 +79,11 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
 There are three implementation options for TPMs:
-- Discrete TPM chip as a separate component in its own semiconductor package
+- Discrete TPM chip as a separate component in its own semiconductor package
-- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components
+- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components
-- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit
+- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit
 Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs. 
@@ -94,39 +95,37 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u
 ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
-- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
+- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
 ### IoT Core
-- TPM is optional on IoT Core.
+- TPM is optional on IoT Core.
 ### Windows Server 2016
-- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
+- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
 ## TPM and Windows Features
 The following table defines which Windows features require TPM support. 
-| Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
-|-------------------------|--------------|--------------------|--------------------|----------|
-| Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot |
-| BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support |
-| Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. |
-| Windows Defender Application Control (Device Guard) | No | Yes | Yes | |
-| Windows Defender Exploit Guard | No | N/A | N/A | |
-| Windows Defender System Guard | Yes | No | Yes | |
-| Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. |
-| Device Health Attestation| Yes | Yes | Yes | |
-| Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. |
-| UEFI Secure Boot | No | Yes | Yes | |
-| TPM Platform Crypto Provider Key Storage Provider| Yes | Yes| Yes | |
-| Virtual Smart Card | Yes | Yes | Yes | |
-| Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. |
-| Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
-| SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
-| DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. 
|
-
+ Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
+-|-|-|-|-
+ Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot
+ BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support
+ Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
+ Windows Defender Application Control (Device Guard) | No | Yes | Yes
+ Windows Defender System Guard | Yes | No | Yes
+ Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported.
+ Device Health Attestation| Yes | Yes | Yes
+ Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support.
+ UEFI Secure Boot | No | Yes | Yes
+ TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes
+ Virtual Smart Card | Yes | Yes | Yes
+ Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM.
+ Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
+ SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
+ DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
 ## OEM Status on TPM 2.0 system availability and certified parts 
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 441e6d2b75..5ee54b85a9 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -43,6 +43,8 @@ Apps can be enlightened or unenlightened:
 ## List of enlightened Microsoft apps
 Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
+- Microsoft 3D Viewer
+
 - Microsoft Edge
 - Internet Explorer 11
@@ -85,6 +87,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
 | Product name | App info |
 |------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Microsoft 3D Viewer | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                  **Product Name:** Microsoft.Microsoft3DViewer
                  **App Type:** Universal app |
 | Microsoft Edge | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                  **Product Name:** Microsoft.MicrosoftEdge
                  **App Type:** Universal app |
 | Microsoft People | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                  **Product Name:** Microsoft.People
                  **App Type:** Universal app |
 | Word Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                  **Product Name:** Microsoft.Office.Word
                  **App Type:** Universal app |
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index cf6a9871cb..3bb9e5537f 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -17,6 +17,7 @@
 ### [Attack surface reduction]()
+#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
 #### [Hardware-based isolation]()
 ##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
@@ -27,10 +28,10 @@
 ##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
 #### [Application control](windows-defender-application-control/windows-defender-application-control.md)
-#### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
-#### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
-#### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
-#### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+#### [Exploit protection](microsoft-defender-atp/exploit-protection.md)
+#### [Network protection](microsoft-defender-atp/network-protection.md)
+#### [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
+#### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md)
 #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
 ### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) 
@@ -58,46 +59,40 @@
 #### [Machines list]()
 ##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
 ##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
-##### [Alerts related to this machine](microsoft-defender-atp/investigate-machines.md#alerts-related-to-this-machine)
-##### [Machine timeline]()
-###### [View machine profile](microsoft-defender-atp/investigate-machines.md#machine-timeline)
-###### [Search for specific events](microsoft-defender-atp/investigate-machines.md#search-for-specific-events)
-###### [Filter events from a specific date](microsoft-defender-atp/investigate-machines.md#filter-events-from-a-specific-date)
-###### [Export machine timeline events](microsoft-defender-atp/investigate-machines.md#export-machine-timeline-events)
-###### [Navigate between pages](microsoft-defender-atp/investigate-machines.md#navigate-between-pages)
 #### [Take response actions]()
 ##### [Take response actions on a machine]()
 ###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md)
+###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
+###### [Initiate Automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
+###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
 ###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
 ###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
 ###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
-###### [Remove app restriction](microsoft-defender-atp/respond-machine-alerts.md#remove-app-restriction)
 ###### [Isolate machines from the 
network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
-###### [Release machine from isolation](microsoft-defender-atp/respond-machine-alerts.md#release-machine-from-isolation)
 ####### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
 ##### [Take response actions on a file]()
 ###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
 ###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
-###### [Remove file from quarantine](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-quarantine)
-###### [Block files in your network](microsoft-defender-atp/respond-file-alerts.md#block-files-in-your-network)
-###### [Remove file from blocked list](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-blocked-list)
+###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
+###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
 ###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
+###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
 ###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
 ###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
 ###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
-####### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
+###### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
 ##### [Investigate 
entities using Live response]()
 ###### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
-######[Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
+###### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
 ### [Automated investigation and remediation]()
 #### [Automated investigation and remediation overview](microsoft-defender-atp/automated-investigations.md)
 #### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md)
-#####[Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md)
+##### [Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md)
 ### [Secure score](microsoft-defender-atp/overview-secure-score.md)
 ### [Threat analytics](microsoft-defender-atp/threat-analytics.md) 
@@ -105,21 +100,19 @@
 ### [Advanced hunting]()
 #### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md)
 #### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md)
-
-##### [Advanced hunting schema reference]()
-###### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md)
-###### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
-###### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
-###### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
-###### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
-###### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
-###### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
-###### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
-###### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
-###### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
-###### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
-
-##### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
+#### [Advanced hunting schema reference]()
+##### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md)
+##### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
+##### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
+##### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
+##### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md) 
+##### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
+##### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
+##### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
+##### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
+##### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
+##### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
+#### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
 #### [Custom detections]()
 ##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
@@ -133,7 +126,7 @@
 #### [Integrations]()
 ##### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md)
-##### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
+##### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
 ##### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
 #### [Information protection in Windows overview]() 
@@ -162,37 +155,27 @@
 ##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md)
 ##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
 ##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
-##### [Exploit protection](windows-defender-exploit-guard/evaluate-exploit-protection.md)
-##### [Network Protection](windows-defender-exploit-guard/evaluate-network-protection.md)
-##### [Controlled folder access](windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
-##### [Attack surface reduction](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
+##### [Exploit protection](microsoft-defender-atp/evaluate-exploit-protection.md)
+##### [Network Protection](microsoft-defender-atp/evaluate-network-protection.md)
+##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
+##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
 ##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
 ##### [Evaluate next generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
 ### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community.md)
 ## [Configure and manage capabilities]()
+
 ### [Configure attack surface reduction]()
 #### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
-### [Configure and manage capabilities](microsoft-defender-atp/onboard.md)
-#### [Microsoft Defender Advanced Threat Protection for Mac](windows-defender-antivirus/microsoft-defender-atp-mac.md)
-##### [Deploy Microsoft Defender Advanced Threat Protection for Mac]()
-###### [Microsoft Intune-based 
deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md)
-###### [JAMF-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md)
-###### [Deployment with a different Mobile Device Management (MDM) system](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md)
-###### [Manual deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md)
-##### [Update Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-updates.md)
-##### [Set preferences for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md)
-##### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md)
-##### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md)
-#### [Hardware-based isolation]()
-##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
+### [Hardware-based isolation]()
+#### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
-##### [Application isolation]()
-###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-###### [Application control](windows-defender-application-control/windows-defender-application-control.md)
+#### [Application isolation]()
+##### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
 #### [Device control]()
 ##### [Control USB devices](device-control/control-usb-devices-using-intune.md) 
@@ -201,24 +184,29 @@
 ###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
 ###### [Memory integrity]()
-####### [Understand memory integrity](windows-defender-exploit-guard/memory-integrity.md)
-####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
+####### [Understand memory integrity](device-guard/memory-integrity.md)
+####### [Hardware qualifications](device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+####### [Enable HVCI](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
 #### [Exploit protection]()
-##### [Enable exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
-##### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
+##### [Import/export configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
-#### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
-#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
+#### [Network protection](microsoft-defender-atp/enable-network-protection.md)
+#### [Controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
 #### [Attack surface reduction controls]()
-##### [Enable attack surface reduction rules](windows-defender-exploit-guard/enable-attack-surface-reduction.md)
-##### [Customize attack surface reduction](windows-defender-exploit-guard/customize-attack-surface-reduction.md)
+##### [Enable attack surface reduction 
rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
+##### [Customize attack surface reduction](microsoft-defender-atp/customize-attack-surface-reduction.md)
+
 #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
+
+
+
 ### [Configure next generation protection]()
 #### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
+
 #### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
 ##### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
 ##### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md) 
@@ -309,6 +297,21 @@ ##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md) ##### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) + +### [Microsoft Defender Advanced Threat Protection for Mac](windows-defender-antivirus/microsoft-defender-atp-mac.md) +#### [Deploy Microsoft Defender Advanced Threat Protection for Mac]() +##### [Microsoft Intune-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md) +##### [JAMF-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md) +##### [Deployment with a different Mobile Device Management (MDM) system](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md) +##### [Manual deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md) +#### [Update Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-updates.md) +#### [Set preferences for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md) +#### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md) +#### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md) + + + + ### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md) ### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md) 
@@ -331,6 +334,8 @@ ##### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test.md) ##### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md) ##### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md) +##### [Create an onboarding or offboarding notification rule](microsoft-defender-atp/onboarding-notification.md) + ##### [Troubleshoot onboarding issues]() ###### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md) @@ -415,15 +420,10 @@ ####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md) ##### [How to use APIs - Samples]() -###### [Advanced Hunting API]() -####### [Schedule advanced Hunting using Microsoft Flow](microsoft-defender-atp/run-advanced-query-sample-ms-flow.md) -####### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md) -####### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md) -####### [Create custom Power BI reports](microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md) - -###### [Multiple APIs]() -####### [PowerShell](microsoft-defender-atp/exposed-apis-full-sample-powershell.md) - +###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md) +###### [Power BI](microsoft-defender-atp/api-power-bi.md) +###### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md) +###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md) ###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md) #### [Windows updates (KB) info]() 
@@ -481,6 +481,7 @@ #### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md) ### [Configure portal settings]() +#### [Set up preferences](microsoft-defender-atp/preferences-setup.md) #### [General]() ##### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md) ##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md) @@ -510,7 +511,7 @@ ##### [Onboarding machines](microsoft-defender-atp/onboard-configure.md) ##### [Offboarding machines](microsoft-defender-atp/offboard-machines.md) -#### [Configure Windows Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md) +#### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md) ## [Troubleshoot Microsoft Defender ATP]() @@ -529,8 +530,8 @@ #### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md) ### [Troubleshoot attack surface reduction]() -#### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md) -#### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md) +#### [Network protection](microsoft-defender-atp/troubleshoot-np.md) +#### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md) ### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) 
@@ -1049,7 +1050,7 @@ ###### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md) ###### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md) ###### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md) -###### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md) +###### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md) ###### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md) ###### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md) ###### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index d72c39898d..f623632235 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md 
@@ -49,7 +49,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **This folder and files** - **Subfolders and files only** - **Subfolders only** - - **Files only** + - **Files only** 7. By default, the selected **Basic Permissions** to audit are the following: - **Read and execute** diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index e8f58439cb..f900f5ea9c 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md 
@@ -18,31 +18,30 @@ audience: ITPro **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Windows Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices: +Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Windows Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices: -1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: - - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware. - - The [Exploit Guard Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB. - - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in. - -2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events) - - Identify or investigate suspicious usage activity. 
Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). +1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: + - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware. + - The [Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB. + - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in. + +2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events) + - Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). 3. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral: - - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. 
- - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. - -![Create device configuration profile] -These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Windows Defender ATP and Azure Information Protection. + - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. + - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. +>[!Note] +>These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. 
For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Windows Defender ATP and Azure Information Protection. ## Prevent threats from removable storage Windows Defender ATP can help identify and block malicious files on allowed removable storage peripherals. -### Enable Windows Defender Antivirus Scanning +### Enable Windows Defender Antivirus Scanning -Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans. +Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans. - If real-time protection is enabled, files are scanned before they are accessed and executed. 
The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices. - If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting. 
@@ -55,32 +54,32 @@ Protecting authorized removable storage with Windows Defender Antivirus requires ### Block untrusted and unsigned processes on USB peripherals -End-users might plug in removable devices that are infected with malware. -To prevent infections, a company can block USB files that are unsigned or untrusted. -Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral. -This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively. -With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. +End-users might plug in removable devices that are infected with malware. +To prevent infections, a company can block USB files that are unsigned or untrusted. +Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral. +This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively. +With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files. -These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). +These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). 1. 
Sign in to the [Microsoft Azure portal](https://portal.azure.com/). -2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. ![Create device configuration profile](images/create-device-configuration-profile.png) 3. Use the following settings: - - Name: Type a name for the profile - - Description: Type a description - - Platform: Windows 10 or later - - Profile type: Endpoint protection + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 or later + - Profile type: Endpoint protection ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) -4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. +4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. -5. For **Unsigned and untrusted processes that run from USB**, choose **Block**. +5. For **Unsigned and untrusted processes that run from USB**, choose **Block**. ![Block untrusted processes](images/block-untrusted-processes.png) 
@@ -92,11 +91,11 @@ These settings require [enabling real-time protection](https://docs.microsoft.co DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA attacks: -1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users. +1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users. Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the [DMA Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-deviceenumerationpolicy). This is an additional control for peripherals that don't support device memory isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral (memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. - - Peripherals that support device memory isolation can always connect. 
Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). + + Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). 2. On Windows 10 systems that do not suppprt Kernel DMA Protection, you can: 
@@ -107,107 +106,77 @@ DMA attacks can lead to disclosure of sensitive information residing on a PC, or To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender Advanced Threat Protection can help prevent installation and usage of USB drives and other peripherals. -| Control | Description | -|----------|-------------| -| Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types | -| Prevent installation and usage of USB drives and other peripherals| Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types | + Control | Description +-|- + Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types + Prevent installation and usage of USB drives and other peripherals | Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types -All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/en-us/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates: +All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates: ![Admintemplates](images/admintemplates.png) >[!Note] >Using Intune, you can apply device configuration policies to AAD user and/or device groups. 
-The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb530324(v=msdn.10)). +The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/previous-versions/dotnet/articles/bb530324(v=msdn.10)). ->[!Note] ->Always test and refine these settings with a pilot group of users and devices first before applying them in production. +> [!Note] +> Always test and refine these settings with a pilot group of users and devices first before applying them in production. For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/). ### Allow installation and usage of USB drives and other peripherals -One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals. +One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals. >[!Note] >Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. ->1. Enable **prevent installation of devices not described by other policy settings** to all users. ->2. 
Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). +> +>1. Enable **prevent installation of devices not described by other policy settings** to all users. +>2. Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). To enforce the policy for already installed devices, apply the prevent policies that have this setting. +When configuring the allow device installation policy, you will need to allow all parent attributes as well. You can view the parents of a device by opening device manager and view by connection. + +![Device by Connection](images/devicesbyconnection.png) + +In this example, the following classesneeded to be added: HID, Keboard, and {36fc9e60-c465-11cf-8056-444553540000}. More information on [Microsoft-provided USB drivers](https://docs.microsoft.com/windows-hardware/drivers/usbcon/supported-usb-classes). + +![Device host controller](images/devicehostcontroller.jpg) + If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device id that you want to add. For example, -1. Remove class USBDevice from the **allow installation of devices using drivers that match these device setup** -2. Add the VID/PID to allow in the **allow installation of device that match any of these device IDs** +1. Remove class USBDevice from the **allow installation of devices using drivers that match these device setup** +2. Add the VID/PID to allow in the **allow installation of device that match any of these device IDs** ->[!Note] ->How to locate the VID/PID: Using Device Manager; right click on the device and select properties. 
Click details tab, click property drop down list, and choose hardware Ids. Right click the top ID value and select copy. +> [!Note] +> How to locate the VID/PID: Using Device Manager; right click on the device and select properties. Click details tab, click property drop down list, and choose hardware Ids. Right click the top ID value and select copy. >Using PowerShell: Get-WMIObject -Class Win32_DiskDrive | Select-Object -Property * ->For the typical format for the USB ID please reference the following link; (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers) +>For the typical format for the USB ID please reference the following link; (https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers) ### Prevent installation and usage of USB drives and other peripherals -If you want to prevent a device class or certain devices, you can use the prevent device installation policies. -1. Enable **Prevent installation of devices that match any of these device IDs**. -2. Enable the **Prevent installation of devices that match these device setup classes policy**. +If you want to prevent a device class or certain devices, you can use the prevent device installation policies. ->[!Note] ->The prevent device installation policies take precedence over the allow device installation policies. +1. Enable **Prevent installation of devices that match any of these device IDs**. +2. Enable the **Prevent installation of devices that match these device setup classes policy**. -### Security Baseline - -The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, represent the recommended configuration for ATP. Configuration settings for baseline are located here in the edit profile page of the configuration settings. - -![Baselines](images/baselines.png) - -### Bluetooth - -Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. 
The default state of “Bluetooth allowed services” settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked. - -![Bluetooth](images/bluetooth.png) - - - - -## Detect plug and play connected events - -You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. -For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). -Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). - -## Respond to threats - -Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. - ->[!NOTE] ->Always test and refine these settings with a pilot group of users and devices first before applying them in production. - -The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. -For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog). 
- -| Control | Description | -|----------|-------------| -| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage | -| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware | -| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware | - ->[!NOTE] ->Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. +> [!Note] +> The prevent device installation policies take precedence over the allow device installation policies. ### Block installation and usage of removable storage 1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). -2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. ![Create device configuration profile](images/create-device-configuration-profile.png) -3. Use the following settings: +3. Use the following settings: - - Name: Type a name for the profile - - Description: Type a description - - Platform: Windows 10 and later - - Profile type: Device restrictions + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 and later + - Profile type: Device restrictions ![Create profile](images/create-profile.png) 
@@ -235,6 +204,60 @@ Windows Defender ATP blocks installation and usage of prohibited peripherals by - [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class. - [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses). +### Security Baseline + +The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, represent the recommended configuration for ATP. Configuration settings for baseline are located here in the edit profile page of the configuration settings. + +![Baselines](images/baselines.png) + +### Bluetooth + +Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked. + +![Bluetooth](images/bluetooth.png) + +## Detect plug and play connected events + +You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. +For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). 
+Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). + +## Respond to threats + +Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. + +> [!NOTE] +> Always test and refine these settings with a pilot group of users and devices first before applying them in production. + +The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. +For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog). + + Control | Description +-|- + [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage + [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware + [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware + +> [!NOTE] +> Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. 
+ +### Custom Alerts and Response Actions + +You can create custom alerts and response actions with the WDATP Connector and the Custom Detection Rules: + +**Wdatp Connector response Actions:** + +**Investigate:** Initiate investigations, collect investigation package, and isolate a machine. + +**Threat Scanning** on USB devices + +**Restrict execution of all applications** on the machine except a predefined set +MDATP connector is one of over 200 pre-defined connectors including Outlook, Teams, Slack, etc. Custom connectors can be built. +- [More information on WDATP Connector Response Actions](https://docs.microsoft.com/connectors/wdatp/) + +**Custom Detection Rules Response Action:** +Both machine and file level actions can be applied. +- [More information on Custom Detection Rules Response Actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules) ## Related topics @@ -242,8 +265,6 @@ Windows Defender ATP blocks installation and usage of prohibited peripherals by - [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) - [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) - [Perform a custom scan of a removable device](https://aka.ms/scanusb) +- [Device Control PowerBI Template for custom reporting](https://github.com/microsoft/MDATP-PowerBI-Templates) - [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) - [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) - - - 
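Review bot: The new Security Baseline paragraph says the settings are "located here" without a link, so the reference resolves to nothing; either link the baseline page or drop the word, e.g. `Configuration settings for the baseline are in the edit profile page of the configuration settings.` In the Bluetooth paragraph, `you can limited the services` should read `you can limit the services`, and the closing sentence hedges (`file transfer should be blocked`) on exactly the behavior an administrator would rely on, so verify it and state it as the policy's behavior rather than an expectation. The Custom Alerts section names the same connector three ways (`WDATP Connector`, `Wdatp Connector`, `MDATP connector`); pick one spelling. The sentence starting `MDATP connector is one of over 200` also needs a blank line before it so it does not run into the preceding bold item.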
diff --git a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg b/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg
new file mode 100644
index 0000000000..fd0666ef4c
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg differ
diff --git a/windows/security/threat-protection/device-control/images/devicesbyconnection.png b/windows/security/threat-protection/device-control/images/devicesbyconnection.png
new file mode 100644
index 0000000000..089a1b70fe
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/devicesbyconnection.png differ
diff --git a/windows/security/threat-protection/device-control/images/devicevendorid.jpg b/windows/security/threat-protection/device-control/images/devicevendorid.jpg
new file mode 100644
index 0000000000..10b636fc0d
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/devicevendorid.jpg differ
diff --git a/windows/security/threat-protection/device-control/images/sortbyconnection.jpg b/windows/security/threat-protection/device-control/images/sortbyconnection.jpg
new file mode 100644
index 0000000000..c86eab1470
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/sortbyconnection.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
similarity index 78%
rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
rename to windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 07172573b3..91f7206e6d 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -14,16 +14,16 @@ ms.date: 04/01/2019 ms.reviewer: --- -# Enable virtualization-based protection of code integrity +# Enable virtualization-based protection of code integrity **Applies to** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. -Some applications, including device drivers, may be incompatible with HVCI. -This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. -If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. +This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. +Some applications, including device drivers, may be incompatible with HVCI. +This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. +If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. >[!NOTE] >HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*. AMD CPUs do not have MBE. 
@@ -37,13 +37,13 @@ If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. * HVCI also ensure your other Truslets, like Credential Guard have a valid certificate. * Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI. -## How to turn on HVCI in Windows 10 +## How to turn on HVCI in Windows 10 To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options: - [Windows Security app](#windows-security-app) - [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune) - [Group Policy](#enable-hvci-using-group-policy) -- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) +- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) - [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity) ### Windows Security app @@ -52,7 +52,7 @@ HVCI is labeled **Memory integrity** in the Windows Security app and it can be a ### Enable HVCI using Intune -Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). +Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). ### Enable HVCI using Group Policy 
@@ -61,11 +61,11 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP] 3. Double-click **Turn on Virtualization Based Security**. 4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**. - ![Enable HVCI using Group Policy](images/enable-hvci-gp.png) + ![Enable HVCI using Group Policy](../images/enable-hvci-gp.png) 5. Click **Ok** to close the editor. -To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt. +To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt. ### Use registry keys to enable virtualization-based protection of code integrity 
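Review bot: The rewritten image path `../images/enable-hvci-gp.png` only resolves if that image now lives in `windows/security/threat-protection/images/`; the image renames visible in this chunk of the diff cover the `asr-*` and `cfa-*` files but not `enable-hvci-gp.png`, so confirm it was moved as well or the link breaks once the page sits in `device-guard/`. The same applies to `../images/dg-fig11-dgproperties.png` in the @@ -265,8 +264,7 hunk of this file. The numbered Group Policy procedure this hunk edits starts outside the hunk.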
@@ -185,64 +185,64 @@ Windows 10 and Windows Server 2016 have a WMI class for related properties and f > [!NOTE] > Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803. -The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. +The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. #### AvailableSecurityProperties This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard. -| Value | Description | -|--------|-------------| -| **0.** | If present, no relevant properties exist on the device. | -| **1.** | If present, hypervisor support is available. | -| **2.** | If present, Secure Boot is available. | -| **3.** | If present, DMA protection is available. | -| **4.** | If present, Secure Memory Overwrite is available. | -| **5.** | If present, NX protections are available. | -| **6.** | If present, SMM mitigations are available. | -| **7.** | If present, Mode Based Execution Control is available. | +Value | Description +-|- +**0.** | If present, no relevant properties exist on the device. +**1.** | If present, hypervisor support is available. +**2.** | If present, Secure Boot is available. +**3.** | If present, DMA protection is available. +**4.** | If present, Secure Memory Overwrite is available. +**5.** | If present, NX protections are available. +**6.** | If present, SMM mitigations are available. +**7.** | If present, Mode Based Execution Control is available. #### InstanceIdentifier -A string that is unique to a particular device. Valid values are determined by WMI. +A string that is unique to a particular device. Valid values are determined by WMI. 
#### RequiredSecurityProperties This field describes the required security properties to enable virtualization-based security. -| Value | Description | -|--------|-------------| -| **0.** | Nothing is required. | -| **1.** | If present, hypervisor support is needed. | -| **2.** | If present, Secure Boot is needed. | -| **3.** | If present, DMA protection is needed. | -| **4.** | If present, Secure Memory Overwrite is needed. | -| **5.** | If present, NX protections are needed. | -| **6.** | If present, SMM mitigations are needed. | -| **7.** | If present, Mode Based Execution Control is needed. | +Value | Description +-|- +**0.** | Nothing is required. +**1.** | If present, hypervisor support is needed. +**2.** | If present, Secure Boot is needed. +**3.** | If present, DMA protection is needed. +**4.** | If present, Secure Memory Overwrite is needed. +**5.** | If present, NX protections are needed. +**6.** | If present, SMM mitigations are needed. +**7.** | If present, Mode Based Execution Control is needed. -#### SecurityServicesConfigured +#### SecurityServicesConfigured This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured. -| Value | Description | -|--------|-------------| -| **0.** | No services configured. | -| **1.** | If present, Windows Defender Credential Guard is configured. | -| **2.** | If present, HVCI is configured. | -| **3.** | If present, System Guard Secure Launch is configured. | +Value | Description +-|- +**0.** | No services configured. +**1.** | If present, Windows Defender Credential Guard is configured. +**2.** | If present, HVCI is configured. +**3.** | If present, System Guard Secure Launch is configured. #### SecurityServicesRunning This field indicates whether the Windows Defender Credential Guard or HVCI service is running. -| Value | Description | -|--------|-------------| -| **0.** | No services running. | -| **1.** | If present, Windows Defender Credential Guard is running. 
| -| **2.** | If present, HVCI is running. | -| **3.** | If present, System Guard Secure Launch is running. | +Value | Description +-|- +**0.** | No services running. +**1.** | If present, Windows Defender Credential Guard is running. +**2.** | If present, HVCI is running. +**3.** | If present, System Guard Secure Launch is running. #### Version @@ -252,12 +252,11 @@ This field lists the version of this WMI class. The only valid value now is **1. This field indicates whether VBS is enabled and running. -| Value | Description | -|--------|-------------| -| **0.** | VBS is not enabled. | -| **1.** | VBS is enabled but not running. | -| **2.** | VBS is enabled and running. | - +Value | Description +-|- +**0.** | VBS is not enabled. +**1.** | VBS is enabled but not running. +**2.** | VBS is enabled and running. #### PSComputerName @@ -265,8 +264,7 @@ This field lists the computer name. All valid values for computer name. Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section. -![Windows Defender Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png) - +![Windows Defender Device Guard properties in the System Summary](../images/dg-fig11-dgproperties.png) ## Troubleshooting 
@@ -293,8 +291,8 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ``` ### Requirements for running HVCI in Hyper-V virtual machines - - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. - - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. - - HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time - - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. - - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. +- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. +- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. +- HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time +- Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. +- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/device-guard/memory-integrity.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md
rename to windows/security/threat-protection/device-guard/memory-integrity.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
rename to windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index ac3e78109d..5548e18dd5 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -18,14 +18,14 @@ ms.reviewer: On this page - - [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo) - - [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd) - - [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd) - - [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve) - - [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac) - - [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac) - - [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac) - - [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg) +- [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo) +- [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd) +- [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd) +- [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve) +- [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac) +- [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac) +- [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac) +- [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg) Updated: March 2018 
@@ -103,12 +103,12 @@ Rather than validate individual components and products, Microsoft chooses to va The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic modules: - - Schannel Security Package - - Remote Desktop Protocol (RDP) Client - - Encrypting File System (EFS) - - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) - - BitLocker® Drive Full-volume Encryption - - IPsec Settings of Windows Firewall +- Schannel Security Package +- Remote Desktop Protocol (RDP) Client +- Encrypting File System (EFS) +- Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) +- BitLocker® Drive Full-volume Encryption +- IPsec Settings of Windows Firewall ## Information for System Integrators 
@@ -145,12 +145,12 @@ While there are alternative methods for setting the FIPS local/group security po The following list details some of the Microsoft components that use the cryptographic functionality implemented by either CNG or legacy CAPI. When the FIPS Local/Group Security Policy is set, the following components will enforce the validated module Security Policy. - - Schannel Security Package - - Remote Desktop Protocol (RDP) Client - - Encrypting File System (EFS) - - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) - - BitLocker® Drive Full-volume Encryption - - IPsec Settings of Windows Firewall +- Schannel Security Package +- Remote Desktop Protocol (RDP) Client +- Encrypting File System (EFS) +- Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) +- BitLocker® Drive Full-volume Encryption +- IPsec Settings of Windows Firewall #### Effects of Setting FIPS Local/Group Security Policy Flag
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/Untitled-1.png b/windows/security/threat-protection/images/Untitled-1.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/Untitled-1.png
rename to windows/security/threat-protection/images/Untitled-1.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/asr-notif.png b/windows/security/threat-protection/images/asr-notif.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/asr-notif.png
rename to windows/security/threat-protection/images/asr-notif.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png b/windows/security/threat-protection/images/asr-rules-gp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png
rename to windows/security/threat-protection/images/asr-rules-gp.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png b/windows/security/threat-protection/images/asr-test-tool.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png
rename to windows/security/threat-protection/images/asr-test-tool.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png b/windows/security/threat-protection/images/cfa-allow-app-ps.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png
rename to windows/security/threat-protection/images/cfa-allow-app-ps.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png b/windows/security/threat-protection/images/cfa-allow-app.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png
rename to windows/security/threat-protection/images/cfa-allow-app.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png b/windows/security/threat-protection/images/cfa-allow-folder-ps.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png
rename to windows/security/threat-protection/images/cfa-allow-folder-ps.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png b/windows/security/threat-protection/images/cfa-audit-gp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png
rename to windows/security/threat-protection/images/cfa-audit-gp.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png b/windows/security/threat-protection/images/cfa-filecreator.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png
rename to windows/security/threat-protection/images/cfa-filecreator.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png b/windows/security/threat-protection/images/cfa-gp-enable.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png
rename to windows/security/threat-protection/images/cfa-gp-enable.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png b/windows/security/threat-protection/images/cfa-notif.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png
rename to windows/security/threat-protection/images/cfa-notif.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-on.png b/windows/security/threat-protection/images/cfa-on.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-on.png
rename to windows/security/threat-protection/images/cfa-on.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png b/windows/security/threat-protection/images/cfa-prot-folders.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png
rename to windows/security/threat-protection/images/cfa-prot-folders.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/check-no.png b/windows/security/threat-protection/images/check-no.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/check-no.png
rename to windows/security/threat-protection/images/check-no.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/images/create-endpoint-protection-profile.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/create-endpoint-protection-profile.png
rename to windows/security/threat-protection/images/create-endpoint-protection-profile.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/create-exploit-guard-policy.png b/windows/security/threat-protection/images/create-exploit-guard-policy.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/create-exploit-guard-policy.png
rename to windows/security/threat-protection/images/create-exploit-guard-policy.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/dg-fig11-dgproperties.png b/windows/security/threat-protection/images/dg-fig11-dgproperties.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/dg-fig11-dgproperties.png
rename to windows/security/threat-protection/images/dg-fig11-dgproperties.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-allow.png b/windows/security/threat-protection/images/enable-cfa-app-allow.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-allow.png
rename to windows/security/threat-protection/images/enable-cfa-app-allow.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-folder.png b/windows/security/threat-protection/images/enable-cfa-app-folder.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-folder.png
rename to windows/security/threat-protection/images/enable-cfa-app-folder.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app.png b/windows/security/threat-protection/images/enable-cfa-app.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app.png
rename to windows/security/threat-protection/images/enable-cfa-app.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-intune.png b/windows/security/threat-protection/images/enable-cfa-intune.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-intune.png
rename to windows/security/threat-protection/images/enable-cfa-intune.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-ep-intune.png b/windows/security/threat-protection/images/enable-ep-intune.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-ep-intune.png
rename to windows/security/threat-protection/images/enable-ep-intune.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-hvci-gp.png b/windows/security/threat-protection/images/enable-hvci-gp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-hvci-gp.png
rename to windows/security/threat-protection/images/enable-hvci-gp.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-np-intune.png b/windows/security/threat-protection/images/enable-np-intune.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-np-intune.png
rename to windows/security/threat-protection/images/enable-np-intune.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ep-default.png b/windows/security/threat-protection/images/ep-default.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/ep-default.png
rename to windows/security/threat-protection/images/ep-default.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ep-prog.png b/windows/security/threat-protection/images/ep-prog.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/ep-prog.png
rename to windows/security/threat-protection/images/ep-prog.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png b/windows/security/threat-protection/images/event-viewer-import.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png
rename to windows/security/threat-protection/images/event-viewer-import.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer.gif b/windows/security/threat-protection/images/event-viewer.gif
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer.gif
rename to windows/security/threat-protection/images/event-viewer.gif
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/events-create.gif b/windows/security/threat-protection/images/events-create.gif
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/events-create.gif
rename to windows/security/threat-protection/images/events-create.gif
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/events-import.gif b/windows/security/threat-protection/images/events-import.gif
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/events-import.gif
rename to windows/security/threat-protection/images/events-import.gif
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png b/windows/security/threat-protection/images/exp-prot-gp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png
rename to windows/security/threat-protection/images/exp-prot-gp.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/np-notif.png b/windows/security/threat-protection/images/np-notif.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/np-notif.png
rename to windows/security/threat-protection/images/np-notif.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-blocks.png b/windows/security/threat-protection/images/sccm-asr-blocks.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-blocks.png
rename to windows/security/threat-protection/images/sccm-asr-blocks.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-rules.png b/windows/security/threat-protection/images/sccm-asr-rules.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-rules.png
rename to windows/security/threat-protection/images/sccm-asr-rules.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa-block.png b/windows/security/threat-protection/images/sccm-cfa-block.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa-block.png
rename to windows/security/threat-protection/images/sccm-cfa-block.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa.png b/windows/security/threat-protection/images/sccm-cfa.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa.png
rename to windows/security/threat-protection/images/sccm-cfa.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep-xml.png b/windows/security/threat-protection/images/sccm-ep-xml.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep-xml.png
rename to windows/security/threat-protection/images/sccm-ep-xml.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep.png b/windows/security/threat-protection/images/sccm-ep.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep.png
rename to windows/security/threat-protection/images/sccm-ep.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np-block.png b/windows/security/threat-protection/images/sccm-np-block.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np-block.png
rename to windows/security/threat-protection/images/sccm-np-block.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np.png b/windows/security/threat-protection/images/sccm-np.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np.png
rename to windows/security/threat-protection/images/sccm-np.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg b/windows/security/threat-protection/images/svg/check-no.svg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg
rename to windows/security/threat-protection/images/svg/check-no.svg
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg b/windows/security/threat-protection/images/svg/check-yes.svg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg
rename to windows/security/threat-protection/images/svg/check-yes.svg
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdeg.png b/windows/security/threat-protection/images/wdeg.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdeg.png
rename to windows/security/threat-protection/images/wdeg.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png
rename to windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png
rename to windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png b/windows/security/threat-protection/images/wdsc-exp-prot-export.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png
rename to windows/security/threat-protection/images/wdsc-exp-prot-export.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png
rename to windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png b/windows/security/threat-protection/images/wdsc-exp-prot.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png
rename to windows/security/threat-protection/images/wdsc-exp-prot.png
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 97a809c8de..ed4ed90c14 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -58,16 +58,16 @@ This built-in capability uses a game-changing risk-based approach to the discove **[Attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)**
                  -The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. +The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. -- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md) +- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md) - [Application control](windows-defender-application-control/windows-defender-application-control.md) - [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) -- [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md) -- [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md) -- [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md) +- [Exploit protection](microsoft-defender-atp/exploit-protection.md) +- [Network protection](microsoft-defender-atp/network-protection.md) +- [Controlled folder access](microsoft-defender-atp/controlled-folders.md) - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) -- [Attack surface reduction rules](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) +- [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md) 
diff --git a/windows/security/threat-protection/intelligence/images/prevalent-malware-aug-small.png b/windows/security/threat-protection/intelligence/images/prevalent-malware-aug-small.png
new file mode 100644
index 0000000000..f797263dba
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/prevalent-malware-aug-small.png differ
diff --git a/windows/security/threat-protection/intelligence/images/real-world-aug-small.png b/windows/security/threat-protection/intelligence/images/real-world-aug-small.png
new file mode 100644
index 0000000000..303df698eb
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/real-world-aug-small.png differ
diff --git a/windows/security/threat-protection/intelligence/images/real-world-protection-aug-small.png b/windows/security/threat-protection/intelligence/images/real-world-protection-aug-small.png
new file mode 100644
index 0000000000..3a188fbf75
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/real-world-protection-aug-small.png differ
diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
index c1d189ea17..aba371a6c3 100644
--- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
+++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
@@ -27,76 +27,58 @@ Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https:// Windows Defender Antivirus is part of the [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Microsoft Defender ATP security stack which addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies.

                  -![Graph describing Real-World detection rate](./images/transparency-report-purple-60.png) **Download the latest transparency report: [Examining industry test results, May 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd)** +![Graph describing Real-World detection rate](./images/transparency-report-purple-60.png) **Download the latest transparency report: [Examining industry test results, August 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)** ### AV-TEST: Protection score of 6.0/6.0 in the latest test The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware"). -- March - April 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2019/microsoft-windows-defender-antivirus-4.18-191517/) **Latest** +- May - June 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2019/microsoft-windows-defender-antivirus-4.18-192415/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) **Latest** - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 6,849 malware samples used. This is the sixth consecutive cycle that Windows Defender Antivirus achieved a perfect Protection score. + Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 2,735 malware samples used. This is the seventh consecutive cycle that Windows Defender Antivirus achieved a perfect Protection score. 
+ +- March - April 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2019/microsoft-windows-defender-antivirus-4.18-191517/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - January - February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd) - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 13,977 malware samples used. - - November - December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9) - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 19,956 malware samples. - - September - October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD) - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, protecting against 21,566 of 21,568 tested malware samples. - - July - August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y) - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 20,022 malware samples. 
- -- May - June 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) - - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 5,790 malware samples. - ||| |---|---| -|![Graph describing Real-World detection rate](./images/real-world-small.png)|![Graph describing Prevalent Malware](./images/prevalent-malware-small.png)| +|![Graph showing Microsoft's Real-World detection rate scores for AV-Test](./images/real-world-aug-small.png)|![Graph showing Microsoft's Prevalent Malware detection rate scores for AV-Test](./images/prevalent-malware-aug-small.png)| -### AV-Comparatives: Protection rating of 99.7% in the latest test +### AV-Comparatives: Protection rating of 99.9% in the latest test -AV-Comparatives is an independent organization offering systematic testing for security software such as PC/Mac-based antivirus products and mobile security solutions. +Business Security Test consists of three main parts: the Real-World Protection Test which mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (e.g. USB), and the Performance Test which looks at the impact on the system’s performance. 
-- Real-World Protection Test Enterprise March - April 2019: [Protection Rate 99.7%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-march-april-2019-testresult/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd) **Latest** +- Business Security Test 2019 (March - June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) **Latest** - This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to protect a computer against active malware threats while online. The test set contained 389 test cases (such as malicious URLs). + Windows Defender Antivirus has consistently improved in Real-World Protection Rates over the past year, with 99.9% in the latest test. -- Real-World Protection Test Enterprise August - November 2018: [Protection Rate 99.6%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-august-november-2018-testresult/) +- Business Security Test 2018 (August - November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2018-august-november/) - The test set contained 1,207 test cases (such as malicious URLs). +- Business Security Test 2018 (March - June): [Real-World Protection Rate 98.7%](https://www.av-comparatives.org/tests/business-security-test-2018-march-june/) -- Malware Protection Test Enterprise August 2018: [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-august-2018-testresult/) - - This test, as defined by AV-Comparatives, attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. The results are based on testing against 1,556 malware samples. 
- -- Real-World Protection Test Enterprise March - June 2018: [Protection Rate 98.7%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-march-june-2018-testresult/) - - The test set contained 1,163 test cases (such as malicious URLs). +![Graph showing Microsoft's Real-World Protection scores for AV-Comparatives](./images/real-world-protection-aug-small.png) ### SE Labs: Total accuracy rating of AAA in the latest test SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services. +- Enterprise Endpoint Protection April - June 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/apr-jun-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) + + Microsoft's next-gen protection was named as one of the leading products, stopping all of the targeted attacks and all but one public threat. It also handled the legitimate applications correctly. + +- Enterprise Endpoint Protection January - March 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jan-mar-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) + - Enterprise Endpoint Protection October - December 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/oct-dec-2018-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd) - Microsoft's next-gen protection was named as one of the leading products, stopping all of the public and targeted attacks. - - Enterprise Endpoint Protection July - September 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/jul-sep-2018-enterprise.pdf) **pdf** - Microsoft's next-gen protection was named as one of the most effective products, stopping all public and targeted attacks. 
It showcased its ability to block malicious URLs, deal with exploits, and classify legitimate apps and websites correctly. - -- Enterprise Endpoint Protection April - June 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/apr-jun-2018-enterprise.pdf) **pdf** - - Microsoft's next-gen protection was named as one of the most effective products, stopping all targeted attacks and the vast majority of public threats. - ## Endpoint detection & response Microsoft Defender ATP [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
index 0379951dbd..652e76f78d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
@@ -38,7 +38,7 @@ On the top navigation you can: ![Image of alerts queue](images/alerts-queue-list.png) -## Sort, filter, and group the alerts queue +## Sort, filter, and group the alerts queue You can apply the following filters to limit the list of alerts and get a more focused view the alerts. ### Severity
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
new file mode 100644
index 0000000000..4af26a7805
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
@@ -0,0 +1,81 @@
+---
+title: Microsoft Defender ATP Flow connector
+ms.reviewer:
+description: Microsoft Defender ATP Flow connector
+keywords: flow, supported apis, api, Microsoft flow, query, automation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Microsoft Defender ATP Flow connector
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional Cyber defenders, forces SOC to work in the most efficient way and automation is a must. MS flow supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within few minutes.
+
+Microsoft Defender API has an official Flow Connector with a lot of capabilities:
+
+![Image of edit credentials](images/api-flow-0.png)
+
+## Usage example
+
+The following example demonstrates how you can create a Flow that will be triggered any time a new Alert occurs on your tenant.
+
+- Login to [Microsoft Flow](https://flow.microsoft.com)
+
+- Go to: My flows > New > Automated
+
+![Image of edit credentials](images/api-flow-1.png)
+
+- Choose a name for your Flow, Search for **Microsoft Defender ATP Triggers** as the trigger and choose the new Alerts trigger.
+
+![Image of edit credentials](images/api-flow-2.png)
+
+- Now you have a Flow that is triggered every time a new Alert occurs.
+
+![Image of edit credentials](images/api-flow-3.png)
+
+All you need to do now, is to choose your next steps.
+Lets, for example, Isolate the machine if the Severity of the Alert is **High** and mail about it.
+The Alert trigger gives us only the Alert ID and the Machine ID. We can use the Connector to expand these entities.
+
+### Get the Alert entity using the connector
+
+- Choose Microsoft Defender ATP for new step.
+
+- Choose Alerts - Get single alert API.
+
+- Set the Alert Id from the last step as Input.
+
+![Image of edit credentials](images/api-flow-4.png)
+
+### Isolate the machine if the Alert's severity is High
+
+- Add **Condition** as a new step .
+
+- Check if Alert severity equals to **High**.
+
+- If yes, add Microsoft Defender ATP - Isolate machine action with the Machine Id and a comment.
+
+![Image of edit credentials](images/api-flow-5.png)
+
+Now you can add a new step for mailing about the Alert and the Isolation.
+There are multiple Email connectors that are very easy to use, e.g. Outlook, GMail, etc..
+Save your flow and that's all.
+
+- You can also create **scheduled** flow that will run Advanced Hunting queries and much more!
+
+## Related topic
+- [Microsoft Defender ATP APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
index 4c97c07b2e..9706e81443 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@@ -28,7 +28,7 @@ ms.date: 10/16/2017 Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. -## Alert API fields and portal mapping +## Alert API fields and portal mapping The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
similarity index 50%
rename from windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md
rename to windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
index c292829e80..4c582017dc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
@@ -1,8 +1,8 @@
 ---
-title: Advanced Hunting API
+title: Microsoft Defender ATP APIs connection to Power BI
 ms.reviewer:
-description: Use this API to run advanced queries
-keywords: apis, supported apis, advanced hunting, query
+description: Create custom reports using Power BI
+keywords: apis, supported apis, Power BI, reports
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -17,24 +17,17 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Create custom reports using Power BI (user authentication) +# Create custom reports using Power BI -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -[!include[Prerelease information](prerelease.md)] +In this section you will learn create a Power BI report on top of Microsoft Defender ATP APIs. -Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before. +The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs (e.g. Machine Actions, Alerts, etc..) -In this section we share Power BI query sample to run a query using **user token**. - -If you want to use **application token** instead please refer to [this](run-advanced-query-sample-power-bi-app-token.md) tutorial. - -## Before you begin -You first need to [create an app](exposed-apis-create-app-nativeapp.md). - -## Run a query +## Connect Power BI to Advanced Hunting API - Open Microsoft Power BI 
@@ -46,18 +39,15 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md). ![Image of open advanced editor](images/power-bi-open-advanced-editor.png) -- Copy the below and paste it in the editor, after you update the values of Query +- Copy the below and paste it in the editor: - ``` +``` let + AdvancedHuntingQuery = "MiscEvents | where ActionType contains 'Anti'", - Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", + HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries", - FormattedQuery= Uri.EscapeDataString(Query), - - AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries?key=" & FormattedQuery, - - Response = Json.Document(Web.Contents(AdvancedHuntingUrl)), + Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])), TypeMap = #table( { "Type", "PowerBiType" }, @@ -88,12 +78,10 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md). in Table - ``` +``` - Click **Done** - ![Image of create advanced query](images/power-bi-create-advanced-query.png) - - Click **Edit Credentials** ![Image of edit credentials](images/power-bi-edit-credentials.png) 
@@ -108,13 +96,32 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md). ![Image of set credentials](images/power-bi-set-credentials-organizational-cont.png) -- View the results of your query +- Now the results of your query will appear as table and you can start build visualizations on top of it! - ![Image of query results](images/power-bi-query-results.png) +- You can duplicate this table, rename it and edit the Advanced Hunting query inside to get any data you would like. + +## Connect Power BI to OData APIs + +- The only difference from the above example is the query inside the editor. + +- Copy the below and paste it in the editor to pull all **Machine Actions** from your organization: + +``` + let + + Query = "MachineActions", + + Source = OData.Feed("https://api.securitycenter.windows.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true]) + in + Source + +``` + +- You can do the same for **Alerts** and **Machines**. + +- You also can use OData queries for queries filters, see [Using OData Queries](exposed-apis-odata-samples.md) ## Related topic -- [Create custom Power BI reports with app authentication](run-advanced-query-sample-power-bi-app-token.md) - [Microsoft Defender ATP APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) -- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) -- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) +- [Using OData Queries](exposed-apis-odata-samples.md) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
rename to windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
similarity index 80%
rename from windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
rename to windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index e78eb77ef5..311f6803b0 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/07/2019
@@ -16,32 +17,28 @@ ms.reviewer: manager: dansimp --- -# Reduce attack surfaces with attack surface reduction rules +# Reduce attack surfaces with attack surface reduction rules **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019. - +Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019. To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. 
These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. - Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: -- Executable files and scripts used in Office apps or web mail that attempt to download or run files -- Obfuscated or otherwise suspicious scripts -- Behaviors that apps don't usually initiate during normal day-to-day work +* Executable files and scripts used in Office apps or web mail that attempt to download or run files +* Obfuscated or otherwise suspicious scripts +* Behaviors that apps don't usually initiate during normal day-to-day work -You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. +You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. 
It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. -Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center. +Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center. For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). 
@@ -49,11 +46,11 @@ For information about configuring attack surface reduction rules, see [Enable at Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment. -Here is an example query: +Here is an example query: -``` +```PowerShell MiscEvents | where ActionType startswith 'Asr' ``` 
@@ -62,13 +59,13 @@ MiscEvents You can review the Windows event log to view events that are created when attack surface reduction rules fire: -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. +1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. 2. Type **Event Viewer** in the Start menu to open the Windows Event Viewer. 3. Click **Import custom view...** on the left panel, under **Actions**. - -4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md). 5. Click **OK**. @@ -82,13 +79,12 @@ Event ID | Description The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed. - ## Attack surface reduction rules The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs: -Rule name | GUID | File & folder exclusions --|-|- + Rule name | GUID | File & folder exclusions +-----------|------|-------------------------- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported 
@@ -111,8 +107,8 @@ Each rule description indicates which apps or file types the rule applies to. In This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers: -- Executable files (such as .exe, .dll, or .scr) -- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) +* Executable files (such as .exe, .dll, or .scr) +* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 @@ -138,7 +134,7 @@ GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A ### Block Office applications from creating executable content -This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content. +This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content. This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk. @@ -154,7 +150,7 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899 Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection. -This rule applies to Word, Excel, and PowerPoint. +This rule applies to Word, Excel, and PowerPoint. This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 
@@ -166,12 +162,12 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 ### Block JavaScript or VBScript from launching downloaded executable content -Malware often uses JavaScript and VBScript scripts to launch other malicious apps. +Malware often uses JavaScript and VBScript scripts to launch other malicious apps. -Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. +Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. ->[!IMPORTANT] ->File and folder exclusions don't apply to this attack surface reduction rule. +> [!IMPORTANT] +> File and folder exclusions don't apply to this attack surface reduction rule. This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 
@@ -206,16 +202,16 @@ SCCM name: Block Win32 API calls from Office macros GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion - + This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list: - -- Executable files (such as .exe, .dll, or .scr) ->[!NOTE] ->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. +* Executable files (such as .exe, .dll, or .scr) ->[!IMPORTANT] ->The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. +> [!NOTE] +> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. + +> [!IMPORTANT] +> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. > >You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. 
@@ -226,13 +222,13 @@ Intune name: Executables that don't meet a prevalence, age, or trusted list crit SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 - + ### Use advanced protection against ransomware - + This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list. ->[!NOTE] ->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. +> [!NOTE] +> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 
@@ -241,14 +237,14 @@ Intune name: Advanced ransomware protection SCCM name: Use advanced protection against ransomware GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 - + ### Block credential stealing from the Windows local security authority subsystem (lsass.exe) - + Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. - >[!NOTE] - >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. - +> [!NOTE] +> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. + This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 Intune name: Flag credential stealing from the Windows local security authority subsystem 
@@ -261,26 +257,26 @@ GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. ->[!IMPORTANT] ->File and folder exclusions do not apply to this attack surface reduction rule. +> [!IMPORTANT] +> File and folder exclusions do not apply to this attack surface reduction rule. ->[!WARNING] ->Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly. +> [!WARNING] +> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly. -This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 +This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019 Intune name: Process creation from PSExec and WMI commands SCCM name: Not applicable GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c - + ### Block untrusted and unsigned processes that run from USB - + With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. 
Blocked file types include: - -- Executable files (such as .exe, .dll, or .scr) -- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) + +* Executable files (such as .exe, .dll, or .scr) +* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 @@ -294,10 +290,10 @@ GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. ->[!NOTE] ->This rule applies to Outlook and Outlook.com only. +> [!NOTE] +> This rule applies to Outlook and Outlook.com only. -This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810 +This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019 Intune name: Process creation from Office communication products (beta) 
@@ -307,19 +303,21 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 ### Block Adobe Reader from creating child processes -Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes. +Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes. -This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810 +This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019 Intune name: Process creation from Adobe Reader (beta) -SCCM name: Not applicable +SCCM name: Not yet available GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c ### Block persistence through WMI event subscription -Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository. +Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository. + +This rule was introduced in: Windows 10 1903, Windows Server 1903 Intune name: Block persistence through WMI event subscription 
@@ -329,7 +327,6 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b ## Related topics -- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) -- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) -- [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility) - +* [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) +* [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
similarity index 65%
rename from windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
rename to windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
index dd9c960c79..cb5f42efe4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/02/2019
@@ -16,12 +17,11 @@ ms.reviewer: manager: dansimp --- - -# Use audit mode +# Use audit mode **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. 
@@ -33,25 +33,23 @@ To find the audited entries, go to **Applications and Services** > **Microsoft** You can use Windows Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. +This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. 
- -|Audit options | How to enable audit mode | How to view events | -|- | - | - | -|Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) | -|Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) | -|Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) | -|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) | - + Audit options | How to enable audit mode | How to view events +-|-|- +Audit applies to all events | [Enable controlled folder access](enable-controlled-folders.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) +Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) +Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) +|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection 
events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer)
 ## Related topics
-- [Protect devices from exploits](exploit-protection-exploit-guard.md)
-- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
-- [Protect your network](network-protection-exploit-guard.md)
-- [Protect important folders](controlled-folders-exploit-guard.md)
+* [Protect devices from exploits](exploit-protection.md)
+* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+* [Protect your network](network-protection.md)
+* [Protect important folders](controlled-folders.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
index 706f90cf75..d0dfe6add3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
@@ -1,8 +1,7 @@
 ---
-title:
-ms.reviewer:
-description:
-keywords:
+title: Configure attack surface reduction
+description: Configure attack surface reduction
+keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -23,22 +22,21 @@ ms.date: 07/01/2018 You can configure attack surface reduction with a number of tools, including: -- Microsoft Intune -- System Center Configuration Manager -- Group Policy -- PowerShell cmdlets - +* Microsoft Intune +* System Center Configuration Manager +* Group Policy +* PowerShell cmdlets The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for the applicable configuration tool (or tools). ## In this section + Topic | Description -:---|:--- +-|- [Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to preprare for and install Application Guard, including hardware and softeware requirements [Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and potect kernel mode processes -[Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps -[Network protection](../windows-defender-exploit-guard/enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains -[Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)|How to protect valuable data from malicious apps -[Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware +[Exploit protection](./enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps +[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains +[Controlled folder access](./enable-controlled-folders.md)|How to protect 
valuable data from malicious apps +[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network - diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md index 785daef982..69c4df40de 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md 
@@ -20,34 +20,36 @@ ms.topic: article # Optimize ASR rule deployment and detections **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives. +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) + +[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives. ![Attack surface management card](images/secconmgmt_asr_card.png)
                  *Attack surface management card* The **Attack surface management** card is an entry point to tools in Microsoft 365 security center that you can use to: -- Understand how ASR rules are currently deployed in your organization -- Review ASR detections and identify possible incorrect detections -- Analyze the impact of exclusions and generate the list of file paths to exclude +* Understand how ASR rules are currently deployed in your organization +* Review ASR detections and identify possible incorrect detections +* Analyze the impact of exclusions and generate the list of file paths to exclude Selecting **Go to attack surface management** takes you to **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center. ![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center](images/secconmgmt_asr_m365exlusions.png)
                  *Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center* ->[!NOTE] ->To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions) +> [!NOTE] +> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions) -For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections) +For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) +> Want to experience Microsoft Defender ATP? 
[Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) # Related topics -- [Ensure your machines are configured properly](configure-machines.md) -- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) -- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) \ No newline at end of file + +* [Ensure your machines are configured properly](configure-machines.md) +* [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) +* [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index bdc69b1a68..406b15ff97 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -108,7 +108,7 @@ It is recommended that groups are created for MSSPs to make authorization access As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups. -## Access the Windows Defender Security Center MSSP customer portal +## Access the Windows Defender Security Center MSSP customer portal >[!NOTE] >These set of steps are directed towards the MSSP. 
@@ -143,8 +143,8 @@ For more information, see [Create rules for alert notifications](configure-email These check boxes must be checked: - - **Include organization name** - The customer name will be added to email notifications - - **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal +- **Include organization name** - The customer name will be added to email notifications +- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal ## Fetch alerts from MSSP customer's tenant into the SIEM system diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index dba3eaf576..3ba4e51fda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -17,15 +17,13 @@ ms.collection: M365-security-compliance ms.topic: article --- - # Configure machine proxy and Internet connectivity settings **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. 
@@ -36,27 +34,26 @@ The embedded Microsoft Defender ATP sensor runs in system context using the Loca The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: - - Auto-discovery methods: - - Transparent proxy - - Web Proxy Auto-discovery Protocol (WPAD) +- Auto-discovery methods: + - Transparent proxy + - Web Proxy Auto-discovery Protocol (WPAD) > [!NOTE] > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). - - - Manual static proxy configuration: - - Registry based configuration - - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy) - - +- Manual static proxy configuration: + - Registry based configuration + - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy) ## Configure the proxy server manually using a registry-based static proxy + Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet. -The static proxy is configurable through Group Policy (GP). The group policy can be found under: +The static proxy is configurable through Group Policy (GP). 
The group policy can be found under: + - Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service - - Set it to **Enabled** and select **Disable Authenticated Proxy usage**: - ![Image of Group Policy setting](images/atp-gpo-proxy1.png) + - Set it to **Enabled** and select **Disable Authenticated Proxy usage**: + ![Image of Group Policy setting](images/atp-gpo-proxy1.png) - **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**: - Configure the proxy:
                  ![Image of Group Policy setting](images/atp-gpo-proxy2.png) @@ -68,6 +65,7 @@ The static proxy is configurable through Group Policy (GP). The group policy can ```text : ``` + For example: 10.0.0.6:8080 The registry value `DisableEnterpriseAuthProxy` should be set to 1. 
@@ -87,35 +85,39 @@ Use netsh to configure a system-wide static proxy. b. Right-click **Command prompt** and select **Run as administrator**. 2. Enter the following command and press **Enter**: - ``` + + ```PowerShell netsh winhttp set proxy : ``` + For example: netsh winhttp set proxy 10.0.0.6:8080 To reset the winhttp proxy, enter the following command and press **Enter** -``` + +```PowerShell netsh winhttp reset proxy ``` + See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/windows-server/networking/technologies/netsh/netsh-contexts) to learn more. ## Enable access to Microsoft Defender ATP service URLs in the proxy server + If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443: ->[!NOTE] -> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. +> [!NOTE] +> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. -Service location | Microsoft.com DNS record -:---|:--- + Service location | Microsoft.com DNS record +-|- Common URLs for all locations | ```*.blob.core.windows.net```
                  ```crl.microsoft.com```
                  ```ctldl.windowsupdate.com```
                  ```events.data.microsoft.com```
                  ```notify.windows.com``` European Union | ```eu.vortex-win.data.microsoft.com```
                  ```eu-v20.events.data.microsoft.com```
                  ```winatp-gw-neu.microsoft.com```
                  ```winatp-gw-weu.microsoft.com``` United Kingdom | ```uk.vortex-win.data.microsoft.com```
                  ```uk-v20.events.data.microsoft.com```
                  ```winatp-gw-uks.microsoft.com```
                  ```winatp-gw-ukw.microsoft.com``` United States | ```us.vortex-win.data.microsoft.com```
                  ```us-v20.events.data.microsoft.com```
                  ```winatp-gw-cus.microsoft.com```
                  ```winatp-gw-eus.microsoft.com``` - - If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. -## Microsoft Defender ATP service backend IP range +## Microsoft Defender ATP service backend IP range + If you network devices don't support the URLs white-listed in the prior section, you can use the following information. Microsoft Defender ATP is built on Azure cloud, deployed in the following regions: @@ -128,13 +130,11 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region - \+\ - \+\ - You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653). ->[!NOTE] +> [!NOTE] > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. - ## Verify client connectivity to Microsoft Defender ATP service URLs Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. @@ -151,11 +151,13 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 4. Enter the following command and press **Enter**: - ``` + ```PowerShell HardDrivePath\WDATPConnectivityAnalyzer.cmd ``` + Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example - ``` + + ```PowerShell C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd ``` @@ -163,13 +165,14 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
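Review bot: The fence opener changed to ```PowerShell in the `netsh winhttp set proxy` and `netsh winhttp reset proxy` blocks does not match the documented procedure, which opens **Command prompt** as administrator in the step just above; `netsh` runs from either shell, but the label should describe the shell the steps actually use. The same `PowerShell` tag is applied in the `@@ -151,11 +151,13 @@` hunk to the two `WDATPConnectivityAnalyzer.cmd` invocations, which are batch-file launches. Changing the three openers from `PowerShell` to `cmd` keeps the commands as written and makes the syntax highlighting and copy-paste expectations consistent with the text; the enclosing numbered list continues before this hunk begins.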

                  The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: + ```text Testing URL : https://xxx.microsoft.com/xxx 1 - Default proxy: Succeeded (200) 2 - Proxy auto discovery (WPAD): Succeeded (200) 3 - Proxy disabled: Succeeded (200) 4 - Named proxy: Doesn't exist - 5 - Command line proxy: Doesn't exist + 5 - Command line proxy: Doesn't exist ``` If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method.

                  @@ -177,9 +180,10 @@ If at least one of the connectivity options returns a (200) status, then the Mic However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. > [!NOTE] -> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool. +> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool. > When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy. ## Related topics + - [Onboard Windows 10 machines](configure-endpoints.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) \ No newline at end of file +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) 
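Review bot: The rewritten link in the `[!NOTE]` still targets the `windows-defender-exploit-guard/` path (`.../windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules`), while elsewhere in this commit `attack-surface-reduction.md` is resolved from the `microsoft-defender-atp/` folder (the `./attack-surface-reduction.md` link in configure-machines-asr.md), so this absolute URL will most likely depend on a redirect or land on a missing page. Because configure-proxy-internet.md is itself in `microsoft-defender-atp/`, a relative link removes that dependency: `[Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#attack-surface-reduction-rules)`. The same note instructs the reader to disable an ASR rule for the check; appending `Re-enable the rule once the connectivity check completes.` keeps that exception explicitly bounded.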
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
similarity index 78%
rename from windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
rename to windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index 7aa48ea40e..eb5c9b65bb 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 audience: ITPro
@@ -21,7 +22,7 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the System Center Configuration Manager (SCCM) and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
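Review bot: The `+audience: ITPro` line added to the front matter of controlled-folders.md duplicates a key that the hunk's own trailing context shows already present two lines below (`ms.author: ellevin` followed by `audience: ITPro`), so the YAML mapping now carries `audience` twice. Strict YAML loaders reject duplicate mapping keys and lenient ones silently keep one of the two, so one occurrence should be removed; dropping the newly added line is the smallest fix, leaving the existing `audience: ITPro` in place. The audit-windows-defender.md hunk earlier in this commit adds the same key, but its visible context shows no existing `audience` line, so that one looks fine as far as can be seen here.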
@@ -35,9 +36,9 @@ Controlled folder access is especially useful in helping to protect your documen With Controlled folder access in place, a notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. +The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. -You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019. 
@@ -49,7 +50,7 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. Here is an example query 
@@ -62,13 +63,13 @@ MiscEvents You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app: -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. +1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 1. On the left panel, under **Actions**, click **Import custom view...**. -1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). +1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md). 1. Click **OK**. @@ -83,7 +84,7 @@ Event ID | Description ## In this section Topic | Description ----|--- +-|- [Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created. -[Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network -[Customize controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders. +[Enable controlled folder access](enable-controlled-folders.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network +[Customize controlled folder access](customize-controlled-folders.md) | Add additional protected folders, and allow specified apps to access protected folders. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 55180b158c..9561fe831c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -26,7 +26,7 @@ ms.topic: article Create custom detection rules from [Advanced hunting](overview-hunting.md) queries to automatically check for threat indicators and generate alerts whenever these indicators are found. >[!NOTE] ->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. +>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. For the detection rule to work properly and create alerts, the query must return in each row a set of MachineId, ReportId, EventTime which match to an actual event in advanced hunting. 1. In the navigation pane, select **Advanced hunting**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md similarity index 74% rename from windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md rename to windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md index 2b7dec1738..839daef3d1 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md 
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 05/13/2019 @@ -20,10 +21,10 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. 
@@ -33,21 +34,20 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. +You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. ->[!WARNING] ->This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. +> [!WARNING] +> This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. -Attack surface reduction supports environment variables and wildcards. 
For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). - -Rule description | GUID --|:-:|- +Rule description | GUID +-|-|- Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B 
@@ -62,19 +62,19 @@ Block process creations originating from PSExec and WMI commands | d1e49aac-8f56 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b +Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b -See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. +See the [attack surface reduction](attack-surface-reduction.md) topic for details on each rule. ### Use Group Policy to exclude files and folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. -4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. 
Enter **0** in the **Value** column for each item. +4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. ### Use PowerShell to exclude files and folders @@ -85,10 +85,10 @@ See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) to Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" ``` -Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. +Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. ->[!IMPORTANT] ->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. +> [!IMPORTANT] +> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ### Use MDM CSPs to exclude files and folders @@ -100,7 +100,6 @@ See the [Windows Security](../windows-defender-security-center/windows-defender- ## Related topics -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) -- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) - +* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) +* [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md similarity index 74% rename from windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md rename to windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index 1acfffd14f..3216d16b87 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 05/13/2019 
@@ -20,19 +21,19 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): -- [Add additional folders to be protected](#protect-additional-folders) -- [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) +* [Add additional folders to be protected](#protect-additional-folders) +* [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) ->[!WARNING] ->Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files. +> [!WARNING] +> Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files. > ->This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender-exploit-guard.md) to fully assess the feature's impact. +> This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender.md) to fully assess the feature's impact. ## Protect additional folders 
@@ -42,7 +43,7 @@ You can add additional folders to be protected, but you cannot remove the defaul Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. -You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). You can use the Windows Security app or Group Policy to add and remove additional protected folders. 
@@ -55,14 +56,14 @@ You can use the Windows Security app or Group Policy to add and remove additiona 3. Under the **Controlled folder access** section, click **Protected folders** 4. Click **Add a protected folder** and follow the prompts to add apps. - + ### Use Group Policy to protect additional folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. 4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder. 
@@ -77,10 +78,10 @@ You can use the Windows Security app or Group Policy to add and remove additiona Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app. -![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png) +![Screenshot of a PowerShell window with the cmdlet above entered](../images/cfa-allow-folder-ps.png) ->[!IMPORTANT] ->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. +> [!IMPORTANT] +> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ### Use MDM CSPs to protect additional folders 
@@ -88,17 +89,16 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m ## Allow specific apps to make changes to controlled folders -You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. +You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. ->[!IMPORTANT] ->By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. ->You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. +> [!IMPORTANT] +> By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. +> You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access. An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. 
- ### Use the Windows Defender Security app to allow specific apps 1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -109,15 +109,15 @@ An allowed application or service only has write access to a controlled folder a 4. Click **Add an allowed app** and follow the prompts to add apps. - ![Screenshot of how to add an allowed app button](images/cfa-allow-app.png) + ![Screenshot of how to add an allowed app button](../images/cfa-allow-app.png) ### Use Group Policy to allow specific apps -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. 4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app. 
@@ -135,22 +135,24 @@ An allowed application or service only has write access to a controlled folder a ```PowerShell Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe" ``` + Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app. -![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png) +![Screenshot of a PowerShell window with the above cmdlet entered](../images/cfa-allow-app-ps.png) ->[!IMPORTANT] ->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. +> [!IMPORTANT] +> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ### Use MDM CSPs to allow specific apps -Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. ## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. 
## Related topics -- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) -- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) -- [Evaluate attack surface reduction rules](evaluate-windows-defender-exploit-guard.md) + +* [Protect important folders with controlled folder access](controlled-folders.md) +* [Enable controlled folder access](enable-controlled-folders.md) +* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md similarity index 72% rename from windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index f6197a0a67..64a77031bf 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 03/26/2019 
@@ -20,18 +21,18 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. - + You configure these settings using the Windows Security app on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. - This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. +This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). ->[!WARNING] ->Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network. 
+> [!WARNING] +> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network. ## Exploit protection mitigations 
@@ -39,87 +40,87 @@ All mitigations can be configured for individual apps. Some mitigations can also You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table. -Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On". +Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On". The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults. For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic. Mitigation | Description | Can be applied to | Audit mode available -- | - | - | :-: -Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] -Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] -Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. 
| System and app-level | [!include[Check mark no](images/svg/check-no.svg)] -Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] -Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] -Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] -Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. 
| App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +-|-|-|- +Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. 
| System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] +Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] +Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] +Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] +Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] +Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] +Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] +Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] +Block remote images | Prevents loading of images from remote devices. 
| App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] +Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] +Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] +Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] +Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. 
Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] ->[!IMPORTANT] ->If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: +> [!IMPORTANT] +> If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. 
The following matrix and examples help to illustrate how defaults work: > > ->Enabled in **Program settings** | Enabled in **System settings** | Behavior ->:-: | :-: | :-: ->[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings** ->[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings** ->[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings** ->[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option +> Enabled in **Program settings** | Enabled in **System settings** | Behavior +> -|-|- +> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** +> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** +> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** +> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option > > -> ->- **Example 1** -> +> +> * **Example 1** +> > Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. -> +> > Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. 
-> ->The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. -> -> ->- **Example 2** -> +> +> The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. +> +> +> * **Example 2** +> > Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. > -> Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. +> Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. > > Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. > ->The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. +>The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. >CFG will be enabled for *miles.exe*. ->[!NOTE] ->If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country. +> [!NOTE] +> If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country. ### Configure system-level mitigations with the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. 
Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. - + 3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: - - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation + * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation >[!NOTE] >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. - Changing some settings may require a restart. + Changing some settings may require a restart. 4. Repeat this for all the system-level mitigations you want to configure. 
@@ -127,15 +128,14 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi 1. If the app you want to configure is already listed, click it and then click **Edit** 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - + * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + 6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 7. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. - -You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. +You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. 
@@ -151,33 +151,34 @@ Exporting the configuration as an XML file allows you to copy the configuration You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: ```PowerShell -Get-ProcessMitigation -Name processName.exe +Get-ProcessMitigation -Name processName.exe ``` ->[!IMPORTANT] ->System-level mitigations that have not been configured will show a status of `NOTSET`. +> [!IMPORTANT] +> System-level mitigations that have not been configured will show a status of `NOTSET`. > ->For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. +> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. > ->For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. +> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > ->The default setting for each system-level mitigation can be seen in the Windows Security. +> The default setting for each system-level mitigation can be seen in the Windows Security. Use `Set` to configure each mitigation in the following format: ```PowerShell Set-ProcessMitigation - - ,, ``` + Where: -- \: - - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. - - `-System` to indicate the mitigation should be applied at the system level +* \: + * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. 
+ * `-System` to indicate the mitigation should be applied at the system level - \: - - `-Enable` to enable the mitigation - - `-Disable` to disable the mitigation -- \: - - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. + * `-Enable` to enable the mitigation + * `-Disable` to disable the mitigation +* \: + * The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: @@ -185,8 +186,8 @@ Where: Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation ``` - >[!IMPORTANT] - >Separate each mitigation option with commas. + > [!IMPORTANT] + > Separate each mitigation option with commas. If you wanted to apply DEP at the system level, you'd use the following command: @@ -202,8 +203,7 @@ Where: Set-Processmitigation -Name test.exe -Remove -Disable DEP ``` - - You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. + You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command: 
@@ -215,11 +215,10 @@ You can disable audit mode by using the same command but replacing `-Enable` wit ### PowerShell reference table -This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. +This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. - Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet - | - | - | - Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available 
@@ -228,39 +227,36 @@ Force randomization for images (Mandatory ASLR) | System and app-level | Force Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available Validate heap integrity | System and app-level | TerminateOnError | Audit not available -Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -Block remote images | App-level only | BlockRemoteImages | Audit not available -Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned +Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode +Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad +Block remote images | App-level only | BlockRemoteImages | Audit not available +Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly +Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned Disable extension points | App-level only | ExtensionPoint | Audit not available Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available -Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not 
available +Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available +Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available +Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available +Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available Validate handle usage | App-level only | StrictHandle | Audit not available -Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available - - +Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available +Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available \[1\]: Use the following format to enable EAF modules for dlls for a process: ```PowerShell -Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll +Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` - ## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. 
## Related topics
-- [Protect devices from exploits](exploit-protection-exploit-guard.md)
-- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Evaluate exploit protection](evaluate-exploit-protection.md)
-- [Enable exploit protection](enable-exploit-protection.md)
-- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+* [Protect devices from exploits](exploit-protection.md)
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md
new file mode 100644
index 0000000000..73df2fb5a4
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md
@@ -0,0 +1,87 @@
+---
+title: Compare the features in Exploit protection with EMET
+keywords: emet, enhanced mitigation experience toolkit, configuration, exploit, compare, difference between, versus, upgrade, convert
+description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+author: levinec
+ms.author: ellevin
+ms.date: 08/08/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender
+
+**Applies to:**
+
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+> [!IMPORTANT]
+> If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP.
+>
+> You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
+This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Microsoft Defender ATP.
+Exploit protection in Microsoft Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
+EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques.
+After July 31, 2018, it will not be supported.
+
+For more information about the individual features and mitigations available in Microsoft Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:
+
+* [Protect devices from exploits](exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+
+## Mitigation comparison
+
+The mitigations available in EMET are included in Windows Defender, under the [exploit protection feature](exploit-protection.md).
+
+The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection.
+
+Mitigation | Available in Windows Defender | Available in EMET
+-|-|-
+Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
                  As "Memory Protection Check" +Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
                  As "Load Library Check"
+Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
                  Included natively in Windows 10
                  See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
                  See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] +Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] + +> [!NOTE] +> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender as part of enabling the anti-ROP mitigations for a process. 
+> +> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. + +## Related topics + +* [Protect devices from exploits with Windows Defender](exploit-protection.md) +* [Evaluate exploit protection](evaluate-exploit-protection.md) +* [Enable exploit protection](enable-exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md similarity index 68% rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md rename to windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index b346df9a75..80c8e25156 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 05/13/2019 
@@ -18,7 +19,7 @@ manager: dansimp # Enable attack surface reduction rules -[Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. +[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. Each ASR rule contains three settings: @@ -30,11 +31,11 @@ To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We r You can enable attack surface reduction rules by using any of these methods: -- [Microsoft Intune](#intune) -- [Mobile Device Management (MDM)](#mdm) -- [System Center Configuration Manager (SCCM)](#sccm) -- [Group Policy](#group-policy) -- [PowerShell](#powershell) +* [Microsoft Intune](#intune) +* [Mobile Device Management (MDM)](#mdm) +* [System Center Configuration Manager (SCCM)](#sccm) +* [Group Policy](#group-policy) +* [PowerShell](#powershell) Enterprise-level management such as Intune or SCCM is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup. 
@@ -42,20 +43,20 @@ Enterprise-level management such as Intune or SCCM is recommended. Enterprise-le You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices. ->[!WARNING] ->Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. -> ->If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). - ->[!IMPORTANT] ->File and folder exclusions do not apply to the following ASR rules: +> [!WARNING] +> Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. > ->- Block process creations originating from PSExec and WMI commands ->- Block JavaScript or VBScript from launching downloaded executable content +> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). + +> [!IMPORTANT] +> File and folder exclusions do not apply to the following ASR rules: +> +> * Block process creations originating from PSExec and WMI commands +> * Block JavaScript or VBScript from launching downloaded executable content You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. 
-ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). The following procedures for enabling ASR rules include instructions for how to exclude files and folders. @@ -66,8 +67,8 @@ The following procedures for enabling ASR rules include instructions for how to 2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule. 3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format: - - *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path* + + *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path* 4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one. 
@@ -75,7 +76,7 @@ The following procedures for enabling ASR rules include instructions for how to Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. -The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). +The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules @@ -83,9 +84,9 @@ Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A776 The values to enable, disable, or enable in audit mode are: -- Disable = 0 -- Block (enable ASR rule) = 1 -- Audit = 2 +* Disable = 0 +* Block (enable ASR rule) = 1 +* Audit = 2 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. @@ -95,8 +96,8 @@ OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExc Value: c:\path|e:\path|c:\Whitelisted.exe ->[!NOTE] ->Be sure to enter OMA-URI values without spaces. +> [!NOTE] +> Be sure to enter OMA-URI values without spaces. ## SCCM 
@@ -105,12 +106,12 @@ Value: c:\path|e:\path|c:\Whitelisted.exe 1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. 1. Choose which rules will block or audit actions and click **Next**. 1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +1. After the policy is created, click **Close**. ## Group Policy ->[!WARNING] ->If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. +> [!WARNING] +> If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
@@ -119,15 +120,17 @@ Value: c:\path|e:\path|c:\Whitelisted.exe 3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. 4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section: - - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - - Disable = 0 - - Block (enable ASR rule) = 1 - - Audit = 2 - ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) + * Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: + + * Disable = 0 + * Block (enable ASR rule) = 1 + * Audit = 2 + + ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png) + +5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. -5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. - ## PowerShell >[!WARNING] 
@@ -141,32 +144,32 @@ Value: c:\path|e:\path|c:\Whitelisted.exe Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled ``` - To enable ASR rules in audit mode, use the following cmdlet: + To enable ASR rules in audit mode, use the following cmdlet: - ```PowerShell - Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode ``` - To turn off ASR rules, use the following cmdlet: + To turn off ASR rules, use the following cmdlet: - ```PowerShell - Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled ``` - >[!IMPORTANT] - >You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. - > - >In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: - > - >```PowerShell - >Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode - >``` + > [!IMPORTANT] + > You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. + > + > In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: + > + > ```PowerShell + > Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode + > ``` - You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. + You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. 
- >[!WARNING] - >`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. - >You can obtain a list of rules and their current state by using `Get-MpPreference` + > [!WARNING] + > `Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. + > You can obtain a list of rules and their current state by using `Get-MpPreference` 3. To exclude files and folders from ASR rules, use the following cmdlet: @@ -174,14 +177,13 @@ Value: c:\path|e:\path|c:\Whitelisted.exe Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" ``` - Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. - - >[!IMPORTANT] - >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. + Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. + > [!IMPORTANT] + > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ## Related topics -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) -- [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) +* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) +* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) +* [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md similarity index 58% rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md rename to windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 7ed8ec4621..a7ff6da08f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 05/13/2019 
@@ -20,24 +21,25 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is included with Windows 10 and Windows Server 2019. +[Controlled folder access](controlled-folders.md) helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is included with Windows 10 and Windows Server 2019. You can enable controlled folder access by using any of these methods: -- [Windows Security app](#windows-security-app) -- [Microsoft Intune](#intune) -- [Mobile Device Management (MDM)](#mdm) -- [System Center Configuration Manager (SCCM)](#sccm) -- [Group Policy](#group-policy) -- [PowerShell](#powershell) +* [Windows Security app](#windows-security-app) +* [Microsoft Intune](#intune) +* [Mobile Device Management (MDM)](#mdm) +* [System Center Configuration Manager (SCCM)](#sccm) +* [Group Policy](#group-policy) +* [PowerShell](#powershell) [Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine. Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. 
These policies include: -- Windows Defender Antivirus **Configure local administrator merge behavior for lists** -- System Center Endpoint Protection **Allow users to add exclusions and overrides** + +* Windows Defender Antivirus **Configure local administrator merge behavior for lists** +* System Center Endpoint Protection **Allow users to add exclusions and overrides** For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). @@ -49,9 +51,9 @@ For more information about disabling local list merging, see [Prevent or allow u 3. Set the switch for **Controlled folder access** to **On**. ->[!NOTE] ->If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. ->If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. +> [!NOTE] +> If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. +> If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. >If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive. 
@@ -60,21 +62,21 @@ For more information about disabling local list merging, see [Prevent or allow u 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. 1. Click **Device configuration** > **Profiles** > **Create profile**. 1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) -1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. -1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. + ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) +1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. +1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. - ![Enable controlled folder access in Intune](images/enable-cfa-intune.png) + ![Enable controlled folder access in Intune](../images/enable-cfa-intune.png) - >[!NOTE] - >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. + > [!NOTE] + > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. -1. Click **OK** to save each open blade and click **Create**. +1. Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. 
-## MDM +## MDM -Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. ## SCCM 
@@ -82,28 +84,28 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt 2. Click **Home** > **Create Exploit Guard Policy**. 3. Enter a name and a description, click **Controlled folder access**, and click **Next**. 4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. - >[!NOTE] - >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. + > [!NOTE] + > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. 5. Review the settings and click **Next** to create the policy. -6. After the policy is created, click **Close**. +6. After the policy is created, click **Close**. ## Group Policy -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. -6. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. 
In the options section you must specify one of the following: - - **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log - - **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. - - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. +4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following: + * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log + * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. + * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. - ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](images/cfa-gp-enable.png) + ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](../images/cfa-gp-enable.png) ->[!IMPORTANT] ->To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. +> [!IMPORTANT] +> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. ## PowerShell 
@@ -121,6 +123,6 @@ Use `Disabled` to turn the feature off. ## Related topics -- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) -- [Customize controlled folder access](customize-controlled-folders-exploit-guard.md) -- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md) +* [Protect important folders with controlled folder access](controlled-folders.md) +* [Customize controlled folder access](customize-controlled-folders.md) +* [Evaluate Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md similarity index 70% rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index e3fd820ba9..76bada624f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 05/09/2019 
@@ -20,93 +21,93 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Exploit protection](exploit-protection-exploit-guard.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps. +[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps. -Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. +Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. You can enable each mitigation separately by using any of these methods: -- [Windows Security app](#windows-security-app) -- [Microsoft Intune](#intune) -- [Mobile Device Management (MDM)](#mdm) -- [System Center Configuration Manager (SCCM)](#sccm) -- [Group Policy](#group-policy) -- [PowerShell](#powershell) +* [Windows Security app](#windows-security-app) +* [Microsoft Intune](#intune) +* [Mobile Device Management (MDM)](#mdm) +* [System Center Configuration Manager (SCCM)](#sccm) +* [Group Policy](#group-policy) +* [PowerShell](#powershell) -They are configured by default in Windows 10. +They are configured by default in Windows 10. -You can set each mitigation to on, off, or to its default value. +You can set each mitigation to on, off, or to its default value. 
Some mitigations have additional options. -You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines. +You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines. ## Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. - + 3. Go to **Program settings** and choose the app you want to apply mitigations to: 1. If the app you want to configure is already listed, click it and then click **Edit** 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - + * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat this for all the apps and mitigations you want to configure. +5. 
Repeat this for all the apps and mitigations you want to configure. -3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: - - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation +6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: + * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation -5. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. 
If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: Enabled in **Program settings** | Enabled in **System settings** | Behavior -:-: | :-: | :-: -[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings** -[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings** -[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings** -[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option +-|-|- +[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** +[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** +[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** +[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option + +**Example 1** -**Example 1** - Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. 
There are no other apps listed in the **Program settings** section. - + The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. **Example 2** Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. -Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. +Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. -The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. +The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. - + 3. Go to **Program settings** and choose the app you want to apply mitigations to: 1. If the app you want to configure is already listed, click it and then click **Edit** 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. 
You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - + * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. 
@@ -116,11 +117,11 @@ CFG will be enabled for *miles.exe*. 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. 1. Click **Device configuration** > **Profiles** > **Create profile**. 1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) + ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) 1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. 1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: - ![Enable network protection in Intune](images/enable-ep-intune.png) -1. Click **OK** to save each open blade and click **Create**. + ![Enable network protection in Intune](../images/enable-ep-intune.png) +1. Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM 
@@ -134,50 +135,51 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt 1. Enter a name and a description, click **Exploit protection**, and click **Next**. 1. Browse to the location of the exploit protection XML file and click **Next**. 1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +1. After the policy is created, click **Close**. ## Group Policy -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. +1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. -6. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. +1. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. ## PowerShell You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. 
Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: ```PowerShell -Get-ProcessMitigation -Name processName.exe +Get-ProcessMitigation -Name processName.exe ``` ->[!IMPORTANT] ->System-level mitigations that have not been configured will show a status of `NOTSET`. +> [!IMPORTANT] +> System-level mitigations that have not been configured will show a status of `NOTSET`. > ->For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. +> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. > ->For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. +> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > ->The default setting for each system-level mitigation can be seen in the Windows Security. +> The default setting for each system-level mitigation can be seen in the Windows Security. Use `Set` to configure each mitigation in the following format: ```PowerShell Set-ProcessMitigation - - ,, ``` + Where: -- \: - - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. - - `-System` to indicate the mitigation should be applied at the system level -- \: - - `-Enable` to enable the mitigation - - `-Disable` to disable the mitigation -- \: - - The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. +* \: + * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. 
+ * `-System` to indicate the mitigation should be applied at the system level +* \: + * `-Enable` to enable the mitigation + * `-Disable` to disable the mitigation +* \: + * The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: @@ -185,8 +187,8 @@ For example, to enable the Data Execution Prevention (DEP) mitigation with ATL t Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation ``` ->[!IMPORTANT] ->Separate each mitigation option with commas. +> [!IMPORTANT] +> Separate each mitigation option with commas. If you wanted to apply DEP at the system level, you'd use the following command: @@ -202,8 +204,7 @@ If you need to restore the mitigation back to the system default, you need to in Set-Processmitigation -Name test.exe -Remove -Disable DEP ``` -This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. - +This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet - | - | - | - 
@@ -213,39 +214,35 @@ Force randomization for images (Mandatory ASLR) | System and app-level | Force Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available -Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -Block remote images | App-level only | BlockRemoteImages | Audit not available -Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned +Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode +Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad +Block remote images | App-level only | BlockRemoteImages | Audit not available +Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly +Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned Disable extension points | App-level only | ExtensionPoint | Audit not available Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available -Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not 
available +Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available +Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available +Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available +Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available Validate handle usage | App-level only | StrictHandle | Audit not available -Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available - - +Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available +Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available \[1\]: Use the following format to enable EAF modules for dlls for a process: ```PowerShell -Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll +Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` - ## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. 
- ## Related topics
-- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Evaluate exploit protection](evaluate-exploit-protection.md)
-- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
similarity index 58%
rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
rename to windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
index dc62facca9..97a6409ed0 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.reviewer:
@@ -20,31 +21,29 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. You can enable network protection by using any of these methods: -- [Microsoft Intune](#intune) -- [Mobile Device Management (MDM)](#mdm) -- [System Center Configuration Manager (SCCM)](#sccm) -- [Group Policy](#group-policy) -- [PowerShell](#powershell) +* [Microsoft Intune](#intune) +* [Mobile Device Management (MDM)](#mdm) +* [System Center Configuration Manager (SCCM)](#sccm) +* [Group Policy](#group-policy) +* [PowerShell](#powershell) ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -2. Click **Device configuration** > **Profiles** > **Create profile**. -3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) -4. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. - - ![Enable network protection in Intune](images/enable-np-intune.png) - -5. Click **OK** to save each open blade and click **Create**. -6. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. 
+1. Click **Device configuration** > **Profiles** > **Create profile**. +1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. + ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) +1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. + ![Enable network protection in Intune](../images/enable-np-intune.png) +1. Click **OK** to save each open blade and click **Create**. +1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM 
@@ -57,60 +56,58 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d 1. Enter a name and a description, click **Network protection**, and click **Next**. 1. Choose whether to block or audit access to suspicious domains and click **Next**. 1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +1. After the policy is created, click **Close**. -## Group Policy +## Group Policy -You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. +You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. -1. On a standalone computer, click **Start**, type and then click **Edit group policy**. +1. On a standalone computer, click **Start**, type and then click **Edit group policy**. -Or- - + On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. 4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following: - - **Block** - Users will not be able to access malicious IP addresses and domains - - **Disable (Default)** - The Network protection feature will not work. 
Users will not be blocked from accessing malicious domains - - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. + * **Block** - Users will not be able to access malicious IP addresses and domains + * **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains + * **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. ->[!IMPORTANT] ->To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. +> [!IMPORTANT] +> To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. You can confirm network protection is enabled on a local computer by using Registry editor: 1. Click **Start** and type **regedit** to open **Registry Editor**. 1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -1. Click **EnableNetworkProtection** and confirm the value: - - 0=Off - - 1=On - - 2=Audit +1. Click **EnableNetworkProtection** and confirm the value: + * 0=Off + * 1=On + * 2=Audit ## PowerShell 1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: - ``` + ```PowerShell Set-MpPreference -EnableNetworkProtection Enabled ``` You can enable the feature in audit mode using the following cmdlet: -``` +```PowerShell Set-MpPreference -EnableNetworkProtection AuditMode ``` Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off. 
- ## Related topics
-- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
-- [Network protection](network-protection-exploit-guard.md)
-- [Evaluate network protection](evaluate-network-protection.md)
-- [Troubleshoot network protection](troubleshoot-np.md)
+* [Network protection](network-protection.md)
+* [Evaluate network protection](evaluate-network-protection.md)
+* [Troubleshoot network protection](troubleshoot-np.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
index c589b30285..9ccbcfb220 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
@@ -19,25 +19,30 @@ ms.topic: conceptual --- # Evaluate Microsoft Defender ATP + [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. You can evaluate Microsoft Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp). -You can also evaluate the different security capabilities in Microsoft Defender ATP by using the following instructions. +You can also evaluate the different security capabilities in Microsoft Defender ATP by using the following instructions. ## Evaluate attack surface reduction + These capabilities help prevent attacks and exploitations from infecting your organization. -- [Evaluate attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md) -- [Evaluate exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md) -- [Evaluate network protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md) -- [Evaluate controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md) + +- [Evaluate attack surface reduction](./evaluate-attack-surface-reduction.md) +- [Evaluate exploit protection](./evaluate-exploit-protection.md) +- [Evaluate network protection](./evaluate-exploit-protection.md) +- [Evaluate controlled folder access](./evaluate-controlled-folder-access.md) - [Evaluate application guard](../windows-defender-application-guard/test-scenarios-wd-app-guard.md) - [Evaluate network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) ## Evaluate next generation protection + Next gen protections help detect and block the latest threats. 
+ - [Evaluate antivirus](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md) - ## See Also + [Get started with Microsoft Defender Advanced Threat Protection](get-started.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
similarity index 68%
rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
index 145da203d5..271622f774 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/02/2019
@@ -20,14 +21,14 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization. ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> [!TIP] +> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Use audit mode to measure impact 
@@ -43,42 +44,27 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode This enables all attack surface reduction rules in audit mode. ->[!TIP] ->If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md). +> [!TIP] +> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md). ## Review attack surface reduction events in Windows Event Viewer To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events. - -| Event ID | Description | -|----------|-------------| -|5007 | Event when settings are changed | -| 1121 | Event when an attack surface reduction rule fires in block mode | -| 1122 | Event when an attack surface reduction rule fires in audit mode | + Event ID | Description +-|- + 5007 | Event when settings are changed + 1121 | Event when an attack surface reduction rule fires in block mode + 1122 | Event when an attack surface reduction rule fires in audit mode ## Customize attack surface reduction rules -During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. 
+During your evaluation, you may wish to configure each rule individually or exclude certain files and processes from being evaluated by the feature. See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. ## Related topics -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) -- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) - - - - - - - - - - - - - +* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) +* [Use audit mode to evaluate Windows Defender](audit-windows-defender.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
similarity index 61%
rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
index 08d11df095..5f8fc8a0da 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 11/16/2018
@@ -20,16 +21,16 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. +[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization. ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> [!TIP] +> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Use audit mode to measure impact 
@@ -43,27 +44,28 @@ To enable audit mode, use the following PowerShell cmdlet: Set-MpPreference -EnableControlledFolderAccess AuditMode ``` ->[!TIP] ->If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders-exploit-guard.md). +> [!TIP] +> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). ## Review controlled folder access events in Windows Event Viewer The following controlled folder access events appear in Windows Event Viewer under Microsoft/Windows/Windows Defender/Operational folder. -| Event ID | Description | -| --- | --- | -| 5007 | Event when settings are changed | -| 1124 | Audited controlled folder access event | -| 1123 | Blocked controlled folder access event | +Event ID | Description +-|- + 5007 | Event when settings are changed + 1124 | Audited controlled folder access event + 1123 | Blocked controlled folder access event ## Customize protected folders and apps -During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. +During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. -See [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. 
+See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. ## Related topics -- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) -- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md) -- [Use audit mode](audit-windows-defender-exploit-guard.md) + +* [Protect important folders with controlled folder access](controlled-folders.md) +* [Evaluate Microsoft Defender ATP]../(microsoft-defender-atp/evaluate-atp.md) +* [Use audit mode](audit-windows-defender.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
similarity index 57%
rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
index 4d7e28279c..4d70c50373 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/02/2019
@@ -20,70 +21,69 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Exploit protection](exploit-protection-exploit-guard.md) helps protect devices from malware that uses exploits to spread and infect other devices. +[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. It consists of a number of mitigations that can be applied to either the operating system or an individual app. -Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. +Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. -This topic helps you enable exploit protection in audit mode and review related events in Event Viewer. +This topic helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode for certain app-level mitigations to see how they will work in a test environment. This lets you see a record of what *would* have happened if you had enabled the mitigation in production. You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur. ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works. +> [!TIP] +> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works. 
## Enable exploit protection in audit mode -You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell. +You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell. ### Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. - + 3. Go to **Program settings** and choose the app you want to apply mitigations to: 1. If the app you want to configure is already listed, click it and then click **Edit** 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - + * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. 
### PowerShell -To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet. +To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet. Configure each mitigation in the following format: - ```PowerShell Set-ProcessMitigation - - ,, ``` Where: -- \: - - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. -- \: - - `-Enable` to enable the mitigation - - `-Disable` to disable the mitigation -- \: - - The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma. +* \: + * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. +* \: + * `-Enable` to enable the mitigation + * `-Disable` to disable the mitigation +* \: + * The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma. -| Mitigation | Audit mode cmdlet | -| - | - | -|Arbitrary code guard (ACG) | AuditDynamicCode | -|Block low integrity images | AuditImageLoad | -|Block untrusted fonts | AuditFont, FontAuditOnly | -|Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned | -|Disable Win32k system calls | AuditSystemCall | -|Do not allow child processes | AuditChildProcess | + Mitigation | Audit mode cmdlet +-|- + Arbitrary code guard (ACG) | AuditDynamicCode + Block low integrity images | AuditImageLoad + Block untrusted fonts | AuditFont, FontAuditOnly + Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned + Disable Win32k system calls | AuditSystemCall + Do not allow child processes | AuditChildProcess For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command: 
@@ -98,21 +98,21 @@ You can disable audit mode by replacing `-Enable` with `-Disable`. To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log. Feature | Provider/source | Event ID | Description -:-|:-|:-:|:- -Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit -Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit -Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit -Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit -Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit -Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit +-|-|-|- + Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit + Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit + Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit + Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit + Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit + Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit ## Related topics -- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Enable exploit protection](enable-exploit-protection.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) -- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) -- [Enable network 
protection](enable-network-protection.md) -- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) -- [Enable attack surface reduction](enable-attack-surface-reduction.md) +* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) +* [Enable exploit protection](enable-exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) +* [Enable network protection](enable-network-protection.md) +* [Enable controlled folder access](enable-controlled-folders.md) +* [Enable attack surface reduction](enable-attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
similarity index 76%
rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
index 5015d0f283..6e3840831e 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/10/2019
@@ -20,15 +21,14 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +[Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain. - ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work. +> [!TIP] +> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work. ## Enable network protection in audit mode 
@@ -51,10 +51,10 @@ You might want to do this to make sure it doesn't affect line-of-business apps o The network connection will be allowed and a test message will be displayed. -![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png) - +![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](../images/np-notif.png) + ## Review network protection events in Windows Event Viewer - + To review apps that would have been blocked, open Event Viewer and filter for Event ID 1125 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events. | Event ID | Provide/Source | Description |
@@ -63,10 +63,8 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev |1125 | Windows Defender (Operational) | Event when a network connection is audited | |1126 | Windows Defender (Operational) | Event when a network connection is blocked | - ## Related topics -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) -- [Network protection](network-protection-exploit-guard.md) -- [Enable network protection](enable-network-protection.md) -- [Troubleshoot network protection](troubleshoot-np.md) +* [Network protection](network-protection.md) +* [Enable network protection](enable-network-protection.md) +* [Troubleshoot network protection](troubleshoot-np.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index 9b2eecd333..f75898aa98 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -43,25 +43,32 @@ When you access the evaluation lab for the first time, you'll find an introducti It's a good idea to read the guide before starting the evaluation process so that you can conduct a thorough assessment of the platform. +>[!NOTE] +>- Each environment is provisioned with only three test machines. +>- Each machine will be available for only three days from the day of activation. +>- When you've used up these three machines, no new machines are provided. +Deleting a machine does not refresh the available test machine count. +>- Given the limited resources, it’s advisable to use the machines carefully. + ## Evaluation setup When you add a machine to your environment, Microsoft Defender ATP sets up a well-configured machine with connection details. The machine will be configured with the most up to date version of Windows 10 and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals. The machine will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side. 
- The following security components are pre-configured in the test machines: + The following security components are pre-configured in the test machines: - - [Attack Surface Reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) - - [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) - - [Controlled Folder Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) - - [Exploit Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection) - - [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) - - [Potentially unwanted application detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) - - [Cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) - - [Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview) +- [Attack Surface Reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) +- [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) +- [Controlled Folder Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) +- 
[Exploit Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection) +- [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) +- [Potentially unwanted application detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) +- [Cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) +- [Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview) - >[!NOTE] - > Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). +>[!NOTE] +> Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md). 
@@ -78,7 +85,11 @@ Automated investigation settings will be dependent on tenant settings. It will b 3. Select **Add machine**. >[!WARNING] - > The evaluation environment can only be provisioned up to three test machines. Each machine will only be available for three days from the day of activation. + >- Each environment is provisioned with only three test machines. + >- Each machine will be available for only three days from the day of activation. + >- When you've used up these three machines, no new machines are provided. + Deleting a machine does not refresh the available test machine count. + >- Given the limited resources, it’s advisable to use the machines carefully. ![Image of add machine](images/evaluation-add-machine.png)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/event-views.md
similarity index 90%
rename from windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
rename to windows/security/threat-protection/microsoft-defender-atp/event-views.md
index 5652a45bd4..2fe08915a1 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/event-views.md
@@ -11,9 +11,11 @@ ms.sitesec: library
 ms.pagetype: security
 ms.date: 04/16/2018
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 03/26/2019
+manager: dansimp
 ---
 
 # View attack surface reduction events
@@ -28,7 +30,7 @@ Reviewing the events is also handy when you are evaluating the features, as you This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). +You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). ## Use custom views to review attack surface reduction capabilities 
@@ -36,45 +38,43 @@ You can create custom views in the Windows Event Viewer to only see events for s The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page. -You can also manually navigate to the event area that corresponds to the feature. +You can also manually navigate to the event area that corresponds to the feature. ### Import an existing XML custom view 1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml): - - Controlled folder access events custom view: *cfa-events.xml* - - Exploit protection events custom view: *ep-events.xml* - - Attack surface reduction events custom view: *asr-events.xml* - - Network/ protection events custom view: *np-events.xml* + - Controlled folder access events custom view: *cfa-events.xml* + - Exploit protection events custom view: *ep-events.xml* + - Attack surface reduction events custom view: *asr-events.xml* + - Network/ protection events custom view: *np-events.xml* 1. Type **event viewer** in the Start menu and open **Event Viewer**. -3. Click **Action** > **Import Custom View...** +1. Click **Action** > **Import Custom View...** - ![Animation highlighting Import custom view on the left of the Even viewer window](images/events-import.gif) + ![Animation highlighting Import custom view on the left of the Even viewer window](../images/events-import.gif) -4. Navigate to where you extracted XML file for the custom view you want and select it. +1. Navigate to where you extracted XML file for the custom view you want and select it. -4. Click **Open**. - -5. This will create a custom view that filters to only show the events related to that feature. +1. Click **Open**. +1. This will create a custom view that filters to only show the events related to that feature. ### Copy the XML directly - 1. 
Type **event viewer** in the Start menu and open the Windows **Event Viewer**. -3. On the left panel, under **Actions**, click **Create Custom View...** +1. On the left panel, under **Actions**, click **Create Custom View...** - ![Animation highlighting the create custom view option on the Event viewer window](images/events-create.gif) + ![Animation highlighting the create custom view option on the Event viewer window](../images/events-create.gif) -4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**. +1. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**. -5. Paste the XML code for the feature you want to filter events from into the XML section. +1. Paste the XML code for the feature you want to filter events from into the XML section. -4. Click **OK**. Specify a name for your filter. +1. Click **OK**. Specify a name for your filter. -5. This will create a custom view that filters to only show the events related to that feature. +1. This will create a custom view that filters to only show the events related to that feature. ### XML for attack surface reduction rule events @@ -131,7 +131,6 @@ You can also manually navigate to the event area that corresponds to the feature ## List of attack surface reduction events - All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. You can access these events in Windows Event viewer: 
@@ -140,7 +139,7 @@ You can access these events in Windows Event viewer: 2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below. 3. Double-click on the sub item to see events. Scroll through the events to find the one you are looking. - ![Animation showing using Event Viewer](images/event-viewer.gif) + ![Animation showing using Event Viewer](../images/event-viewer.gif) Feature | Provider/source | Event ID | Description :-|:-|:-:|:- 
@@ -171,13 +170,13 @@ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 24 | ROP Sim Exploit protection | WER-Diagnostics | 5 | CFG Block Exploit protection | Win32K (Operational) | 260 | Untrusted Font Network protection | Windows Defender (Operational) | 5007 | Event when settings are changed -Network protection | Windows Defender (Operational) | 1125 | Event when Network protection fires in Audit-mode -Network protection | Windows Defender (Operational) | 1126 | Event when Network protection fires in Block-mode +Network protection | Windows Defender (Operational) | 1125 | Event when Network protection fires in Audit-mode +Network protection | Windows Defender (Operational) | 1126 | Event when Network protection fires in Block-mode Controlled folder access | Windows Defender (Operational) | 5007 | Event when settings are changed Controlled folder access | Windows Defender (Operational) | 1124 | Audited Controlled folder access event Controlled folder access | Windows Defender (Operational) | 1123 | Blocked Controlled folder access event Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Controlled folder access sector write block event Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed -Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode -Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode +Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode +Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
new file mode 100644
index 0000000000..568f45096f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@@ -0,0 +1,137 @@ +--- +title: Apply mitigations to help prevent attacks through vulnerabilities +keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet +description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET. +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +author: levinec +ms.author: ellevin +ms.date: 04/02/2019 +ms.reviewer: +manager: dansimp +--- + +# Protect devices from exploits + +**Applies to:** + +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803. + +> [!TIP] +> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. + +Exploit protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). + +You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once. + +When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. 
You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. + +You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled. + +Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Exploit protection](emet-exploit-protection.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. + +> [!IMPORTANT] +> If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. + +> [!WARNING] +> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender.md) before deploying the configuration across a production environment or the rest of your network. + +## Review exploit protection events in the Microsoft Security Center + +Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. 
+ +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how exploit protection settings could affect your environment. + +Here is an example query: + +```PowerShell +MiscEvents +| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection' +``` + +## Review exploit protection events in Windows Event Viewer + +You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app: + +Provider/source | Event ID | Description +-|-|- +Security-Mitigations | 1 | ACG audit +Security-Mitigations | 2 | ACG enforce +Security-Mitigations | 3 | Do not allow child processes audit +Security-Mitigations | 4 | Do not allow child processes block +Security-Mitigations | 5 | Block low integrity images audit +Security-Mitigations | 6 | Block low integrity images block +Security-Mitigations | 7 | Block remote images audit +Security-Mitigations | 8 | Block remote images block +Security-Mitigations | 9 | Disable win32k system calls audit +Security-Mitigations | 10 | Disable win32k system calls block +Security-Mitigations | 11 | Code integrity guard audit +Security-Mitigations | 12 | Code integrity guard block +Security-Mitigations | 13 | EAF audit +Security-Mitigations | 14 | EAF enforce +Security-Mitigations | 15 | EAF+ audit +Security-Mitigations | 16 | EAF+ enforce +Security-Mitigations | 17 | IAF audit +Security-Mitigations | 18 | IAF enforce +Security-Mitigations | 19 | ROP StackPivot audit +Security-Mitigations | 20 | ROP StackPivot enforce +Security-Mitigations | 21 | ROP CallerCheck audit +Security-Mitigations | 22 | ROP CallerCheck enforce +Security-Mitigations | 23 | ROP SimExec audit +Security-Mitigations | 24 | ROP SimExec enforce +WER-Diagnostics 
| 5 | CFG Block +Win32K | 260 | Untrusted Font + +## Mitigation comparison + +The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server 2016 (starting with version 1803), under [Exploit protection](exploit-protection.md). + +The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. + +Mitigation | Available under Exploit protection | Available in EMET +-|-|- +Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
                  As "Memory Protection Check" +Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
                  As "Load Library Check" +Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
                  Included natively in Windows 10
                  See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] +Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)] +Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
                  See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] +Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] + +> [!NOTE] +> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. 
+> +> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. + +## Related topics + +* [Protect devices from exploits](exploit-protection.md) +* [Evaluate exploit protection](evaluate-exploit-protection.md) +* [Enable exploit protection](enable-exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md index 34c8475792..b90c36d11c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md @@ -26,9 +26,9 @@ ms.date: 09/24/2018 Full scenario using multiple APIs from Microsoft Defender ATP. In this section we share PowerShell samples to - - Retrieve a token - - Use token to retrieve the latest alerts in Microsoft Defender ATP - - For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL. +- Retrieve a token +- Use token to retrieve the latest alerts in Microsoft Defender ATP +- For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL. >**Prerequisite**: You first need to [create an app](apis-intro.md). 
@@ -117,4 +117,3 @@ $response - [Microsoft Defender ATP APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Advanced Hunting using Python](run-advanced-query-sample-python.md) -- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md index bd6891a8c2..badfd2aed7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md @@ -53,8 +53,8 @@ Do you expect a machine to be in ‘Active’ status? [Open a support ticket](ht ## Misconfigured machines Misconfigured machines can further be classified to: - - Impaired communications - - No sensor data +- Impaired communications +- No sensor data ### Impaired communications This status indicates that there's limited communication between the machine and the service. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started.md b/windows/security/threat-protection/microsoft-defender-atp/get-started.md deleted file mode 100644 index 8b6890297b..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/get-started.md +++ /dev/null 
@@ -1,74 +0,0 @@ ---- -title: Get started with Microsoft Defender Advanced Threat Protection -ms.reviewer: -description: Learn about the minimum requirements and initial steps you need to take to get started with Microsoft Defender ATP. -keywords: get started, minimum requirements, setup, subscription, features, data storage, privacy, user access -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 11/20/2018 ---- - -# Get started with Microsoft Defender Advanced Threat Protection -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - ->[!TIP] ->- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). ->- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). - -Learn about the minimum requirements and initial steps you need to take to get started with Microsoft Defender ATP. - -The following capabilities are available across multiple products that make up the Microsoft Defender ATP platform. - -**Threat & Vulnerability Management**
                  -Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. This infrastructure correlates endpoint detection and response (EDR) insights with endpoint vulnerabilities real-time, thus reducing organizational vulnerability exposure and increasing threat resilience. - -**Attack surface reduction**
                  -The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. - -**Next generation protection**
                  -To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. - -**Endpoint detection and response**
                  -Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. - -**Auto investigation and remediation**
                  -In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - -**Secure score**
                  -Microsoft Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network. - -**Microsoft Threat Experts**
                  -Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365. - -**Advanced hunting**
                  -Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Microsoft Defender Security Center. - -**Management and APIs**
                  -Integrate Microsoft Defender Advanced Threat Protection into your existing workflows. - -**Microsoft threat protection**
                  -Bring the power of Microsoft Threat Protection to your organization. - -## In this section -Topic | Description -:---|:--- -[Minimum requirements](minimum-requirements.md) | Learn about the requirements for onboarding machines to the platform. -[Validate licensing and complete setup](licensing.md) | Get guidance on how to check that licenses have been provisioned to your organization and how to access the portal for the first time. -[Preview features](preview.md) | Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. -[Data storage and privacy](data-storage-privacy.md) | Explains the data storage and privacy details related to Microsoft Defender ATP. -[Assign user access to the portal](assign-portal-access.md) | Set permissions to manage who can access the portal. You can set basic permissions or set granular permissions using role-based access control (RBAC). -[Evaluate Microsoft Defender ATP](evaluate-atp.md) | Evaluate the various capabilities in Microsoft Defender ATP and test features out. -[Access the Microsoft Defender Security Center Community Center](community.md) | The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png new file mode 100644 index 0000000000..69836b943c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-0.png b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-0.png
new file mode 100644
index 0000000000..7cbc10748b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-0.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-1.png
new file mode 100644
index 0000000000..07d00ddf20
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-2.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-2.PNG
new file mode 100644
index 0000000000..3afdf8262b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-2.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-3.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-3.PNG
new file mode 100644
index 0000000000..1db4fe594a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-3.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-4.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-4.PNG
new file mode 100644
index 0000000000..857188379d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-4.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-5.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-5.PNG
new file mode 100644
index 0000000000..9c85162428
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-5.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png
new file mode 100644
index 0000000000..2f027e9054
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png
new file mode 100644
index 0000000000..741770b06a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png
new file mode 100644
index 0000000000..615e107f78
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/condition1.png b/windows/security/threat-protection/microsoft-defender-atp/images/condition1.png
new file mode 100644
index 0000000000..fb441257c0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/condition1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/condition2.png b/windows/security/threat-protection/microsoft-defender-atp/images/condition2.png
new file mode 100644
index 0000000000..e57b9d3fe4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/condition2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png b/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png
new file mode 100644
index 0000000000..25b0fe742a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png
new file mode 100644
index 0000000000..714a61e399
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png b/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png
new file mode 100644
index 0000000000..13d572f10f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png
new file mode 100644
index 0000000000..3d274ebf9f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow-recurrence.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow-recurrence.png
new file mode 100644
index 0000000000..01ad9116f0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/flow-recurrence.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow2.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow2.png
new file mode 100644
index 0000000000..647008af7d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/flow2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png b/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png
new file mode 100644
index 0000000000..68eb6483c1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/http-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/http-flow.png
new file mode 100644
index 0000000000..71e3aa0e9f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/http-flow.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png
new file mode 100644
index 0000000000..7d64c71ac8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-flow.png new file mode 100644 index 0000000000..3a2b7563bf Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-flow.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png new file mode 100644 index 0000000000..2c6069ab3d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png new file mode 100644 index 0000000000..6931f21e5a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-query-results.png b/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-query-results.png deleted file mode 100644 index b94ee3a009..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-query-results.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png b/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png new file mode 100644 index 0000000000..43a41fbd3b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png b/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png new file mode 100644 index 0000000000..f4f0bca971 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md similarity index 61% rename from windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md rename to windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md index 676188aa12..c46302a04f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 04/30/2018 
@@ -20,13 +21,11 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection. +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection. You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings. 
@@ -34,7 +33,7 @@ You can also convert and import an existing EMET configuration XML file into an This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration. -The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic. +The [Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic. ## Create and export a configuration file 
@@ -50,14 +49,14 @@ When you have configured exploit protection to your desired state (including bot 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**: - ![Highlight of the Exploit protection settings option in the Windows Security app](images/wdsc-exp-prot.png) - + ![Highlight of the Exploit protection settings option in the Windows Security app](../images/wdsc-exp-prot.png) + 3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved. -![Highlight of the Export Settings option](images/wdsc-exp-prot-export.png) +![Highlight of the Export Settings option](../images/wdsc-exp-prot-export.png) ->[!NOTE] ->When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings. +> [!NOTE] +> When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings. ### Use PowerShell to export a configuration file @@ -65,7 +64,7 @@ When you have configured exploit protection to your desired state (including bot 2. Enter the following cmdlet: ```PowerShell - Get-ProcessMitigation -RegistryConfigFilePath filename.xml + Get-ProcessMitigation -RegistryConfigFilePath filename.xml ``` Change `filename` to any name or location of your choosing. 
@@ -74,7 +73,7 @@ Example command **Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml** > [!IMPORTANT] -> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. +> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. ## Import a configuration file @@ -84,12 +83,11 @@ After importing, the settings will be instantly applied and can be reviewed in t ### Use PowerShell to import a configuration file - 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell - Set-ProcessMitigation -PolicyFilePath filename.xml + Set-ProcessMitigation -PolicyFilePath filename.xml ``` Change `filename` to the location and name of the exploit protection XML file. @@ -97,11 +95,9 @@ Change `filename` to the location and name of the exploit protection XML file. Example command **Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml** - ->[!IMPORTANT] +> [!IMPORTANT] > ->Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first. - +> Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first. ## Convert an EMET configuration file to an exploit protection configuration file 
@@ -109,14 +105,13 @@ You can convert an existing EMET configuration file to the new format used by ex You can only do this conversion in PowerShell. ->[!WARNING] +> [!WARNING] > ->You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work. +> You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work. > ->However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file. +> However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file. > ->You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection. - +> You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection. 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: 
@@ -127,46 +122,45 @@ You can only do this conversion in PowerShell. Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use. ->[!IMPORTANT] +> [!IMPORTANT] > ->If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured: +> If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured: > > 1. Open the PowerShell-converted XML file in a text editor. > 2. Search for `ASLR ForceRelocateImages="false"` and change it to `ASLR ForceRelocateImages="true"` for each app that you want Mandatory ASLR to be enabled. - ## Manage or deploy a configuration You can use Group Policy to deploy the configuration you've created to multiple machines in your network. > [!IMPORTANT] -> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location. +> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location. ### Use Group Policy to distribute the configuration -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**. +3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**. - ![Screenshot of the group policy setting for exploit protection](images/exp-prot-gp.png) + ![Screenshot of the group policy setting for exploit protection](../images/exp-prot-gp.png) -6. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**. +4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**. -7. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples: - - C:\MitigationSettings\Config.XML - - \\\Server\Share\Config.xml - - https://localhost:8080/Config.xml - - C:\ExploitConfigfile.xml +5. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples: -8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). + * C:\MitigationSettings\Config.XML + * \\\Server\Share\Config.xml + * https://localhost:8080/Config.xml + * C:\ExploitConfigfile.xml +6. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). 
## Related topics -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Enable exploit protection](enable-exploit-protection.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +* [Protect devices from exploits](exploit-protection.md) +* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) +* [Evaluate exploit protection](evaluate-exploit-protection.md) +* [Enable exploit protection](enable-exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md deleted file mode 100644 index 3defa8692a..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md +++ /dev/null 
@@ -1,38 +0,0 @@
----
-title: Incidents queue in Microsoft Defender ATP
-description:
-keywords: incidents, aggregate, investigations, queue, ttp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Incidents in Microsoft Defender ATP
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and procedures (TTPs) on the network, Microsoft Defender ATP will quickly trigger alerts and launch matching automatic investigations.
-
-Microsoft Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
-
-
-## In this section
-
-Topic | Description
-:---|:---
-[View and organize the Incidents queue](view-incidents-queue.md)| See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
-[Manage incidents](manage-incidents.md) | Learn how to manage incidents by assigning it, updating its status, or setting its classification and other actions.
-[Investigate incidents](investigate-incidents.md)| See associated alerts, manage the incident, see alert metadata, and visualizations to help you investigate an incident.
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index 3113e4b4f9..36e579945b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md @@ -36,7 +36,7 @@ Selecting an alert in either of those places brings up the **Alert management pa You can create a new incident from the alert or link to an existing incident. ## Assign alerts -If an alert is no yet assigned, you can select **Assign to me** to assign the alert to yourself. +If an alert is not yet assigned, you can select **Assign to me** to assign the alert to yourself. ## Suppress alerts diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md b/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md deleted file mode 100644 index c852df752c..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md +++ /dev/null 
@@ -1,84 +0,0 @@ ---- -title: Manage allowed/blocked lists -description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities. -keywords: manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Manage allowed/blocked lists - -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](prerelease.md)] - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) - - -Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to. - -On the top navigation you can: -- Import a list -- Add an indicator -- Customize columns to add or remove columns -- Export the entire list in CSV format -- Select the items to show per page -- Navigate between pages -- Apply filters - -## Create an indicator -1. In the navigation pane, select **Settings** > **Allowed/blocked list**. - -2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities: - - File hash - - IP address - - URLs/Domains - -3. Click **Add indicator**. - -4. For each attribute specify the following details: - - Indicator - Specify the entity details and define the expiration of the indicator. 
- - Action - Specify the action to be taken and provide a description. - - Scope - Define the scope of the machine group. - -5. Review the details in the Summary tab, then click **Save**. - - ->[!NOTE] ->Blocking IPs, domains, or URLs is currently available on limited preview only. ->This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforced which is an option that will be generally available soon. ->As it is not yet generally available, when Automated investigations finds this indicator during an investigation it will use the allowed/block list as the basis of its decision to automatically remediate (blocked list) or skip (allowed list) the entity. - - -## Manage indicators -1. In the navigation pane, select **Settings** > **Allowed/blocked list**. - -2. Select the tab of the entity type you'd like to manage. - -3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list. - -## Import a list -You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details. - -Download the sample CSV to know the supported column attributes. - - -## Related topics -- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md) - - - - - diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md similarity index 80% rename from windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md rename to windows/security/threat-protection/microsoft-defender-atp/network-protection.md index e4fccb655d..eb4b64456b 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/30/2019
@@ -20,40 +21,40 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). Network protection is supported beginning with Windows 10, version 1709. ->[!TIP] ->You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> [!TIP] +> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Network protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). 
When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network protection would impact your organization if it were enabled. +You can also use [audit mode](audit-windows-defender.md) to evaluate how Network protection would impact your organization if it were enabled. ## Requirements Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection. Windows 10 version | Windows Defender Antivirus -- | - +-|- Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled ## Review network protection events in the Microsoft Defender ATP Security Center -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. 
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. -Here is an example query +Here is an example query -``` +```PowerShell MiscEvents | where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked') ``` @@ -62,7 +63,7 @@ MiscEvents You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain: -1. [Copy the XML directly](event-views-exploit-guard.md). +1. [Copy the XML directly](event-views.md). 2. Click **OK**. @@ -71,12 +72,10 @@ You can review the Windows event log to see events that are created when network Event ID | Description -|- 5007 | Event when settings are changed - 1125 | Event when network protection fires in audit mode - 1126 | Event when network protection fires in block mode + 1125 | Event when network protection fires in audit mode + 1126 | Event when network protection fires in block mode - ## Related topics +## Related topics -Topic | Description ----|--- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created. [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md index 66a4fdedf6..ada385d846 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md @@ -32,13 +32,13 @@ ms.topic: conceptual Follow the corresponding instructions depending on your preferred deployment method. ## Offboard Windows 10 machines - - [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script) - - [Offboard machines using Group Policy](configure-endpoints-gp.md#offboard-machines-using-group-policy) - - [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager) - - [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-machines-using-mobile-device-management-tools) +- [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script) +- [Offboard machines using Group Policy](configure-endpoints-gp.md#offboard-machines-using-group-policy) +- [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager) +- [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-machines-using-mobile-device-management-tools) ## Offboard Servers - - [Offboard servers](configure-server-endpoints.md#offboard-servers) +- [Offboard servers](configure-server-endpoints.md#offboard-servers) ## Offboard non-Windows machines - - [Offboard non-Windows machines](configure-endpoints-non-windows.md#offboard-non-windows-machines) +- [Offboard non-Windows machines](configure-endpoints-non-windows.md#offboard-non-windows-machines) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt similarity index 97% rename from windows/security/threat-protection/microsoft-defender-atp/oldTOC.md rename to windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt index 48dac8442f..f06995f573 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt @@ -27,10 +27,10 @@ #### [Application control]() ##### [Windows Defender Application Guard](../windows-defender-application-control/windows-defender-application-control.md) -#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) -#### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) -#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) -#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) +#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md) +#### [Network protection](../windows-defender-exploit-guard/network-protection.md) +#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders.md) +#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction.md) #### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) 
@@ -196,8 +196,8 @@ #### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md) #### [Controlled folder access]() -##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md) -##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md) +##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders.md) +##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders.md) #### [Attack surface reduction controls]() ##### [Enable attack surface reduction rules](../windows-defender-exploit-guard/enable-attack-surface-reduction.md) @@ -413,15 +413,10 @@ ####### [Get user related machines](get-user-related-machines.md) ##### [How to use APIs - Samples]() -###### [Advanced Hunting API]() -####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) -####### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) -####### [Advanced Hunting using Python](run-advanced-query-sample-python.md) -####### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md) - -###### [Multiple APIs]() -####### [PowerShell](exposed-apis-full-sample-powershell.md) - +###### [Microsoft Flow](api-microsoft-flow.md) +###### [Power BI](api-power-bi.md) +###### [Advanced Hunting using Python](run-advanced-query-sample-python.md) +###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) ###### [Using OData Queries](exposed-apis-odata-samples.md) #### [API for custom alerts]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md new file mode 100644 index 0000000000..ce96f68340 --- /dev/null 
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md 
@@ -0,0 +1,199 @@ +--- +title: Create an onboarding or offboarding notification rule +description: Get a notification when a local onboarding or offboarding script is used. +keywords: onboarding, offboarding, local, script, notification, rule +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Create a notification rule when a local onboarding or offboarding script is used + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Create a notification rule so that when a local onboarding or offboardiing script is used, you'll be notified. + +## Before you begin +You'll need to have access to: + - Microsoft Flow (Flow Plan 1 at a minimum). For more information, see [Flow pricing page](https://flow.microsoft.com/pricing/). + - Azure Table or SharePoint List or Library / SQL DB + +## Create the notification flow + +1. In [flow.microsoft.com](https://flow.microsoft.com/). + +2. Navigate to **My flows > New > Scheduled - from blank**. + + ![Image of flow](images/new-flow.png) + + +3. Build a scheduled flow. + 1. Enter a flow name. + 2. Specify the start and time. + 3. Specify the frequency. For example, every 5 minutes. + + ![Image of the notification flow](images/build-flow.png) + +4. Select the + button to add a new action. The new action will be an HTTP request to the Microsoft Defender ATP security center machine(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines"). + + ![Image of recurrence and add action](images/recurrence-add.png) + + +5. Enter the following HTTP fields: + + - Method: "GET" as a value to get the list of machines. 
+ - URI: Enter `https://api.securitycenter.windows.com/api/machines`. + - Authentication: Select "Active Directory OAuth". + - Tenant: Sign-in to http://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value. + - Audience: `https://securitycenter.onmicrosoft.com/windowsatpservice\` + - Client ID: Sign-in to http://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Client ID value. + - Credential Type: Select "Secret". + - Secret: Sign-in to http://portal.azure.com and navigate tnd navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value. + + ![Image of the HTTP conditions](images/http-conditions.png) + + +6. Add a new step by selecting **Add new action** then search for **Data Operations** and select +**Parse JSON**. + + ![Image of data operations](images/data-operations.png) + +7. Add Body in the **Content** field. + + ![Image of parse JSON](images/parse-json.png) + +8. Select the **Use sample payload to generate schema** link. + + ![Image of parse json with payload](images/parse-json-schema.png) + +9. 
Copy and paste the following JSON snippet: + + ``` + { + "type": "object", + "properties": { + "@@odata.context": { + "type": "string" + }, + "value": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "computerDnsName": { + "type": "string" + }, + "firstSeen": { + "type": "string" + }, + "lastSeen": { + "type": "string" + }, + "osPlatform": { + "type": "string" + }, + "osVersion": {}, + "lastIpAddress": { + "type": "string" + }, + "lastExternalIpAddress": { + "type": "string" + }, + "agentVersion": { + "type": "string" + }, + "osBuild": { + "type": "integer" + }, + "healthStatus": { + "type": "string" + }, + "riskScore": { + "type": "string" + }, + "exposureScore": { + "type": "string" + }, + "aadDeviceId": {}, + "machineTags": { + "type": "array" + } + }, + "required": [ + "id", + "computerDnsName", + "firstSeen", + "lastSeen", + "osPlatform", + "osVersion", + "lastIpAddress", + "lastExternalIpAddress", + "agentVersion", + "osBuild", + "healthStatus", + "rbacGroupId", + "rbacGroupName", + "riskScore", + "exposureScore", + "aadDeviceId", + "machineTags" + ] + } + } + } + } + + ``` + +10. Extract the values from the JSON call and check if the onboarded machine(s) is / are already registered at the SharePoint list as an example: +- If yes, no notification will be triggered +- If no, will register the new onboarded machine(s) in the SharePoint list and a notification will be sent to the Microsoft Defender ATP admin + + ![Image of apply to each](images/flow-apply.png) + + ![Image of apply to each with get items](images/apply-to-each.png) + +11. Under **Condition**, add the following expression: "length(body('Get_items')?['value'])" and set the condition to equal to 0. 
+ + ![Image of apply to each condition](images/apply-to-each-value.png) + ![Image of condition](images/conditions-2.png) + ![Image of condition](images/condition3.png) + ![Image of send email](images/send-email.png) + +## Alert notification +The following image is an example of an email notification. + +![Image of email notification](images/alert-notification.png) + + +## Tips + +- You can filter here using lastSeen only: + - Every 60 min: + - Take all machines last seen in the past 7 days. + +- For each machine: + - If last seen property is on the one hour interval of [-7 days, -7days + 60 minutes ] -> Alert for offboarding possibility. + - If first seen is on the past hour -> Alert for onboarding. + +In this solution you will not have duplicate alerts: +There are tenants that have numerous machines. Getting all those machines might be very expensive and might require paging. + +You can split it to two queries: +1. For offboarding take only this interval using the OData $filter and only notify if the conditions are met. +2. Take all machines last seen in the past hour and check first seen property for them (if the first seen property is on the past hour, the last seen must be there too). + diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index 71c91ea9c0..eeaaedc402 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md 
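Review bot: In step 5 the `Secret:` bullet tells the reader to go and fetch the Tenant ID value a second time (and carries the typo "navigate tnd navigate"), so the one field that must hold the application secret never says what belongs in it; the Microsoft Flow sample deleted later in this same diff worded it as "Secret is the application secret generated in the Azure Active directory", and this bullet should say the same, e.g. `- Secret: Enter the application secret generated for the app registration in Azure Active Directory (not the Tenant ID); treat it as a credential.` The three portal links in that step use `http://portal.azure.com` and should be `https://portal.azure.com` so a sign-in performed to retrieve credentials is never started over plaintext HTTP. The `Audience` value `https://securitycenter.onmicrosoft.com/windowsatpservice\` ends in a stray backslash and differs from the `https://api.securitycenter.windows.com` audience the removed sample used, so it is worth confirming which value the machines API actually accepts before publishing. The Parse JSON schema in step 9 also lists `rbacGroupId` and `rbacGroupName` under `required` without declaring them in `properties`; if the API response omits those fields the parse step will presumably fail validation.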
@@ -2,7 +2,7 @@
 title: Overview of attack surface reduction
 ms.reviewer:
 description: Learn about the attack surface reduction capability in Microsoft Defender ATP
-keywords:
+keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender, antivirus, av, windows defender
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -21,16 +21,16 @@ ms.topic: conceptual # Overview of attack surface reduction **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. +Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. -| Article | Description | -|------------|-------------| -| [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. | -| [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. | -| [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. | -| [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) |Extend protection to your network traffic and connectivity on your organization's devices. 
(Requires Windows Defender Antivirus) | -| [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) | -| [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) | -| [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. | +Article | Description +-|- +[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. +[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. +[Exploit protection](./exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. +[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. 
(Requires Windows Defender Antivirus) | +[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) +[Attack surface reduction](./attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) +[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md index dcaa31ea84..f08e397a67 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md 
@@ -22,7 +22,7 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!NOTE] -> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. +> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md index ea8a219a7d..8a85c8796f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md @@ -202,7 +202,7 @@ In general, if you know of a specific threat name, CVE, or KB, you can identify ## Related topic -- [**Beta** Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md) +- [Create custom Power BI reports](api-power-bi.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md index 8fe6ed0a0c..e5f2d93731 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md @@ -16,6 +16,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: article --- + # Configure Microsoft Defender Security Center settings **Applies to:** @@ -34,4 +35,3 @@ Permissions | Manage portal access using RBAC as well as machine groups. APIs | Enable the threat intel and SIEM integration. Rules | Configure suppressions rules and automation settings. Machine management | Onboard and offboard machines. - diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 3f4ceec2f5..3910cda2ff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md 
@@ -157,6 +157,20 @@ When you select this action, a fly-out will appear. From the fly-out, you can re If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a **Collect file** button in the same location. If a file has not been seen in the organization in the past 30 days, **Collect file** will be disabled. +## Check activity details in Action center + +The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the following details: + +- Investigation package collection +- Antivirus scan +- App restriction +- Machine isolation + +All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed. + +![Image of action center with information](images/action-center-details.png) + + ## Deep analysis Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis. diff --git a/windows/security/threat-protection/microsoft-defender-atp/response-actions.md b/windows/security/threat-protection/microsoft-defender-atp/response-actions.md deleted file mode 100644 index 36b3d69003..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/response-actions.md +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -title: Take response actions on files and machines in Microsoft Defender ATP -description: Take response actions on files and machines by stopping and quarantining files, blocking a file, isolating machines, or collecting an investigation package. -keywords: respond, stop and quarantine, block file, deep analysis, isolate machine, collect investigation package, action center -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Take response actions in Microsoft Defender ATP - -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - - - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responseactions-abovefoldlink) - -You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization. - ->[!NOTE] -> The machine related response actions are only available for machines on Windows 10 (version 1703 or higher), Windows Server, version 1803 and Windows Server 2019. - -## In this section -Topic | Description -:---|:--- -[Take response actions on a machine](respond-machine-alerts.md)| Isolate machines or collect an investigation package. -[Take response actions on a file](respond-file-alerts.md)| Stop and quarantine files or block a file from your network. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index cffc0ad85b..457a33f85a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -147,4 +147,3 @@ If the 'roles' section in the token does not include the necessary permission: - [Microsoft Defender ATP APIs](apis-intro.md) - [Advanced Hunting from Portal](advanced-hunting.md) - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) -- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md deleted file mode 100644 index 12a021ec3d..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -title: Advanced Hunting API -ms.reviewer: -description: Use this API to run advanced queries -keywords: apis, supported apis, advanced hunting, query -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Schedule Advanced Hunting using Microsoft Flow -**Applies to:** -- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) - -[!include[Prerelease information](prerelease.md)] - -Schedule advanced query. - -## Before you begin -You first need to [create an app](apis-intro.md). - -## Use case - -A common scenario is scheduling an advanced query and using the results for follow up actions and processing. -In this section we share sample for this purpose using [Microsoft Flow](https://flow.microsoft.com/) (or [Logic Apps](https://azure.microsoft.com/services/logic-apps/)). - -## Define a flow to run query and parse results - -Use the following basic flow as an example. - -1. Define the trigger – Recurrence by time. - -2. Add an action: Select HTTP. 
- - ![Image of MsFlow choose an action](images/ms-flow-choose-action.png) - - - Set method to be POST - - Uri is https://api.securitycenter.windows.com/api/advancedqueries/run or one of the region specific locations - - US: https://api-us.securitycenter.windows.com/api/advancedqueries/run - - Europe: https://api-eu.securitycenter.windows.com/api/advancedqueries/run - - United Kingdom: https://api-uk.securitycenter.windows.com/api/advancedqueries/run - - Add the Header: Content-Type application/json - - In the body write your query surrounded by single quotation mark (') - - In the Advanced options select Authentication to be Active Directory OAuth - - Set the Tenant with proper AAD Tenant Id - - Audience is https://api.securitycenter.windows.com - - Client ID is your application ID - - Credential Type should be Secret - - Secret is the application secret generated in the Azure Active directory. - - ![Image of MsFlow define action](images/ms-flow-define-action.png) - -3. You can use the "Parse JSON" action to get the schema of data – just "use sample payload to generate schema" and copy an output from of the expected result. - - ![Image of MsFlow parse json](images/ms-flow-parse-json.png) - -## Expand the flow to use the query results - -The following section shows how to use the parsed results to insert them in SQL database. - -This is an example only, you can use other actions supported by Microsoft Flow. - -- Add an 'Apply to each' action -- Select the Results json (which was an output of the last parse action) -- Add an 'Insert row' action – you will need to supply the connection details -- Select the table you want to update and define the mapping between the WD-ATP output to the SQL. Note it is possible to manipulate the data inside the flow. In the example I changed the type of the EventTime. - -![Image of insert into DB](images/ms-flow-insert-db.png) - -The output in the SQL DB is getting updates and can be used for correlation with other data sources. 
You can now read from your table: - -![Image of select from DB](images/ms-flow-read-db.png) - -## Full flow definition - -You can find below the full definition - -![Image of E2E flow](images/ms-flow-e2e.png) - -## Related topic -- [Microsoft Defender ATP APIs](apis-intro.md) -- [Advanced Hunting API](run-advanced-query-api.md) -- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md deleted file mode 100644 index 9febf311eb..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md +++ /dev/null 
@@ -1,138 +0,0 @@ ---- -title: Advanced Hunting API -ms.reviewer: -description: Use this API to run advanced queries -keywords: apis, supported apis, advanced hunting, query -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Create custom reports using Power BI (app authentication) - -Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before. - -In this section we share Power BI query sample to run a query using **application token**. - -If you want to use **user token** instead please refer to [this](run-advanced-query-sample-power-bi-user-token.md) tutorial. - ->**Prerequisite**: You first need to [create an app](exposed-apis-create-app-webapp.md). - -## Run a query - -- Open Microsoft Power BI - -- Click **Get Data** > **Blank Query** - - ![Image of create blank query](images/power-bi-create-blank-query.png) - -- Click **Advanced Editor** - - ![Image of open advanced editor](images/power-bi-open-advanced-editor.png) - -- Copy the below and paste it in the editor, after you update the values of TenantId, AppId, AppSecret, Query - - ``` - let - - TenantId = "00000000-0000-0000-0000-000000000000", // Paste your own tenant ID here - AppId = "11111111-1111-1111-1111-111111111111", // Paste your own app ID here - AppSecret = "22222222-2222-2222-2222-222222222222", // Paste your own app secret here - Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", // Paste your own query here - - ResourceAppIdUrl = "https://api.securitycenter.windows.com", - OAuthUrl = Text.Combine({"https://login.windows.net/", TenantId, "/oauth2/token"}, ""), - - Resource = Text.Combine({"resource", 
Uri.EscapeDataString(ResourceAppIdUrl)}, "="), - ClientId = Text.Combine({"client_id", AppId}, "="), - ClientSecret = Text.Combine({"client_secret", Uri.EscapeDataString(AppSecret)}, "="), - GrantType = Text.Combine({"grant_type", "client_credentials"}, "="), - - Body = Text.Combine({Resource, ClientId, ClientSecret, GrantType}, "&"), - - AuthResponse= Json.Document(Web.Contents(OAuthUrl, [Content=Text.ToBinary(Body)])), - AccessToken= AuthResponse[access_token], - Bearer = Text.Combine({"Bearer", AccessToken}, " "), - - AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run", - - Response = Json.Document(Web.Contents( - AdvancedHuntingUrl, - [ - Headers = [#"Content-Type"="application/json", #"Accept"="application/json", #"Authorization"=Bearer], - Content=Json.FromValue([#"Query"=Query]) - ] - )), - - TypeMap = #table( - { "Type", "PowerBiType" }, - { - { "Double", Double.Type }, - { "Int64", Int64.Type }, - { "Int32", Int32.Type }, - { "Int16", Int16.Type }, - { "UInt64", Number.Type }, - { "UInt32", Number.Type }, - { "UInt16", Number.Type }, - { "Byte", Byte.Type }, - { "Single", Single.Type }, - { "Decimal", Decimal.Type }, - { "TimeSpan", Duration.Type }, - { "DateTime", DateTimeZone.Type }, - { "String", Text.Type }, - { "Boolean", Logical.Type }, - { "SByte", Logical.Type }, - { "Guid", Text.Type } - }), - - Schema = Table.FromRecords(Response[Schema]), - TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}), - Results = Response[Results], - Rows = Table.FromRecords(Results, Schema[Name]), - Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}})) - - in Table - - ``` - -- Click **Done** - - ![Image of create advanced query](images/power-bi-create-advanced-query.png) - -- Click **Edit Credentials** - - ![Image of edit credentials](images/power-bi-edit-credentials.png) - -- Select **Anonymous** and click **Connect** - - ![Image of set 
credentials](images/power-bi-set-credentials-anonymous.png) - -- Repeat the previous step for the second URL - -- Click **Continue** - - ![Image of edit data privacy](images/power-bi-edit-data-privacy.png) - -- Select the privacy level you want and click **Save** - - ![Image of set data privacy](images/power-bi-set-data-privacy.png) - -- View the results of your query - - ![Image of query results](images/power-bi-query-results.png) - -## Related topic -- [Create custom Power BI reports with user authentication](run-advanced-query-sample-power-bi-user-token.md) -- [Microsoft Defender ATP APIs](apis-intro.md) -- [Advanced Hunting API](run-advanced-query-api.md) -- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) -- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md index a5154e0ab4..a5c71022b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md @@ -117,4 +117,3 @@ $results | ConvertTo-Json | Set-Content file1.json - [Microsoft Defender ATP APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Advanced Hunting using Python](run-advanced-query-sample-python.md) -- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md index 95fe03d4b0..69056ed0d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md @@ -146,5 +146,4 @@ outputFile.close() ## Related topic - [Microsoft Defender ATP APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) -- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) -- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) +- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md index d9a36f6795..2251ec4e49 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Run a detection test on a newly onboarded Microsoft Defender ATP machine +# Run a detection test on a newly onboarded Microsoft Defender ATP machine **Applies to:** - Supported Windows 10 versions diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md index 1bef9658a6..75423bc86d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md 
@@ -18,38 +18,44 @@ ms.topic: conceptual --- # Configure the security controls in Secure score -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!NOTE] -> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. +**Applies to:** + +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +> [!NOTE] +> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. Each security control lists recommendations that you can take to increase the security posture of your organization. ### Endpoint detection and response (EDR) optimization + A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool. ->[!IMPORTANT] ->This feature is available for machines on Windows 10, version 1607 or later. +> [!IMPORTANT] +> This feature is available for machines on Windows 10, version 1607 or later. 
-#### Minimum baseline configuration setting for EDR: -- Microsoft Defender ATP sensor is on -- Data collection is working correctly -- Communication to Microsoft Defender ATP service is not impaired +#### Minimum baseline configuration setting for EDR + +* Microsoft Defender ATP sensor is on +* Data collection is working correctly +* Communication to Microsoft Defender ATP service is not impaired + +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Turn on sensor -- Fix sensor data collection -- Fix impaired communications -For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). +* Turn on sensor +* Fix sensor data collection +* Fix impaired communications + +For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). ### Windows Defender Antivirus (Windows Defender AV) optimization A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AV. ->[!IMPORTANT] ->This feature is available for machines on Windows 10, version 1607 or later. +> [!IMPORTANT] +> This feature is available for machines on Windows 10, version 1607 or later. #### Minimum baseline configuration setting for Windows Defender AV: A well-configured machine for Windows Defender AV meets the following requirements: @@ -60,7 +66,6 @@ A well-configured machine for Windows Defender AV meets the following requiremen - Real-time protection is on - Potentially Unwanted Application (PUA) protection is enabled -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: >[!NOTE] 
@@ -75,52 +80,56 @@ You can take the following actions to increase the overall security score of you For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md). - ### OS security updates optimization + This tile shows you the number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds. - ->[!IMPORTANT] ->This feature is available for machines on Windows 10, version 1607 or later. + +> [!IMPORTANT] +> This feature is available for machines on Windows 10, version 1607 or later. You can take the following actions to increase the overall security score of your organization: -- Install the latest security updates -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). + +* Install the latest security updates +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter). 
- ### Windows Defender Exploit Guard (Windows Defender EG) optimization -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Windows Defender EG. When endpoints are configured according to the baseline, the Windows Defender EG events shows on the Microsoft Defender ATP Machine timeline. + +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Microsoft Defender EG. When endpoints are configured according to the baseline the Microsoft Defender EG events shows on the Microsoft Defender ATP Machine timeline. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. -#### Minimum baseline configuration setting for Windows Defender EG: -A well-configured machine for Windows Defender EG meets the following requirements: +#### Minimum baseline configuration setting for Windows Defender EG -- System level protection settings are configured correctly -- Attack Surface Reduction rules are configured correctly -- Controlled Folder Access setting is configured correctly +Machines are considered "well configured" for Microsoft Defender EG if the following requirements are met: + +* System level protection settings are configured correctly +* Attack Surface Reduction rules are configured correctly +* Controlled Folder Access setting is configured correctly + +##### System level protection -##### System level protection: The following system level configuration settings must be set to **On or Force On**: -1. Control Flow Guard +1. Control Flow Guard 2. Data Execution Prevention (DEP) 3. Randomize memory allocations (Bottom-up ASLR) 4. 
Validate exception chains (SEHOP) 5. Validate heap integrity ->[!NOTE] ->The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline. ->Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection. +> [!NOTE] +> The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline. +> Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection. + +##### Attack Surface Reduction (ASR) rules -##### Attack Surface Reduction (ASR) rules: The following ASR rules must be configured to **Block mode**: -Rule description | GUIDs +Rule description | GUIDs -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A 
@@ -129,34 +138,34 @@ Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-5 Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B - - ->[!NOTE] ->The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline. ->Consider enabling this rule in **Audit** or **Block mode** for better protection. - +> [!NOTE] +> The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline. +> Consider enabling this rule in **Audit** or **Block mode** for better protection. ##### Controlled Folder Access + The Controlled Folder Access setting must be configured to **Audit mode** or **Enabled**. ->[!NOTE] +> [!NOTE] > Audit mode, allows you to see audit events in the Microsoft Defender ATP Machine timeline however it does not block suspicious applications. ->Consider enabling Controlled Folder Access for better protection. +> Consider enabling Controlled Folder Access for better protection. + +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: + - Turn on all system-level Exploit Protection settings - Set all ASR rules to enabled or audit mode - Turn on Controlled Folder Access - Turn on Windows Defender Antivirus on compatible machines -For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md). - ### Windows Defender Application Guard (Windows Defender AG) optimization A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AG. 
When endpoints are configured according to the baseline, Windows Defender AG events shows on the Microsoft Defender ATP Machine timeline. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AG. When endpoints are configured according to the baseline, Microsoft Defender AG events shows on the Microsoft Defender ATP Machine timeline. + +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. #### Minimum baseline configuration setting for Windows Defender AG: A well-configured machine for Windows Defender AG meets the following requirements: 
@@ -165,104 +174,114 @@ A well-configured machine for Windows Defender AG meets the following requiremen - Windows Defender AG is turned on compatible machines - Managed mode is turned on -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Ensure that you meet the hardware and software prerequisites - - >[!NOTE] - >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on. -- Turn on Windows Defender AG on compatible machines -- Turn on managed mode +* Ensure hardware and software prerequisites are met + + > [!NOTE] + > This improvement item does not contribute to the security score in itself because it's not a prerequisite for Microsoft Defender AG. It gives an indication of a potential reason why Microsoft Defender AG is not turned on. + +* Turn on Microsoft Defender AG on compatible machines +* Turn on managed mode -For more information, see [Windows Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md). +For more information, see [Microsoft Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md). +### Windows Defender SmartScreen optimization -### Windows Defender SmartScreen optimization -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender SmartScreen. +A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender SmartScreen. 
->[!WARNING] -> Data collected by Windows Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data. +> [!WARNING] +> Data collected by Microsoft Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data. - ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. #### Minimum baseline configuration setting for Windows Defender SmartScreen: -The following settings must be configured with the following settings: -- Check apps and files: **Warn** or **Block** -- SmartScreen for Microsoft Edge: **Warn** or **Block** -- SmartScreen for Microsoft store apps: **Warn** or **Off** +The following settings must be configured with the following settings: + +* Check apps and files: **Warn** or **Block** +* SmartScreen for Microsoft Edge: **Warn** or **Block** +* SmartScreen for Microsoft store apps: **Warn** or **Off** You can take the following actions to increase the overall security score of your organization: + - Set **Check app and files** to **Warn** or **Block** - Set **SmartScreen for Microsoft Edge** to **Warn** or **Block** - Set **SmartScreen for Microsoft store apps** to **Warn** or **Off** For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). +* Set **Check app and files** to **Warn** or **Block** +* Set **SmartScreen for Microsoft Edge** to **Warn** or **Block** +* Set **SmartScreen for Microsoft store apps** to **Warn** or **Off** +For more information, see [Microsoft Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). 
### Windows Defender Firewall optimization -A well-configured machine must have Windows Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Firewall. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +A well-configured machine must have Microsoft Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Firewall. -#### Minimum baseline configuration setting for Windows Defender Firewall +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. -- Windows Defender Firewall is turned on for all network connections -- Secure domain profile by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked -- Secure private profile by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked -- Secure public profile is configured by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked +#### Minimum baseline configuration setting for Windows Defender Firewall + +* Microsoft Defender Firewall is turned on for all network connections +* Secure domain profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked +* Secure private profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked +* Secure public profile is configured by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked For more information on Windows Defender Firewall settings, see [Planning settings for a basic 
firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy). ->[!NOTE] +> [!NOTE] > If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely. +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Turn on firewall -- Secure domain profile -- Secure private profile -- Secure public profile -- Verify secure configuration of third-party firewall -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). + +* Turn on firewall +* Secure domain profile +* Secure private profile +* Secure public profile +* Verify secure configuration of third-party firewall +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security). ### BitLocker optimization -A well-configured machine complies to the minimum baseline configuration setting. 
This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1803 or later. +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker. + +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1803 or later. #### Minimum baseline configuration setting for BitLocker -- Ensure all supported drives are encrypted -- Ensure that all suspended protection on drives resume protection -- Ensure that drives are compatible +* Ensure all supported drives are encrypted +* Ensure that all suspended protection on drives resume protection +* Ensure that drives are compatible + +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Encrypt all supported drives -- Resume protection on all drives -- Ensure drive compatibility -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). + +* Encrypt all supported drives +* Resume protection on all drives +* Ensure drive compatibility +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. 
It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview). ### Windows Defender Credential Guard optimization A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Credential Guard. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. #### Minimum baseline configuration setting for Windows Defender Credential Guard: Well-configured machines for Windows Defender Credential Guard meets the following requirements: 
@@ -270,31 +289,28 @@ Well-configured machines for Windows Defender Credential Guard meets the followi - Hardware and software prerequisites are met - Windows Defender Credential Guard is turned on compatible machines +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Ensure hardware and software prerequisites are met -- Turn on Credential Guard -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). +* Ensure hardware and software prerequisites are met +* Turn on Credential Guard +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) +>Want to experience Microsoft Defender ATP? 
[Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) ## Related topics -- [Overview of Secure score](overview-secure-score.md) -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) -- [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) - - - +* [Overview of Secure score](overview-secure-score.md) +* [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +* [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +* [Exposure score](tvm-exposure-score.md) +* [Configuration score](configuration-score.md) +* [Security recommendations](tvm-security-recommendation.md) +* [Remediation](tvm-remediation.md) +* [Software inventory](tvm-software-inventory.md) +* [Weaknesses](tvm-weaknesses.md) +* [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md index 7b758a94bc..0be4b4e073 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md 
@@ -44,9 +44,9 @@ In the context of Microsoft Defender ATP, alert definitions are containers for I Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Microsoft Defender ATP console. Here is an example of an IOC: - - Type: Sha1 - - Value: 92cfceb39d57d914ed8b14d0e37643de0797ae56 - - Action: Equals +- Type: Sha1 +- Value: 92cfceb39d57d914ed8b14d0e37643de0797ae56 +- Action: Equals IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md index 9c38688bb0..d527fa77fd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md @@ -18,7 +18,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Microsoft Threat Protection +# Microsoft Defender ATP in Microsoft Threat Protection **Applies to:** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md similarity index 84% rename from windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index 373d0c8387..aec7204fc9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md 
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: dansimp
 ms.author: dansimp
 ms.date: 03/27/2019
@@ -20,44 +21,44 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -When you use [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as: +When you use [attack surface reduction rules](attack-surface-reduction.md) you may encounter issues, such as: -- A rule blocks a file, process, or performs some other action that it should not (false positive) -- A rule does not work as described, or does not block a file or process that it should (false negative) +* A rule blocks a file, process, or performs some other action that it should not (false positive) +* A rule does not work as described, or does not block a file or process that it should (false negative) There are four steps to troubleshooting these problems: 1. Confirm prerequisites 2. Use audit mode to test the rule 3. Add exclusions for the specified rule (for false positives) -3. Submit support logs +4. Submit support logs ## Confirm prerequisites Attack surface reduction rules will only work on devices with the following conditions: ->[!div class="checklist"] -> - Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update). -> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). -> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). 
+> [!div class="checklist"] +> * Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update). +> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. +> * Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. ## Use audit mode to test the rule -You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only. +You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only. Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with. 1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run. 2. 
Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed). -3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. +3. [Review the attack surface reductio rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. > ->If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. +>If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. > >Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed. 
@@ -82,21 +83,24 @@ Use the [Windows Defender Security Intelligence web-based submission form](https ## Collect diagnostic data for file submissions -When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. +When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 1. Open an elevated command prompt and change to the Windows Defender directory: + ```console cd c:\program files\windows defender ``` + 2. Run this command to generate the diagnostic logs: + ```console mpcmdrun -getfiles ``` -3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. + +3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. ## Related topics -- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) -- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) - +* [Attack surface reduction rules](attack-surface-reduction.md) +* [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md similarity index 79% rename from windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md index 63963825e3..ae216de7bb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: dansimp ms.author: dansimp ms.date: 08/09/2018 @@ -20,7 +21,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations. @@ -46,7 +47,7 @@ You can manually remove unwanted mitigations in Windows Security, or you can use Write-Host "Removing MitigationAuditOptions for: " $Name Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop; } - + # Remove the FilterFullPath value if there is nothing else if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) { Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop; 
@@ -58,19 +59,19 @@ You can manually remove unwanted mitigations in Windows Security, or you can use Remove-Item -Path $Key.PSPath -ErrorAction Stop } } - Catch { - Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" + Catch { + Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" } } # Delete all ExploitGuard ProcessMitigations function Remove-All-ProcessMitigations { if (!(Test-IsAdmin)) { - throw "ERROR: No Administrator-Privileges detected!"; return + throw "ERROR: No Administrator-Privileges detected!"; return } Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object { - $MitigationItem = $_; + $MitigationItem = $_; $MitigationItemName = $MitigationItem.PSChildName Try { @@ -85,7 +86,7 @@ You can manually remove unwanted mitigations in Windows Security, or you can use Write-Host "Removing FullPathEntry: " $Name Remove-ProcessMitigations $FullPathItem $Name } - + # If there are no subkeys now, we can delete the "UseFilter" value if ($MitigationItem.SubKeyCount -eq 0) { Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop @@ -97,8 +98,8 @@ You can manually remove unwanted mitigations in Windows Security, or you can use Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop } } - Catch { - Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" + Catch { + Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" } } } 
@@ -106,18 +107,18 @@ You can manually remove unwanted mitigations in Windows Security, or you can use # Delete all ExploitGuard System-wide Mitigations function Remove-All-SystemMitigations { - if (!(Test-IsAdmin)) { - throw "ERROR: No Administrator-Privileges detected!"; return + if (!(Test-IsAdmin)) { + throw "ERROR: No Administrator-Privileges detected!"; return } - + $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" - Try { - if ($Kernel.GetValue("MitigationOptions")) + Try { + if ($Kernel.GetValue("MitigationOptions")) { Write-Host "Removing System MitigationOptions" Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop; } - if ($Kernel.GetValue("MitigationAuditOptions")) + if ($Kernel.GetValue("MitigationAuditOptions")) { Write-Host "Removing System MitigationAuditOptions" Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop; } @@ -132,30 +133,30 @@ You can manually remove unwanted mitigations in Windows Security, or you can use 2. Create and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy Exploit Protection configurations: - ```xml + ```xml - - - - - - - - - - + + + + + + + + + + - + - - + + - - - - - + + + + + @@ -180,9 +181,9 @@ You can manually remove unwanted mitigations in Windows Security, or you can use - - - + + + 
@@ -195,9 +196,9 @@ If you haven’t already, it's a good idea to download and use the [Windows Secu ## Related topics -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Enable exploit protection](enable-exploit-protection.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +* [Protect devices from exploits](exploit-protection.md) +* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) +* [Evaluate exploit protection](evaluate-exploit-protection.md) +* [Enable exploit protection](enable-exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md similarity index 69% rename from windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index cfd19843a9..af397987a0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: dansimp ms.author: dansimp ms.date: 03/27/2019 
@@ -20,48 +21,50 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- IT administrators +* IT administrators -When you use [Network protection](network-protection-exploit-guard.md) you may encounter issues, such as: +When you use [Network protection](network-protection.md) you may encounter issues, such as: -- Network protection blocks a website that is safe (false positive) -- Network protection fails to block a suspicious or known malicious website (false negative) +* Network protection blocks a website that is safe (false positive) +* Network protection fails to block a suspicious or known malicious website (false negative) There are four steps to troubleshooting these problems: 1. Confirm prerequisites 2. Use audit mode to test the rule 3. Add exclusions for the specified rule (for false positives) -3. Submit support logs +4. Submit support logs ## Confirm prerequisites Network protection will only work on devices with the following conditions: >[!div class="checklist"] -> - Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update). -> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). -> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. -> - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. 
Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). +> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update). +> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. +> * [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. +> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). +## Use audit mode -## Use audit mode - -You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled. +You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled. 1. Set network protection to **Audit mode**. - ```powershell + + ```PowerShell Set-MpPreference -EnableNetworkProtection AuditMode ``` -2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). -3. 
[Review the network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. + +1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). + +1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. > >If network protection is not blocking a connection that you are expecting it should block, enable the feature. -```powershell +```PowerShell Set-MpPreference -EnableNetworkProtection Enabled ``` 
@@ -75,21 +78,24 @@ To whitelist the website that is being blocked (false positive), add its URL to ## Collect diagnostic data for file submissions -When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. +When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 1. Open an elevated command prompt and change to the Windows Defender directory: - ``` + + ```PowerShell cd c:\program files\windows defender ``` -2. Run this command to generate the diagnostic logs: - ``` + +1. Run this command to generate the diagnostic logs: + + ```PowerShell mpcmdrun -getfiles ``` -3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. + +1. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. ## Related topics -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) -- [Network protection](network-protection-exploit-guard.md) -- [Evaluate network protection](evaluate-network-protection.md) -- [Enable network protection](enable-network-protection.md) +* [Network protection](network-protection.md) +* [Evaluate network protection](evaluate-network-protection.md) +* [Enable network protection](enable-network-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 289a76f1c5..5f81c16bed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md 
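Review bot: The `cd c:\program files\windows defender` step is now fenced as ```PowerShell while the instruction above it still says to open an elevated command prompt; in PowerShell `cd` is Set-Location, and the unquoted path with spaces is split into extra positional arguments and fails, so the example only works in cmd.exe. Either keep the fence as `console`, as the attack-surface-reduction troubleshooting page changed earlier in this commit does, or quote the path: `cd "c:\program files\windows defender"`. The `mpcmdrun -getfiles` fence carries the same label and works in either shell, so only the first fence needs the change.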
@@ -25,20 +25,22 @@ ms.topic: troubleshooting - Windows Server 2016 - You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues. This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines. + +## Troubleshoot issues with onboarding tools + If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem. -## Troubleshoot onboarding when deploying with Group Policy +### Troubleshoot onboarding when deploying with Group Policy Deployment with Group Policy is done by running the onboarding script on the machines. The Group Policy console does not indicate if the deployment has succeeded or not. If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script). If the script completes successfully, see [Troubleshoot onboarding issues on the machines](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. -## Troubleshoot onboarding issues when deploying with System Center Configuration Manager +### Troubleshoot onboarding issues when deploying with System Center Configuration Manager When onboarding machines using the following versions of System Center Configuration Manager: - System Center 2012 Configuration Manager - System Center 2012 R2 Configuration Manager 
@@ -52,7 +54,7 @@ If the deployment fails, you can check the output of the script on the machines. If the onboarding completed successfully but the machines are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. -## Troubleshoot onboarding when deploying with a script +### Troubleshoot onboarding when deploying with a script **Check the result of the script on the machine**: 1. Click **Start**, type **Event Viewer**, and press **Enter**. @@ -76,7 +78,7 @@ Event ID | Error Type | Resolution steps 40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). 65 | Insufficient privileges| Run the script again with administrator privileges. -## Troubleshoot onboarding issues using Microsoft Intune +### Troubleshoot onboarding issues using Microsoft Intune You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. @@ -296,9 +298,9 @@ You might also need to check the following: ## Licensing requirements Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: - - Windows 10 Enterprise E5 - - Windows 10 Education E5 - - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5 +- Windows 10 Enterprise E5 +- Windows 10 Education E5 +- Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5 For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md
deleted file mode 100644
index 0cf451828c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-title: Troubleshoot Microsoft Defender Advanced Threat Protection capabilities
-description: Find solutions to issues on sensor state, service issues, or other Microsoft Defender ATP capabilities
-keywords: troubleshoot, sensor, state, service, issues, attack surface reduction, next generation protection
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: troubleshooting
----
-
-# Troubleshoot Microsoft Defender Advanced Threat Protection
-
-Troubleshoot issues that might arise as you use Microsoft Defender ATP capabilities.
-
-## In this section
-Topic | Description
-:---|:---
-Troubleshoot sensor state | Find solutions for issues related to the Microsoft Defender ATP sensor
-Troubleshoot service issues | Fix issues related to the Microsoft Defender Advanced Threat service
-Troubleshoot attack surface reduction | Fix issues related to network protection and attack surface reduction rules
-Troubleshoot next generation protection | If you encounter a problem with antivirus, you can search the tables in this topic to find a matching issue and potential solution
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/use-apis.md b/windows/security/threat-protection/microsoft-defender-atp/use-apis.md
deleted file mode 100644
index 12a8e4cc4e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/use-apis.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Microsoft Defender ATP APIs
-ms.reviewer:
-description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
-keywords: apis, api, wdatp, open api, windows defender atp api, public api, alerts, machine, user, domain, ip, file
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-search.appverid: met150
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Microsoft Defender ATP APIs
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-## In this section
-Topic | Description
-:---|:---
-[Microsoft Defender ATP API overview](apis-intro.md) | Learn how to access Microsoft Defender ATP APIs.
-[Supported Microsoft Defender ATP APIs](exposed-apis-list.md) | Learn more about how you can run API calls to individual supported entities, and details such as HTTP request values, request headers and expected responses. Examples include APIs for [alert resource type](alerts.md), [domain related alerts](get-domain-related-alerts.md), or even actions such as [isolate machine](isolate-machine.md).
-How to use APIs - Samples | Learn how to use Advanced hunting APIs and multiple APIs such as PowerShell. Other examples include [schedule advanced hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) or [OData queries](exposed-apis-odata-samples.md).
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index 9bcc029641..4b653cf263 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -65,7 +65,7 @@ This section describes features and tools that are available to help you manage None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. -### Policy dependencies +### Policy dependencies The settings for this security policy are dependent on the [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md) setting value. diff --git a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md index 8ab757be7a..a9d12cc027 100644 --- a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md +++ b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md 
@@ -15,7 +15,7 @@ manager: dansimp ms.author: dolmont --- -# WannaCrypt ransomware worm targets out-of-date systems +# WannaCrypt ransomware worm targets out-of-date systems On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx) if they have not already done so. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index b61fbe54d1..115361ba35 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md @@ -191,7 +191,7 @@ This setting will prevent a scan from occurring after receiving an update. You c ### Enable headless UI mode - - Double-click **Enable headless UI mode** and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users. +- Double-click **Enable headless UI mode** and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index 69fc95abeb..c9aca52f0d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -42,7 +42,7 @@ There are specific network-connectivity requirements to ensure your endpoints ca
 2. Select **All services > Intune**.
 3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
 4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
-5. On the **Cloud-delivered protection** switch, select **Enable**.
+5. On the **Cloud-delivered protection** switch, select **Not configured**.
 6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**.
 7. In the **Submit samples consent** dropdown, select one of the following:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-alert.jpg b/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-alert.jpg
new file mode 100644
index 0000000000..36da4a5988
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-alert.jpg differ
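Review bot: Step 5 now tells the reader to set the **Cloud-delivered protection** switch to **Not configured** inside a procedure whose purpose is to enable cloud-delivered protection, and as written the step reads as leaving the setting unmanaged rather than turning it on. If **Not configured** is the intended choice for this Intune profile, the step should say what state that leaves the endpoint in and why **Enable** is no longer the recommended value; otherwise the previous `select **Enable**` wording should be restored. Steps 6 and 7, which only make sense with cloud protection on, are unchanged context here.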
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-huntingquery.png b/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-huntingquery.png new file mode 100644 index 0000000000..2e11d9e9b5 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-huntingquery.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-windowssecurityapp.png b/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-windowssecurityapp.png new file mode 100644 index 0000000000..d0eef7ebef Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-windowssecurityapp.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 73f3bdc5e1..e3142e03ef 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -148,10 +148,10 @@ realTimeProtectionEnabled : true mdatp --health orgId ``` -2. Install the configuration file on a client machine: +2. Run the Python script to install the configuration file: ```bash - python WindowsDefenderATPOnboarding.py + /usr/bin/python WindowsDefenderATPOnboarding.py Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) ``` diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index b9d60523ba..8fe52e371e 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -55,7 +55,7 @@ The following table lists the services and their associated URLs that your netwo | ---------------------------------------- | ----------------------- | | Common URLs for all locations | x.cp.wd.microsoft.com
                  cdn.x.cp.wd.microsoft.com
                  eu-cdn.x.cp.wd.microsoft.com
                  wu-cdn.x.cp.wd.microsoft.com
                  *.blob.core.windows.net
                  officecdn-microsoft-com.akamaized.net | | European Union | europe.x.cp.wd.microsoft.com | -| United Kingdon | unitedkingdom.x.cp.wd.microsoft.com | +| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com | | United States | unitedstates.x.cp.wd.microsoft.com | Microsoft Defender ATP can discover a proxy server by using the following discovery methods: diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index c074504ddd..02469ed7c3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -1,9 +1,9 @@ --- -title: Prevent security settings changes with Tamper Protection +title: Protect security settings with Tamper Protection ms.reviewer: manager: dansimp -description: Use tamper protection to prevent malicious apps from changing important security settings. -keywords: malware, defender, antivirus, tamper protection +description: Use Tamper Protection to prevent malicious apps from changing important security settings. +keywords: malware, defender, antivirus, Tamper Protection search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 
@@ -11,48 +11,160 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+audience: ITPro
+author: denisebmsft
+ms.author: deniseb
 ---
-# Prevent security settings changes with tamper protection
+# Protect security settings with Tamper Protection
 **Applies to:**
 - Windows 10
-Tamper Protection helps prevent malicious apps from changing important security settings. These settings include:
+## Overview
-- Real-time protection
-- Cloud-delivered protection
-- IOfficeAntivirus (IOAV)
-- Behavior monitoring
+During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper Protection helps prevent this from occurring.
+
+With Tamper Protection, malicious apps are prevented from taking actions like these:
+- Disabling virus and threat protection
+- Disabling real-time protection
+- Turning off behavior monitoring
+- Disabling antivirus (such as IOfficeAntivirus (IOAV))
+- Disabling cloud-delivered protection
 - Removing security intelligence updates
-With Tamper Protection set to **On**, you can still change these settings in the Windows Security app. 
The following apps and methods can't change these settings:
+## How it works
-- Mobile device management (MDM) apps like Intune
-- Enterprise configuration management apps like System Center Configuration Manager (SCCM)
-- Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures
-- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup)
-- Group Policy
-- Other Windows Management Instrumentation (WMI) apps
+ Tamper Protection essentially locks Microsoft Defender and prevents your security settings from being changed through apps and methods like these:
+- Configuring settings in Registry Editor on your Windows machine
+- Changing settings through PowerShell cmdlets
+- Editing or removing security settings through group policies
+- and so on.
-The Tamper Protection setting doesn't affect how third party antivirus apps register with the Windows Security app.
+Tamper Protection doesn't prevent you from viewing your security settings. And, Tamper Protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the Tamper Protection setting; this is managed by your security team.
-On computers running Windows 10 Enterprise E5, users can't change the Tamper Protection setting.
+### What do you want to do?
-Tamper Protection is set to **On** by default. If you set Tamper Protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & Threat Protection**. 
+[Turn Tamper Protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine)
-## Configure tamper protection
+[Turn Tamper Protection on (or off) for your organization with Intune (Preview)](#turn-tamper-protection-on-or-off-for-your-organization-with-intune)
+
+## Turn Tamper Protection on (or off) for an individual machine
+
+If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn Tamper Protection on or off. You must have appropriate admin permissions on your machine to perform the following task.
+
+1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**.
+
+2. Select **Virus & threat protection** > **Virus & threat protection settings**.
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Select **Virus & threat protection**, then select **Virus & threat protection settings**.
 3. Set **Tamper Protection** to **On** or **Off**.
->[!NOTE]
->Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
->
->To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later.
->
->Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
+> [!NOTE]
+> Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
+>
+> To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. 
(See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
+>
+> Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
+
+
+## Turn Tamper Protection on (or off) for your organization with Intune
+
+If you are part of your organization's security team, the ability to turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune) is now in preview.
+
+You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
+
+1. Make sure your organization meets the following requirements:
+
+ - Your organization must have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in Microsoft 365 E5. See [Microsoft 365 Enterprise overview](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview) for more details.)
+ - Your organization's devices must be managed by [Intune](https://docs.microsoft.com/intune/device-management-capabilities).
+ - Your Windows machines must be running [Windows OS 1903](https://docs.microsoft.com/windows/release-information/status-windows-10-1903) or later.
+ - You must be using Windows security and update [security intelligence](https://www.microsoft.com/wdsi/definitions) to version 1.287.60.0 (or above)
+ - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). (See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).)
+
+2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account. 
+
+3. Select **Device configuration** > **Profiles**.
+
+4. Create a profile that includes the following settings:
+
+ - **Platform**: Windows 10 and later
+ - **ProfileType**: Endpoint protection
+ - **Settings** > Windows Defender Security Center > Tamper Protection
+
+5. Assign the profile to one or more groups.
+
+## Frequently asked questions
+
+### To which Windows OS versions is configuring Tamper Protection is applicable?
+
+Windows 1903 May release
+
+### Is configuring Tamper Protection in Intune supported on servers?
+
+No
+
+### Will Tamper Protection have any impact on third party antivirus registration?
+
+No, third-party antivirus will continue to register with the Windows Security application.
+
+### What happens if Microsoft Defender is not active on a device?
+
+Tamper Protection will not have any impact on such devices.
+
+### How can I turn Tamper Protection on/off?
+
+If you are home user, see [Turn Tamper Protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine).
+
+If you are an organization using [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage Tamper Protection in Intune similar to how you manage other endpoint protection features. See [Turn Tamper Protection on (or off) for your organization with Intune](#turn-tamper-protection-on-or-off-for-your-organization-with-intune).
+
+
+### How does configuring Tamper Protection in Intune affect how I manage Windows Defender through my group policy?
+
+Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender settings will be ignored when Tamper Protection is on.
+
+### For Microsoft Defender Advanced Threat Protection E5, is configuring Tamper Protection in Intune targeted to the entire organization only? 
+
+Configuring Tamper Protection in Intune can be targeted to your entire organization as well as to devices and user groups with Intune.
+
+### Can I configure Tamper Protection in System Center Configuration Manager?
+
+Currently we do not have support to manage Tamper Protection through System Center Configuration Manager.
+
+### I have the Windows E3 enrollment. Can I use configuring Tamper Protection in Intune?
+
+Currently, configuring Tamper Protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
+
+### What happens if I try to change Microsoft Defender settings in Intune, System Center Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
+
+You won’t be able to change the features that are protected by Tamper Protection; those change requests are ignored.
+
+### I’m an enterprise customer. Can local admins change Tamper Protection on their devices?
+
+No. Local admins cannot change or modify Tamper Protection settings.
+
+### What happens if my device is onboarded with Microsoft Defender Advanced Threat Protection and then goes into an off-boarded state?
+
+In this case, Tamper Protection status changes, and this feature is no longer applied.
+
+### Will there be an alert about Tamper Protection status changing in the Microsoft Defender Advanced Threat Protection portal?
+
+Yes. The alert is shown in [https://microsoft.securitycenter.com](https://microsoft.securitycenter.com) under **Alerts**.
+
+In addition, your security operations team can use hunting queries, such as the following:
+
+`AlertEvents | where Title == "Tamper Protection bypass"`
+
+### Will there be a group policy setting for Tamper Protection?
+
+No. 
+
+## Related resources
+
+[Windows 10 Enterprise Security](https://docs.microsoft.com/windows/security/index)
+
+[Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
+
+[Microsoft 365 Enterprise overview (at a glance)](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview#at-a-glance)
+
+[Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
index 8c57a43727..68c4accc82 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
@@ -29,6 +29,9 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y
 3. Under **Quarantined threats**, click **See full history**.
 4. Click an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.)
+> [!NOTE]
+> You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV.
+
 ## Related topics
 - [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
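Review bot: The new "How it works" list (`+- Configuring settings in Registry Editor on your Windows machine` through `+- and so on.`) drops the concrete enumeration of management paths that the removed text gave — MDM apps like Intune, SCCM, `MpCmdRun.exe -removedefinitions -dynamicsignatures`, the Windows SIM unattended-setup settings DisableAntiSpyware and DisableAntiMalware, Group Policy and WMI — and replaces it with three examples and "and so on". Deployment and security-operations staff rely on that list to know which of their existing automation and imaging steps will be ignored once Tamper Protection is on; the FAQ further down names Intune, SCCM and WMI, but the unattended-setup settings and the MpCmdRun case no longer appear anywhere in the new text. Suggest keeping the removed bullets under "How it works", e.g. `- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup)` and `- Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures`. The removed sentence stating that Tamper Protection is **On** by default also has no replacement; if it is still accurate, it belongs in the Overview, since the default state is what a reader checking exposure most needs. Minor: the FAQ heading `### To which Windows OS versions is configuring Tamper Protection is applicable?` has a doubled "is".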
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index bd9df5835d..def6571abc 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -47,7 +47,6 @@ You can configure and manage Windows Defender Antivirus with:
 > [!NOTE]
 > For more information regarding what's new in each Windows version, please refer to [What's new in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp).
-=======
 ## Minimum system requirements
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
index ac99737410..196c8dc9a2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -11,7 +11,7 @@
 ## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md)
 ### [Types of devices](types-of-devices.md)
-###Use WDAC with custom policies
+### Use WDAC with custom policies
 #### [Create an initial default policy](create-initial-default-policy.md)
 #### [Create path-based rules](create-path-based-rules.md)
 #### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
index 3622d0e101..f762644195 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Add rules for packaged apps to existing AppLocker rule-set
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
index 86c295cf9e..8730c6c545 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
@@ -20,8 +20,8 @@ ms.date: 02/28/2019
 # Administer AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
index d2d3584bf7..f7a0f16873 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # AppLocker architecture and components
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professional describes AppLocker’s basic architecture and its major components.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
index c12a1e59ac..3bfb26bb30 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # AppLocker functions
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index 37045a74e8..7f4112593f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -20,8 +20,8 @@ ms.date: 10/16/2017
 # AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
index 7758f45ec7..e92450d695 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
@@ -21,8 +21,8 @@ ms.date: 09/21/2017
 # AppLocker deployment guide
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
index a7258ab473..d723d9a054 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # AppLocker design guide
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
index 6e50eebbd2..3e660d6659 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # AppLocker policy use scenarios
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
index e32e6bf896..54ec678b22 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # AppLocker processes and interactions
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
index c02fce9a90..f289a40fe7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # AppLocker settings
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional lists the settings used by AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
index f330084b0b..031ce25230 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # AppLocker technical reference
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This overview topic for IT professionals provides links to the topics in the technical reference. AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
index ce69d9e064..2dd978d52b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
@@ -20,8 +20,8 @@ ms.date: 06/08/2018
 # Configure an AppLocker policy for audit only
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
index 24f5aeb1ef..36cce5baec 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Configure an AppLocker policy for enforce rules
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
index 018d76dd6b..dfb7c8814a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Add exceptions for an AppLocker rule
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
index 52899e5621..a3a2d593bb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Configure the AppLocker reference device
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
index fffa53c756..c2c55cccf6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
@@ -20,8 +20,8 @@ ms.date: 04/02/2018
 # Configure the Application Identity service
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
index d87b6b2d31..7ac5a2faeb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Create a rule for packaged apps
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
index 9248042379..f7689c76f7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Create a rule that uses a file hash condition
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
index 7d7608f7c8..728693dc35 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Create a rule that uses a path condition
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals shows how to create an AppLocker rule with a path condition.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
index 58609a7102..5a875b4b84 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Create a rule that uses a publisher condition
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
index 8f20bf3c9a..f68602c282 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Create AppLocker default rules
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
index 7afc539899..e0c0cb658f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Create a list of apps deployed to each business group
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
index 859761b9b9..4cb2f24434 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Create Your AppLocker policies
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
index 6fb52b2843..6d75ecfc99 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Create Your AppLocker rules
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
index 84e53cfb2d..be00ebc127 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
@@ -20,8 +20,8 @@ ms.date: 08/02/2018
 # Delete an AppLocker rule
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps to delete an AppLocker rule.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
index 0fe96e42aa..65374479fc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Deploy AppLocker policies by using the enforce rules setting
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
index dd81603afd..058e736230 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Deploy the AppLocker policy into production
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
index 2226a672dd..e03376d487 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Determine the Group Policy structure and rule enforcement
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This overview topic describes the process to follow when you are planning to deploy AppLocker rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
index c8d4acc789..3b75aaec82 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Determine which apps are digitally signed on a reference device
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
index e1b0bef761..7f43b4f3cd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Determine your application control objectives
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
index c39d07f07a..f87c93e451 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Display a custom URL message when users try to run a blocked app
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
index 60741a87ed..ec45f1d75e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # DLL rules in AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic describes the file formats and available default rules for the DLL rule collection.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index 415d381cc4..44a181aa71 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Document the Group Policy structure and AppLocker rule enforcement
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
index 1ea62b509f..3cac5abbce 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Document your app list
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
index a748a0fb9d..2147e2fe3f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Document your AppLocker rules
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index 08db847c8a..03b04a1190 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Edit an AppLocker policy
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps required to modify an AppLocker policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
index 8bf42722e6..028a8237bc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Edit AppLocker rules
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
index 1f45a8cb4d..575de45499 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Enable the DLL rule collection
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
index e34cd10524..b396db1cfb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Enforce AppLocker rules
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes how to enforce application control rules by using AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
index 09e13411bb..ffdc7ace8c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Executable rules in AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic describes the file formats and available default rules for the executable rule collection.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
index 579f6a1677..0443b67c6b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Export an AppLocker policy from a GPO
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
index 1d42dabe51..6856386f4a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Export an AppLocker policy to an XML file
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
index 6d259a430f..b4adeb4b33 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # How AppLocker works
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
index cd3f2ab32d..eaa7c7aa78 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Import an AppLocker policy from another computer
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes how to import an AppLocker policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
index 07ffba8bd0..ac5ac53cd5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Import an AppLocker policy into a GPO
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). AppLocker policies can be created as local security policies and modified like any other local security policy, or they can be created as part of a GPO and managed by using Group Policy. You can create AppLocker policies on any supported computer. For info about which Windows editions are supported, see [Requirements to Use AppLocker](requirements-to-use-applocker.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
index af959d3197..20b1b50dae 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Maintain AppLocker policies
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic describes how to maintain rules within AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
index bd4497b964..3a9dee486d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Manage packaged apps with AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
index 575ad0d393..47c7db9884 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Merge AppLocker policies by using Set-ApplockerPolicy
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
index 0ccb16202c..f40ead0fc0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Merge AppLocker policies manually
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
index 72378b52ca..9d03415f49 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Monitor app usage with AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
index 50e84edb7a..d669f7c890 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Optimize AppLocker performance
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes how to optimize AppLocker policy enforcement.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
index eb87d51320..1057121e64 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 10/13/2017
 # Packaged apps and packaged app installer rules in AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic explains the AppLocker rule collection for packaged app installers and packaged apps.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
index d0e2f069fe..90bf198903 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Plan for AppLocker policy management
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
index de3556a475..9e6a10f475 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Refresh an AppLocker policy
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps to force an update for an AppLocker policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
index b1187d6b13..5bfe8d38ed 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Requirements for deploying AppLocker policies
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
index edcc2be0d3..ded7e2d592 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Requirements to use AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
index a0a509e1ae..a87df1bc69 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Run the Automatically Generate Rules wizard
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index 068f4f5786..1854e961d1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Script rules in AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic describes the file formats and available default rules for the script rule collection.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
index 2fbfbf63aa..bde5f92033 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Security considerations for AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional describes the security considerations you need to address when implementing AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
index 74fe7bc8ec..4daacad66d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Select the types of rules to create
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic lists resources you can use when selecting your application control policy rules by using AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
index dd5cb6b46d..00511d0f23 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Test an AppLocker policy by using Test-AppLockerPolicy
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
index e1d63a2f9d..6306c10479 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Test and update an AppLocker policy
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic discusses the steps required to test an AppLocker policy prior to deployment.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
index d3666a1e1e..974a0000cc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Tools to use with AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional describes the tools available to create and administer AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
index 38e080a194..0cd67f03d8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Understand AppLocker enforcement settings
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic describes the AppLocker enforcement settings for rule collections.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
index 29a92cb366..fedd0c187e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
@@ -20,8 +20,8 @@ ms.date: 10/13/2017
 # Understand AppLocker policy design decisions
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
index 60372d5be9..eef85dda63 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Understand AppLocker rules and enforcement setting inheritance in Group Policy
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
index cf93b27a4b..5e0c80b55d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Understand the AppLocker policy deployment process
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
index 50811e33c0..f9cdae7831 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Understanding AppLocker allow and deny actions on rules
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic explains the differences between allow and deny actions on AppLocker rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
index aab40287b6..d2d2d98598 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Understanding AppLocker default rules
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
index fb7afc79b9..cbb7806a6b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Understanding AppLocker rule behavior
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
index f2788d4bfc..0392b51405 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Understanding AppLocker rule collections
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic explains the five different types of AppLocker rules used to enforce AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
index f937e73090..ace4b89837 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Understanding AppLocker rule condition types
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional describes the three types of AppLocker rule conditions.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
index 08aeb4091d..9420c1f20f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Understanding AppLocker rule exceptions
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic describes the result of applying AppLocker rule exceptions to rule collections.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
index 3bb3ba52c4..b0e028c79d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Understanding the file hash rule condition in AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
index 0e59ec885b..95863340c0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Understanding the path rule condition in AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
index 52259c9248..73bd0d992a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Understanding the publisher rule condition in AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
index 9c5076e4c6..adf5eb6279 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
@@ -21,8 +21,8 @@ ms.date: 09/21/2017
 # Use a reference device to create and maintain AppLocker policies
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
index 1f70ea7e87..828934ca43 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Use AppLocker and Software Restriction Policies in the same domain
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
index 0f4a4872cf..58edb0059e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Use the AppLocker Windows PowerShell cmdlets
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
index a3834e3625..78c04357c6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Using Event Viewer with AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic lists AppLocker events and describes how to use Event Viewer with AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
index 3583e3fd1b..1dd5197ddd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Use Software Restriction Policies and AppLocker policies
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
index a3c525fbfa..2ddcbb332e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # What Is AppLocker?
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
index a853be9f44..50fff5a7b2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Windows Installer rules in AppLocker
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic describes the file formats and available default rules for the Windows Installer rule collection.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
index d3c403d633..2bde016bc2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Working with AppLocker policies
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
index c899126846..1b92efcccf 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
@@ -18,8 +18,8 @@ ms.date: 08/27/2018
 # Working with AppLocker rules
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md
index abaa31c6ff..d7f2a132fb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Create your Windows Defender Application Control (WDAC) planning document
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This planning topic for the IT professional summarizes the information you need to research and include in your WDAC planning document.
diff --git a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md
index 6a6df72992..f29188cd79 100644
--- a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md
+++ b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
 # Document your application control management processes
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This planning topic describes the Windows Defender Application Control (WDAC) policy maintenance information to record for your design document.
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
index 44ff0aa926..e9719fd4e4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
@@ -18,8 +18,8 @@ ms.author: dansimp
 # Windows Defender Application Control design guide
 **Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
 This guide covers design and planning for Windows Defender Application Control (WDAC). It is intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
deleted file mode 100644
index 0a5a679109..0000000000
--- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
+++ /dev/null
@@ -1,118 +0,0 @@
----
-title: Compare the features in Exploit protection with EMET
-keywords: emet, enhanced mitigation experience toolkit, configuration, exploit, compare, difference between, versus, upgrade, convert
-description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET.
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
-ms.date: 08/08/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->[!IMPORTANT]
->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP.
->
->You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
-
-This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Microsoft Defender ATP.
-
-Exploit protection in Microsoft Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
-
-EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques.
-
-After July 31, 2018, it will not be supported.
- -For more information about the individual features and mitigations available in Microsoft Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: - -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) - - - ## Feature comparison - - The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard. - -  | Windows Defender Exploit Guard | EMET - -|:-:|:-: -Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)]
                  All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Windows 8.1; Windows 8; Windows 7
                  Cannot be installed on Windows 10, version 1709 and later -Installation requirements | [Windows Security in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
                  (no additional installation required)
                  Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device -User interface | Modern interface integrated with the [Windows Security app](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training -Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
                  [Part of the Windows 10 support lifecycle](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
                  Ends after July 31, 2018 -Updates | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]
                  No planned updates or development -Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)]
                  All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
                  [Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Limited set of mitigations -Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
                  [Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Limited ruleset configuration only for modules (no processes) -Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
                  Not available -Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Helps protect important folders](controlled-folders-exploit-guard.md)
                  [Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
                  Not available -Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Use Windows Security app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Requires installation and use of EMET tool -Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Available -Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Requires use of EMET tool (EMET_CONF) -System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
                  Not available -Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
                  Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
                  With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
                  [Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/secure-score-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Limited Windows event log monitoring -Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
                  Limited to EAF, EAF+, and anti-ROP mitigations - -([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). - -([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [Exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. - -## Mitigation comparison - -The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection-exploit-guard.md). - -The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection. - -Mitigation | Available in Windows Defender Exploit Guard | Available in EMET --|:-:|:-: -Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                  As "Memory Protection Check" -Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                  As "Load Library Check" -Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Included natively in Windows 10
                  See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.svg)] -Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
                  See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] -Block low integrity images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Code integrity guard | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Disable extension points | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] - - ->[!NOTE] ->The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. 
-> ->See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. - - -## Related topics - -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Enable exploit protection](enable-exploit-protection.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) - - diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md deleted file mode 100644 index 7a23a23e04..0000000000 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -title: Evaluate the impact of Windows Defender Exploit Guard -description: Use our evaluation guides to quickly enable and configure features, and test them against common attack scenarios -keywords: evaluate, guides, evaluation, exploit guard, controlled folder access, attack surface reduction, exploit protection, network protection, test, demo -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: levinec -ms.author: ellevin -ms.date: 05/30/2018 -ms.reviewer: -manager: dansimp ---- - -# Evaluate Windows Defender Exploit Guard - -**Applies to:** - -- Windows 10, version 1709 and later -- Windows Server 2016 - -Windows Defender Exploit Guard is a collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software. - -Windows Defender Exploit Guard is comprised of four features. We've developed evaluation guides for each of the features so you can easily and quickly see how they work and determine if they are suitable for your organization. - ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. - -Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisites are. 
- -- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) -- [Evaluate controlled folder access](evaluate-controlled-folder-access.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Evaluate network protection](evaluate-network-protection.md) - -You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits: - -- [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) - -## Related topics - -| Topic | Description | -|-------|-------------| -| | | - -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Protect your network](network-protection-exploit-guard.md) -- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md deleted file mode 100644 index d701915788..0000000000 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ /dev/null 
@@ -1,174 +0,0 @@ ---- -title: Apply mitigations to help prevent attacks through vulnerabilities -keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet -description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET. -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: levinec -ms.author: ellevin -ms.date: 04/02/2019 -ms.reviewer: -manager: dansimp ---- - -# Protect devices from exploits - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. - -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803. - ->[!TIP] ->You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. - -Exploit protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). - -You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once. - -When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. 
You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. - -You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled. - -Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. - ->[!IMPORTANT] ->If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. - ->[!WARNING] ->Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. 
- -## Review exploit protection events in the Microsoft Security Center - -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. - -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how exploit protection settings could affect your environment. - -Here is an example query: - -``` -MiscEvents -| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection' -``` - -## Review exploit protection events in Windows Event Viewer - -You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app: - -Provider/source | Event ID | Description --|:-:|- -Security-Mitigations | 1 | ACG audit -Security-Mitigations | 2 | ACG enforce -Security-Mitigations | 3 | Do not allow child processes audit -Security-Mitigations | 4 | Do not allow child processes block -Security-Mitigations | 5 | Block low integrity images audit -Security-Mitigations | 6 | Block low integrity images block -Security-Mitigations | 7 | Block remote images audit -Security-Mitigations | 8 | Block remote images block -Security-Mitigations | 9 | Disable win32k system calls audit -Security-Mitigations | 10 | Disable win32k system calls block -Security-Mitigations | 11 | Code integrity guard audit -Security-Mitigations | 12 | Code integrity guard block -Security-Mitigations | 13 | EAF audit -Security-Mitigations | 14 | EAF enforce -Security-Mitigations | 15 | EAF+ audit -Security-Mitigations | 16 | EAF+ enforce -Security-Mitigations | 17 | IAF audit -Security-Mitigations | 18 | IAF enforce -Security-Mitigations | 19 | ROP StackPivot audit -Security-Mitigations | 20 | ROP StackPivot enforce 
-Security-Mitigations | 21 | ROP CallerCheck audit -Security-Mitigations | 22 | ROP CallerCheck enforce -Security-Mitigations | 23 | ROP SimExec audit -Security-Mitigations | 24 | ROP SimExec enforce -WER-Diagnostics | 5 | CFG Block -Win32K | 260 | Untrusted Font - -## Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard - ->[!IMPORTANT] ->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. -> ->You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. - -This section compares exploit protection in Microsoft Defender ATP with the Enhance Mitigation Experience Toolkit (EMET) for reference. -The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard. - -  | Windows Defender Exploit Guard | EMET - -|:-:|:-: -Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)]
                  All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Windows 8.1; Windows 8; Windows 7
                  Cannot be installed on Windows 10, version 1709 and later -Installation requirements | [Windows Security in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
                  (no additional installation required)
                  Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device -User interface | Modern interface integrated with the [Windows Security app](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training -Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
                  [Part of the Windows 10 support lifecycle](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
                  Ends after July 31, 2018 -Updates | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]
                  No planned updates or development -Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)]
                  All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
                  [Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Limited set of mitigations -Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
                  [Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Limited ruleset configuration only for modules (no processes) -Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
                  Not available -Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Helps protect important folders](controlled-folders-exploit-guard.md)
                  [Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
                  Not available -Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Use Windows Security app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Requires installation and use of EMET tool -Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Available -Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Requires use of EMET tool (EMET_CONF) -System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
                  Not available -Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
                  Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
                  With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
                  [Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/secure-score-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Limited Windows event log monitoring -Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
                  [Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
                  Limited to EAF, EAF+, and anti-ROP mitigations - -([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). - -([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. - -## Mitigation comparison - -The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection-exploit-guard.md). - -The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. - -Mitigation | Available in Windows Defender Exploit Guard | Available in EMET --|:-:|:-: -Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                  As "Memory Protection Check" -Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                  As "Load Library Check" -Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.svg)]
                  Included natively in Windows 10
                  See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.svg)] -Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
                  See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] -Block low integrity images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Code integrity guard | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Disable extension points | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] - ->[!NOTE] ->The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. 
->
->See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
-
-
-## Related topics
-
-- [Protect devices from exploits](exploit-protection-exploit-guard.md)
-- [Evaluate exploit protection](evaluate-exploit-protection.md)
-- [Enable exploit protection](enable-exploit-protection.md)
-- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
-- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/graphics.md b/windows/security/threat-protection/windows-defender-exploit-guard/graphics.md
deleted file mode 100644
index 111bb99fc5..0000000000
--- a/windows/security/threat-protection/windows-defender-exploit-guard/graphics.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-ms.date: 09/18/2017
-ms.reviewer:
-manager: dansimp
-ms.author: ellevin
-author: levinec
----
-Check mark no
-
-
-Check mark yes
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png
deleted file mode 100644
index bab791f3c0..0000000000
Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_75.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_75.png
deleted file mode 100644
index de277c05e1..0000000000
Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_75.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_empty.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_empty.png
deleted file mode 100644
index 97f905f5ea..0000000000
Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_empty.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png
deleted file mode 100644
index 2bc45259d3..0000000000
Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/turn-windows-features-on-or-off.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/turn-windows-features-on-or-off.png
deleted file mode 100644
index 8d47a53b51..0000000000
Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/turn-windows-features-on-or-off.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md b/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md
deleted file mode 100644
index eedb76c8dc..0000000000
--- a/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md
+++ /dev/null
@@ -1,30 +0,0 @@
-# [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
-
-## [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
-### [Use auditing mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
-### [View Exploit Guard events](event-views-exploit-guard.md)
-
-## [Exploit protection](exploit-protection-exploit-guard.md)
-### [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-### [Evaluate Exploit protection](evaluate-exploit-protection.md)
-### [Enable Exploit protection](enable-exploit-protection.md)
-### [Customize Exploit protection](customize-exploit-protection.md)
-#### [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
-### [Memory integrity](memory-integrity.md)
-#### [Requirements for virtualization-based protection of code integrity](requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-#### [Enable virtualization-based protection of code integrity](enable-virtualization-based-protection-of-code-integrity.md)
-## [Attack surface reduction](attack-surface-reduction-exploit-guard.md)
-### [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)
-### [Enable Attack surface reduction](enable-attack-surface-reduction.md)
-### [Customize Attack surface reduction](customize-attack-surface-reduction.md)
-### [Troubleshoot Attack surface reduction rules](troubleshoot-asr.md)
-## [Network Protection](network-protection-exploit-guard.md)
-### [Evaluate Network Protection](evaluate-network-protection.md)
-### [Enable Network Protection](enable-network-protection.md)
-### [Troubleshoot Network protection](troubleshoot-np.md)
-## [Controlled folder access](controlled-folders-exploit-guard.md)
-### [Evaluate Controlled folder access](evaluate-controlled-folder-access.md)
-### [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md)
-### [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/prerelease.md b/windows/security/threat-protection/windows-defender-exploit-guard/prerelease.md
deleted file mode 100644
index 6e993c8c0a..0000000000
--- a/windows/security/threat-protection/windows-defender-exploit-guard/prerelease.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-ms.date: 08/25/2017
-ms.reviewer:
-manager: dansimp
-ms.author: ellevin
-author: levinec
----
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
deleted file mode 100644
index a60d5f5a24..0000000000
--- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: Use Windows Defender Exploit Guard to protect your network
-description: Windows Defender EG employs features that help protect your network from threats, including helping prevent ransomware encryption and exploit attacks
-keywords: emet, exploit guard, Controlled folder access, Network protection, Exploit protection, Attack surface reduction, hips, host intrusion prevention system
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-ms.date: 08/09/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Windows Defender Exploit Guard
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.
-
-There are four features in Windows Defender EG:
-
-- [Exploit protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV).
-- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV.
-- [Network protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV.
-- [Controlled folder access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV.
-
-Windows 10, version 1803 provides additional protections:
-
-- New Attack surface reduction rules
-- Controlled folder access can now block disk sectors
-
-You can evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action:
-- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
-
-
-You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for the features, which provides you with basic event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security.
-
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work.
-
-Windows Defender EG can be managed and reported on in the Windows Security app as part of the Microsoft Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies.
-
-You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). You can [sign up for a free trial of Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works.
-
-## Requirements
-
-This section covers requirements for each feature in Windows Defender EG.
-
-| Symbol | Support |
-|--------|---------|
-| ![not supported](./images/ball_empty.png) | Not supported |
-| ![supported](./images/ball_50.png) | Supported |
-| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Microsoft Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.|
-
-| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 Enterprise | Windows 10 with Enterprise E3 subscription | Windows 10 with Enterprise E5 subscription |
-| ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | :--------------------------------------: |
-| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
-| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
-| Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
-| Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
-
->[!NOTE]
-> The [Identity & Threat Protection package](https://www.microsoft.com/microsoft-365/blog/2019/01/02/introducing-new-advanced-security-and-compliance-offerings-for-microsoft-365/), available for Microsoft 365 E3 customers, provides the same Windows Defender ATP capabilities as the Enterprise E5 subscription.
-
-The following table lists which features in Windows Defender EG require enabling [real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) from Windows Defender Antivirus.
-
-| Feature | Real-time protection |
-|-----------------| ------------------------------------ |
-| Exploit protection | No requirement |
-| Attack surface reduction rules | Must be enabled |
-| Network protection | Must be enabled |
-| Controlled folder access | Must be enabled |
-
- ## In this library
-
-Topic | Description
----|---
-[Protect devices from exploits](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
-[Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts.
-[Protect your network](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors.
-[Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
-
-
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
index ca32f2c55a..001c490193 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: dansimp
 ms.author: dansimp
 ms.date: 04/30/2018
@@ -16,64 +17,63 @@ ms.reviewer: manager: dansimp --- - # App and browser control **Applies to** - Windows 10, version 1703 and later - The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview). -In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at the [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) topic in the Windows Defender Exploit Guard library. +In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](../microsoft-defender-atp/exploit-protection.md). You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. - ## Prevent users from making changes to the Exploit protection area in the App & browser control section You can prevent users from modifying settings in the Exploit protection area. The settings will be either greyed out or not appear if you enable this setting. Users will still have access to other settings in the App & browser control section, such as those for Windows Defender SmartScreen, unless those options have been configured separately. You can only prevent users from modifying Exploit protection settings by using Group Policy. 
->[!IMPORTANT] ->### Requirements +> [!IMPORTANT] > ->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +> ### Requirements +> +> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Security > App and browser protection**. +3. Expand the tree to **Windows components > Windows Security > App and browser protection**. -6. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**. +4. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). ## Hide the App & browser control section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. 
+You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. This can only be done in Group Policy. ->[!IMPORTANT] ->### Requirements +> [!IMPORTANT] > ->You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +> ### Requirements +> +> You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Security > App and browser protection**. +3. Expand the tree to **Windows components > Windows Security > App and browser protection**. -6. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**. +4. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). 
->[!NOTE] ->If you hide all sections then the app will show a restricted interface, as in the following screenshot: -> ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +> [!NOTE] +> If you hide all sections then the app will show a restricted interface, as in the following screenshot: +> +> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index 9692fa9046..d84d263388 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md 
@@ -30,23 +30,23 @@ manager: dansimp - Group Policy -You can add information about your organization in a contact card to the Windows Security app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support. +You can add information about your organization in a contact card to the Windows Security app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support. -![](images/security-center-custom-flyout.png) +![The security center custom fly-out](images/security-center-custom-flyout.png) -This information will also be shown in some enterprise-specific notifications (including those for [Windows Defender Exploit Guard](/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard), the [Block at first sight feature](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus). - -![](images/security-center-custom-notif.png) +This information will also be shown in some enterprise-specific notifications (including those for the [Block at first sight feature](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus). 
+![A security center notification](images/security-center-custom-notif.png) Users can click on the displayed information to initiate a support request: + - Clicking **Call** or the phone number will open Skype to start a call to the displayed number - Clicking **Email** or the email address will create a new email in the machine's default email app address to the displayed email - Clicking **Help portal** or the website URL will open the machine's default web browser and go to the displayed address ## Requirements -You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. ## Use Group Policy to enable and customize contact information 
@@ -54,29 +54,26 @@ There are two stages to using the contact card and customized notifications. Fir This can only be done in Group Policy. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Security > Enterprise Customization**. +3. Expand the tree to **Windows components > Windows Security > Enterprise Customization**. -6. You enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 7 and 8), and you can enable both or only one or the other: +4. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 5 and 6). You can enable both, or slect one or the other: 1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**. 2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**. -7. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. 
Enter your company or organization's name in the field in the **Options** section. Click **OK**. +5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**. -8. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings by opening them, setting them to **Enabled** and adding the contact information in the field under **Options**: +6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings by opening them, setting them to **Enabled** and adding the contact information in the field under **Options**: 1. **Specify contact email address or Email ID** 2. **Specify contact phone number or Skype ID** 3. **Specify contact website** -9. Click **OK** after configuring each setting to save your changes. - +7. Click **OK** after configuring each setting to save your changes. >[!IMPORTANT] >You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized. - - diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index a12e0b136b..af8816db71 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -16,10 +16,6 @@ ms.reviewer: manager: dansimp --- - - - - # The Windows Security app **Applies to** 
@@ -29,6 +25,7 @@ manager: dansimp This library describes the Windows Security app, and provides information on configuring certain features, including: + - [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md) - [Hiding notifications](wdsc-hide-notifications.md) 
@@ -38,33 +35,32 @@ In Windows 10, version 1803, the app has two new areas, **Account protection** a ![Screen shot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png) ->[!NOTE] ->The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). +> [!NOTE] +> The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). You can't uninstall the Windows Security app, but you can do one of the following: -- Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016). +- Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016). - Hide all of the sections on client computers (see below). - Disable Windows Defender Antivirus, if needed. See [Enable and configure Windows Defender AV always-on protection and monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). 
You can find more information about each section, including options for configuring the sections - such as hiding each of the sections - at the following topics: - -- [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including the Controlled folder access feature of Windows Defender Exploit Guard and sign-in to Microsoft OneDrive. -- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. +- [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including Controlled folder access, and sign-in to Microsoft OneDrive. +- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. - [Firewall & network protection](wdsc-firewall-network-protection.md), which has information and access to firewall settings, including Windows Defender Firewall. - [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations. - [Device security](wdsc-device-security.md), which provides access to built-in device security settings. - [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues. - [Family options](wdsc-family-options.md), which includes access to parental controls along with tips and information for keeping kids safe online. 
- ->[!NOTE] ->If you hide all sections then the app will show a restricted interface, as in the following screenshot: -> ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +> [!NOTE] +> If you hide all sections then the app will show a restricted interface, as in the following screenshot: +> +> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) ## Open the Windows Security app + - Click the icon in the notification area on the taskbar. ![Screen shot of the icon for the Windows Security app on the Windows task bar](images/security-center-taskbar.png) 
@@ -75,34 +71,30 @@ You can find more information about each section, including options for configur ![Screen shot of Windows Settings showing the different areas available in the Windows Security](images/settings-windows-defender-security-center-areas.png) - > [!NOTE] > Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. - - ## How the Windows Security app works with Windows security features - ->[!IMPORTANT] ->Windows Defender AV and the Windows Security app use similarly named services for specific purposes. -> ->The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. -> +> [!IMPORTANT] +> Windows Defender AV and the Windows Security app use similarly named services for specific purposes. +> +> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. +> >These services do not affect the state of Windows Defender AV. 
Disabling or modifying these services will not disable Windows Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product. -> +> >Windows Defender AV will be [disabled automatically when a third-party antivirus product is installed and kept up to date](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). -> ->Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). +> +> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). > [!WARNING] -> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. -> ->It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. -> ->This will significantly lower the protection of your device and could lead to malware infection. +> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. +> +> It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. 
+> +> This will significantly lower the protection of your device and could lead to malware infection. -The Windows Security app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. +The Windows Security app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. It acts as a collector or single place to see the status and perform some configuration for each of the features. @@ -112,18 +104,3 @@ Disabling any of the individual features (through Group Policy or other manageme > Individually disabling any of the services will not disable the other services or the Windows Security app. For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. - - - - - - - - - - - - - - - diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index bf20974a75..cde7dc4fc5 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/11/2019 --- # Create Windows Firewall rules in Intune 
@@ -35,29 +34,7 @@ Select Windows Defender Firewall.
## Firewall rule components
-Following table has description for each field.
-
-
-| Property | Type | Description |
-|----------|------|-------------|
-| DisplayName | String | The display name of the rule. Does not need to be unique. |
-| Description | String | The description of the rule. |
-| PackageFamilyName | String | The package family name of a Microsoft Store application that's affected by the firewall rule. |
-| FilePath | String | The full file path of an app that's affected by the firewall rule. |
-| FullyQualifiedBinaryName | String | The fully qualified binary name. |
-| ServiceName | String | The name used in cases when a service, not an application, is sending or receiving traffic. |
-| Protocol | Nullable Integer - default value is null which maps to All | 0-255 number representing the [IP protocol](https://www.wikipedia.org/wiki/List_of_IP_protocol_numbers) (TCP = 6, UDP = 17). If not specified, the default is All. |
-| LocalPortRanges | String array | List of local port ranges. For example, "100-120", "200", "300-320". If not specified, the default is All. |
-| RemotePortRanges | String array | List of remote port ranges. For example, "100-120", "200", "300-320". If not specified, the default is All. |
-| LocalAddressRanges | String array | List of local addresses covered by the rule. Valid tokens include:
                  - "\*" indicates any local address. If present, this must be the only token included.
                  - A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
                  - A valid IPv6 address.
                  - An IPv4 address range in the format of "start address - end address" with no spaces included.
                  - An IPv6 address range in the format of "start address - end address" with no spaces included.
                  Default is any address. | -| RemoteAddressRanges | String array | List of tokens specifying the remote addresses covered by the rule.Tokens are case insensitive. Valid tokens include:
                  - "\*" indicates any remote address. If present, this must be the only token included.
                  - "Defaultgateway"
                  - "DHCP"
                  - "DNS"
                  - "WINS"
                  - "Intranet"
                  - "RmtIntranet"
                  - "Internet"
                  - "Ply2Renders"
                  - "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
                  - A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
                  - A valid IPv6 address.
                  - An IPv4 address range in the format of "start address - end address" with no spaces included.
                  - An IPv6 address range in the format of "start address - end address" with no spaces included.
                  Default is any address. | -| ProfileTypes | WindowsFirewallNetworkProfileTypes | Specifies the profiles to which the rule belongs. If not specified, the default is All. | -| Action| StateManagementSetting | The action the rule enforces. If not specified, the default is Allowed. | -| TrafficDirection | WindowsFirewallRuleTrafficDirectionType | The traffic direction that the rule is enabled for. If not specified, the default is Out. | -| InterfaceTypes | WindowsFirewallRuleInterfaceTypes | The interface types of the rule. | -| EdgeTraversal | StateManagementSetting | Indicates whether edge traversal is enabled or disabled for this rule.
                  The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
                  New rules have the EdgeTraversal property disabled by default. |
-| LocalUserAuthorizations | String | Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format. |
-
+The firewall rule configurations in Intune use the Windows 10 CSP for Firewall. For more information, see [Firewall CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/firewall-csp).
## Application Control connections for an app or program.
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index d9cd25a523..149ba35f1d 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -23,33 +23,33 @@ Microsoft is committed to optimizing the security of its products and services.
The Security Target describes security functionality and assurance measures used to evaluate Windows.
- - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
- - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
- - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
- - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
- - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
- - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
- - [Microsoft Windows 10 IPsec VPN 
Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
- - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
- - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
- - [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
- - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
- - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf)
- - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf)
- - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf)
- - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf)
- - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf)
- - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
- - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
- - [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
- - [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305)
- - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
- - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
- - [Windows Vista and Windows Server 2008 at 
EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
- - [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf)
- - [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
- - [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
+- [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
+- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
+- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
+- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
+- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
+- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
+- [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN 
Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
+- [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
+- [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
+- [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
+- [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
+- [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
+- [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf)
+- [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf)
+- [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf)
+- [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf)
+- [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf)
+- [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
+- [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
+- [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
+- [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305)
+- [Windows Vista and Windows Server 2008 at 
EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
+- [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
+- [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
+- [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf)
+- [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
+- [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
## Common Criteria Deployment and Administration
@@ -59,77 +59,77 @@ These documents describe how to configure Windows to replicate the configuration
**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2**
-
- - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
- - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
- - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
- - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
- - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
- - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
- - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
- - [Microsoft Windows 10 November 2015 
Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
- - [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
- - [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
- - [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf)
+
+- [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
+- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
+- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
+- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
+- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
+- [Microsoft Windows 10 (Anniversary Update) and 
Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
+- [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
+- [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
+- [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
+- [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
+- [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
+- [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf)
**Windows 8.1 and Windows Phone 8.1**
- - [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
- - [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin 
Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
+- [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
+- [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
**Windows 8, Windows RT, and Windows Server 2012**
- - [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
- - [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
- - [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
- - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
+- [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
+- [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
+- [Windows 8 and Windows Server 2012 
BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
+- [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
**Windows 7 and Windows Server 2008 R2**
- - [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
- - [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308)
+- [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
+- [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308)
**Windows Vista and Windows Server 2008**
- - [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
- - [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
+- [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
+- [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
**Windows Server 2003 SP2 including R2, x64, and Itanium**
- - [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 
3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949)
- - [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc)
+- [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949)
+- [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc)
**Windows Server 2003 SP1(x86), x64, and IA64**
- - [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef)
- - [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8)
+- [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef)
+- [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8)
**Windows Server 2003 SP1**
- - [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc)
- - [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38)
+- [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc)
+- [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38)
**Windows XP Professional SP2 (x86) and x64 Edition**
- - [Windows XP Common Criteria Administrator Guide 
3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee)
- - [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694)
- - [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779)
- - [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431)
- - [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54)
- - [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569)
+- [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee)
+- [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694)
+- [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779)
+- [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431)
+- [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54)
+- [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569)
**Windows XP Professional SP2, and XP Embedded SP2**
- - [Windows XP Professional Administrator's 
Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60)
- - [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de)
- - [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8)
+- [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60)
+- [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de)
+- [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8)
**Windows Server 2003 Certificate Server**
- - [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
- - [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
- - [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
+- [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
+- [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
+- [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
## Common Criteria Evaluation Technical Reports and Certification / Validation Reports
@@ -137,41 +137,40 @@ These documents describe how to configure Windows to replicate the configuration
 An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team.
- - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
- - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
- - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
- - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
- - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
- - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
- - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
- - 
[Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf)
- - [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
- - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf)
- - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf)
- - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf)
- - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf)
- - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf)
- - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf)
- - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
- - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
- - [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
- - [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
- - [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
- - [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
- - [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef)
- - [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658)
- - [Windows Server 2003 SP2 
including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- - [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- - [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- - [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265)
- - [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf)
- - [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
- - [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
- - [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
+- [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
+- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
+- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
+- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
+- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary 
Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
+- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
+- [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
+- [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
+- [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
+- [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf)
+- [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
+- [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf)
+- [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf)
+- [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf)
+- [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf)
+- [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf)
+- [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf)
+- [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
+- [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
+- [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
+- [Windows 
Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
+- [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
+- [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
+- [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef)
+- [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658)
+- [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+- [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+- [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+- [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265)
+- [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf)
+- [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
+- [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
+- [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
 ## Other Common Criteria Related Documents
- - [Identifying Windows XP and Windows Server 2003 
Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc)
-
+- [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc)
diff --git a/windows/whats-new/images/virus-and-threat-protection.png b/windows/whats-new/images/virus-and-threat-protection.png
index f5fd5287bc..f289d22531 100644
Binary files a/windows/whats-new/images/virus-and-threat-protection.png and b/windows/whats-new/images/virus-and-threat-protection.png differ
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 129309368a..4c6f69c1a2 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md 
@@ -1,631 +1,631 @@
----
-title: What's new in Windows 10 Enterprise 2019 LTSC
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB).
-keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"]
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.localizationpriority: low
-ms.topic: article
----
-
-# What's new in Windows 10 Enterprise 2019 LTSC
-
-**Applies to**
-- Windows 10 Enterprise 2019 LTSC
-
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
-
->[!NOTE]
->Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809.
-
-Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as:
- - Advanced protection against modern security threats
- - Full flexibility of OS deployment
- - Updating and support options
- - Comprehensive device and app management and control capabilities
-
-The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below.
-
->[!IMPORTANT]
->The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited.
-
-## Microsoft Intune
-
->Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching.
-
-## Security
-
-This version of Window 10 includes security improvements for threat protection, information protection, and identity protection.
-
-### Threat protection
-
-#### Windows Defender ATP
-
-The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management.
-
-![Windows Defender ATP](../images/wdatp.png)
-
-##### Attack surface reduction
-
-Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard).
-
- This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether.
-
- When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page.
-
-###### Windows Defender Firewall
-
-Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/windows/wsl/release-notes#build-17618-skip-ahead).
-
-##### Windows Defender Device Guard
-
-[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including:
-- Software-based protection provided by code integrity policies
-- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI)
-
-But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control).
-
-### Next-gen protection
-
-#### Office 365 Ransomware Detection
-
-For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
-
-### Endpoint detection and response
-
-Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal.
-
- Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus).
-
- We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). The new library includes information on:
-- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus)
-- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus)
-- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus)
-- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features)
-- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus)
-
- Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus).
-
- New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include:
-- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
-- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus)
-- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus)
-
- We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
-
- **Endpoint detection and response** is also enhanced. New **detection** capabilities include:
-- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
- - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
- - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks.
- - Upgraded detections of ransomware and other advanced attacks.
- - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed.
-
- **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach:
-- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
- - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
-
-Additional capabilities have been added to help you gain a holistic view on **investigations** include:
- - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
- - [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
- - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
- - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
- - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
- - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP.
-
-Other enhanced security features include:
-- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
-- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
-- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
-- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
-- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
-- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor.
-- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
-
-We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on.
-
-We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**.
-
-This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks).
-
-You can read more about ransomware mitigations and detection capability at:
-- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/)
-- [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf)
-- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/)
-
-Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
-
-Get a quick, but in-depth overview of Windows Defender ATP for Windows 10: [Windows Defender Advanced Threat Protection](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
-
-For more information about features of Windows Defender ATP available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf).
-
-### Information protection
-
-Improvements have been added to Windows Information Protection and BitLocker.
-
-#### Windows Information Protection
-
-Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions).
-
-Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune).
-
-You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs).
-
-This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234).
-
-### BitLocker
-
-The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3).
-
-#### Silent enforcement on fixed drives
-
-Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI.
-
-This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others.
-
-This feature will soon be enabled on Olympia Corp as an optional feature.
-
-#### Delivering BitLocker policy to AutoPilot devices during OOBE
-
-You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins.
-
-For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.
-
-To achieve this:
-
-1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
-2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group.
- **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
-3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices.
- **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.
-
-### Identity protection
-
-Improvements have been added are to Windows Hello for Business and Credential Guard.
-
-#### Windows Hello for Business
-
-New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present.
-
-New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude:
-- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
-- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal.
-- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset).
-
-[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section.
-- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
-- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
-- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
-- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
-- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
-- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).
-
-For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97)
-
-#### Windows Defender Credential Guard
-
-Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
-
-Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions.
-
-For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
-
-### Other security improvments
-
-#### Windows security baselines
-
-Microsoft has released new [Windows security baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10).
-
-**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10).
-
-The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published.
-
-#### SMBLoris vulnerability
-
-An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed.
-
-#### Windows Security Center
-
-Windows Defender Security Center is now called **Windows Security Center**.
-
-You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**.
-
-The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products.
-
-WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
-
-![alt text](../images/defender.png "Windows Security Center")
-
-#### Group Policy Security Options
-
-The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
-
-A new security policy setting
-[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
-
-#### Windows 10 in S mode
-
-We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen:
-
-![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings")
-
-## Deployment
-
-### Windows Autopilot
-
-[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10.
-
-Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information.
-
-Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly.
-
-You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices).
-
-#### Windows Autopilot self-deploying mode
-
-Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot.
-
-This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process.
-
-You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
-
-To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying).
-
-
-#### Autopilot Reset
-
-IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset).
-
-### MBR2GPT.EXE
-
-MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
-
-The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
-
-Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
-
-For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
-
-### DISM
-
-The following new DISM commands have been added to manage feature updates:
-
- DISM /Online /Initiate-OSUninstall
- – Initiates a OS uninstall to take the computer back to the previous installation of windows.
- DISM /Online /Remove-OSUninstall
- – Removes the OS uninstall capability from the computer.
- DISM /Online /Get-OSUninstallWindow
- – Displays the number of days after upgrade during which uninstall can be performed.
- DISM /Online /Set-OSUninstallWindow
- – Sets the number of days after upgrade during which uninstall can be performed.
-
-For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
-
-### Windows Setup
-
-You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once.
-
-Prerequisites:
-- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later.
-- Windows 10 Enterprise or Pro
-
-For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
-
-It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
-
- /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]
-
-For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21)
-
-New command-line switches are also available to control BitLocker:
-
- Setup.exe /BitLocker AlwaysSuspend
- – Always suspend bitlocker during upgrade.
- Setup.exe /BitLocker TryKeepActive
- – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade.
- Setup.exe /BitLocker ForceKeepActive
- – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade.
-
-For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33)
-
-### Feature update improvements
-
-Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/).
-
-### SetupDiag
-
-[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed.
-
-SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
- -## Sign-in - -### Faster sign-in to a Windows 10 shared pc - -If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash! - -**To enable fast sign-in:** -1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC. -2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. -3. Sign-in to a shared PC with your account. You'll notice the difference! - - ![fast sign-in](../images/fastsignin.png "fast sign-in") - -### Web sign-in to Windows 10 - -Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). - -**To try out web sign-in:** -1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). -2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. -3. On the lock screen, select web sign-in under sign-in options. -4. Click the “Sign in” button to continue. - -![Web sign-in](../images/websignin.png "web sign-in") - -## Windows Analytics - -### Upgrade Readiness - ->[!IMPORTANT] ->Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. - -Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. 
The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
-
-The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
-
-For more information about Upgrade Readiness, see the following topics:
-
-- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/)
-- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
-
-Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
-
-### Update Compliance
-
-Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
-
-Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
-
-For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor).
-
-New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates.
For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor).
-
-### Device Health
-
-Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
-
-## Accessibility and Privacy
-
-### Accessibility
-
-"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
-
-### Privacy
-
-In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) app.
-
-## Configuration
-
-### Kiosk configuration
-
-Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10. Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release.
-
-If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](https://docs.microsoft.com/windows/configuration/kiosk-methods) with a semi-annual release channel.
-
-### Co-management
-
-Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
-
-For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
-
-### OS uninstall period
-
-The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period.
-
-### Azure Active Directory join in bulk
-
-Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
-
-![get bulk token action in wizard](../images/bulk-token.png)
-
-### Windows Spotlight
-
-The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences:
-
-- **Turn off the Windows Spotlight on Action Center**
-- **Do not use diagnostic data for tailored experiences**
-- **Turn off the Windows Welcome Experience**
-
-[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight)
-
-### Start and taskbar layout
-
-Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise 2019 LTSC adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management).
-
-[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
-
-- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
-- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton),
[**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep)
-- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist).
-
-## Windows Update
-
-### Windows Update for Business
-
-Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune.
For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
-
-The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
-
-
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
-
-WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
-
-Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune.
For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
-
-The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
-
-
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
-
-WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
-
-### Windows Insider for Business
-
-We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD).
By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business).
-
-You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business).
-
-
-### Optimize update delivery
-
-With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
-
->[!NOTE]
-> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
-
-Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.
-
-Added policies include:
-- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
-- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn)
-- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching)
-- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching)
-- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size)
-
-To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization)
-
-### Uninstalled in-box apps no longer automatically reinstall
-
-Starting with Windows 10 Enterprise 2019 LTSC, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
-
-Additionally, apps de-provisioned by admins on Windows 10 Enterprise 2019 LTSC machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise 2016 LTSC (or earlier) to Windows 10 Enterprise 2019 LTSC.
-
-## Management
-
-### New MDM capabilities
-
-Windows 10 Enterprise 2019 LTSC adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages.
Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
-
-Some of the other new CSPs are:
-
-- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
-
-- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
-
-- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives.
-
-- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections.
-
-- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool.
For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx).
-
-- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
-
-IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents.
-
-[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
-
-MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](https://docs.microsoft.com/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
-
-Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709).
-
-### Mobile application management support for Windows 10
-
-The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise 2019 LTSC.
-
-For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management).
-
-### MDM diagnostics
-
-In Windows 10 Enterprise 2019 LTSC, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
-
-### Application Virtualization for Windows (App-V)
-
-Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise 2019 LTSC introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
-
-For more info, see the following topics:
-- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm)
-- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing)
-- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating)
-- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages)
-
-### Windows diagnostic data
-
-Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level.
-
-- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
-- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703)
-
-### Group Policy spreadsheet
-
-Learn about the new Group Policies that were added in Windows 10 Enterprise 2019 LTSC.
-
-- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250)
-
-### Mixed Reality Apps
-
-This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal.
For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality).
-
-## Networking
-
-### Network stack
-
-Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/).
-
-### Miracast over Infrastructure
-
-In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx).
-
-How it works:
-
-Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
-
-Miracast over Infrastructure offers a number of benefits:
-
-- Windows automatically detects when sending the video stream over this path is applicable.
-- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
-- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
-- No changes to current wireless drivers or PC hardware are required.
-- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. -- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. - -Enabling Miracast over Infrastructure: - -If you have a device that has been updated to Windows 10 Enterprise 2019 LTSC, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: - -- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise 2019 LTSC, or a later OS. -- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. - - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. -- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. - -It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. 
- -## Registry editor improvements - -We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. - -![Registry editor dropdown](../images/regeditor.png "Registry editor dropdown") - -## Remote Desktop with Biometrics - -Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. - -To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. - -- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. -- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. - -See the following example: - -![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") -![Enter your credentials](../images/RDPwBio2.png "Windows Hello personal") -![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") - -## See Also - -[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. +--- +title: What's new in Windows 10 Enterprise 2019 LTSC +ms.reviewer: +manager: laurawi +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB). 
+keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise 2019 LTSC + +**Applies to** +- Windows 10 Enterprise 2019 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809. + +Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: +- Advanced protection against modern security threats +- Full flexibility of OS deployment +- Updating and support options +- Comprehensive device and app management and control capabilities + +The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. + +>[!IMPORTANT] +>The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. + +## Microsoft Intune + +>Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). 
However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching. + +## Security + +This version of Window 10 includes security improvements for threat protection, information protection, and identity protection. + +### Threat protection + +#### Windows Defender ATP + +The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. + +![Windows Defender ATP](../images/wdatp.png) + +##### Attack surface reduction + +Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). + - This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. + - When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. + +###### Windows Defender Firewall + +Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. 
You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/windows/wsl/release-notes#build-17618-skip-ahead). + +##### Windows Defender Device Guard + +[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: +- Software-based protection provided by code integrity policies +- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI) + +But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). + +### Next-gen protection + +#### Office 365 Ransomware Detection + +For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) + +### Endpoint detection and response + +Endpoint detection and response is improved. 
Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal. + + Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). + + We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). 
The new library includes information on: +- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus) +- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) +- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus) +- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) +- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus) + + Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus). 
+ + New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include: +- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) +- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus) +- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) + + We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). + + **Endpoint detection and response** is also enhanced. New **detection** capabilities include: +- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. + - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. 
+ - Upgraded detections of ransomware and other advanced attacks. + - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. + + **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: +- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. + - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. + +Additional capabilities have been added to help you gain a holistic view on **investigations** include: +- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. 
+- [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) +- [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) +- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. +- [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. +- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP. + +Other enhanced security features include: +- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. 
+- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. +- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) + +We've also added a new assessment for the Windows time service to the **Device performance & health** section. 
If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. + +We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. + +This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). 
+ +You can read more about ransomware mitigations and detection capability at: +- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) +- [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) +- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) + +Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) + +Get a quick, but in-depth overview of Windows Defender ATP for Windows 10: [Windows Defender Advanced Threat Protection](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +For more information about features of Windows Defender ATP available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). + +### Information protection + +Improvements have been added to Windows Information Protection and BitLocker. + +#### Windows Information Protection + +Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions). 
+ +Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). + +You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs). + +This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234). + +### BitLocker + +The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). + +#### Silent enforcement on fixed drives + +Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). 
This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. + +This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. + +This feature will soon be enabled on Olympia Corp as an optional feature. + +#### Delivering BitLocker policy to AutoPilot devices during OOBE + +You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. + +For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. + +To achieve this: + +1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. +2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. + - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. +3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. + - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. + +### Identity protection + +Improvements have been added are to Windows Hello for Business and Credential Guard. + +#### Windows Hello for Business + +New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. 
Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. + +New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude: +- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). +- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. +- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). + +[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. +- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). +- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. +- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. +- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. 
Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. +- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. +- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). + +For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) + +#### Windows Defender Credential Guard + +Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. + +Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. + +For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). 
+ +### Other security improvments + +#### Windows security baselines + +Microsoft has released new [Windows security baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). + +**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). + +The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published. + +#### SMBLoris vulnerability + +An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed. + +#### Windows Security Center + +Windows Defender Security Center is now called **Windows Security Center**. + +You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**. + +The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products. 
+ +WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. + +![alt text](../images/defender.png "Windows Security Center") + +#### Group Policy Security Options + +The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. + +A new security policy setting +[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. + +#### Windows 10 in S mode + +We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. 
You can quickly take action on threats from this screen: + +![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") + +## Deployment + +### Windows Autopilot + +[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. + +Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information. + +Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. + +You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). + +#### Windows Autopilot self-deploying mode + +Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. 
+
+This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process.
+
+You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
+
+To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying).
+
+
+#### Autopilot Reset
+
+IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset).
+
+### MBR2GPT.EXE
+
+MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
+
+The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds.
If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
+
+Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
+
+For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
+
+### DISM
+
+The following new DISM commands have been added to manage feature updates:
+
+ DISM /Online /Initiate-OSUninstall
+ – Initiates a OS uninstall to take the computer back to the previous installation of windows.
+ DISM /Online /Remove-OSUninstall
+ – Removes the OS uninstall capability from the computer.
+ DISM /Online /Get-OSUninstallWindow
+ – Displays the number of days after upgrade during which uninstall can be performed.
+ DISM /Online /Set-OSUninstallWindow
+ – Sets the number of days after upgrade during which uninstall can be performed.
+
+For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
+
+### Windows Setup
+
+You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once.
+
+Prerequisites:
+- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later.
+- Windows 10 Enterprise or Pro
+
+For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
+
+It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
+
+ /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]
+
+For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21)
+
+New command-line switches are also available to control BitLocker:
+
+ Setup.exe /BitLocker AlwaysSuspend
+ – Always suspend bitlocker during upgrade.
+ Setup.exe /BitLocker TryKeepActive
+ – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade.
+ Setup.exe /BitLocker ForceKeepActive
+ – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade.
+
+For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33)
+
+### Feature update improvements
+
+Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/).
+
+### SetupDiag
+
+[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed.
+
+SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
+
+## Sign-in
+
+### Faster sign-in to a Windows 10 shared pc
+
+If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash!
+
+**To enable fast sign-in:**
+1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC.
+2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in.
+3. Sign-in to a shared PC with your account. You'll notice the difference!
+
+ ![fast sign-in](../images/fastsignin.png "fast sign-in")
+
+### Web sign-in to Windows 10
+
+Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML).
+
+**To try out web sign-in:**
+1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
+2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in.
+3. On the lock screen, select web sign-in under sign-in options.
+4. Click the “Sign in” button to continue.
+
+![Web sign-in](../images/websignin.png "web sign-in")
+
+## Windows Analytics
+
+### Upgrade Readiness
+
+>[!IMPORTANT]
+>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release.
+
+Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
+
+The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
+
+For more information about Upgrade Readiness, see the following topics:
+
+- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/)
+- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
+
+Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
+
+### Update Compliance
+
+Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
+
+Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
+
+For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor).
+
+New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates.
For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor).
+
+### Device Health
+
+Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
+
+## Accessibility and Privacy
+
+### Accessibility
+
+"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
+
+### Privacy
+
+In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) app.
+
+## Configuration
+
+### Kiosk configuration
+
+Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10. Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release.
+
+If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](https://docs.microsoft.com/windows/configuration/kiosk-methods) with a semi-annual release channel.
+
+### Co-management
+
+Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
+
+For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
+
+### OS uninstall period
+
+The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period.
+
+### Azure Active Directory join in bulk
+
+Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
+
+![get bulk token action in wizard](../images/bulk-token.png)
+
+### Windows Spotlight
+
+The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences:
+
+- **Turn off the Windows Spotlight on Action Center**
+- **Do not use diagnostic data for tailored experiences**
+- **Turn off the Windows Welcome Experience**
+
+[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight)
+
+### Start and taskbar layout
+
+Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise 2019 LTSC adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management).
+
+[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
+
+- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
+- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), 
[**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep)
+- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist).
+
+## Windows Update
+
+### Windows Update for Business
+
+Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune.
For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
+
+The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
+
+
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
+
+WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
+
+Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune.
For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
+
+The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
+
+
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
+
+WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
+
+### Windows Insider for Business
+
+We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD).
By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business).
+
+You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business).
+
+
+### Optimize update delivery
+
+With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
+
+>[!NOTE]
+> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
+
+Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.
+
+Added policies include:
+- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
+- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn)
+- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching)
+- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching)
+- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size)
+
+To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization)
+
+### Uninstalled in-box apps no longer automatically reinstall
+
+Starting with Windows 10 Enterprise 2019 LTSC, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
+
+Additionally, apps de-provisioned by admins on Windows 10 Enterprise 2019 LTSC machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise 2016 LTSC (or earlier) to Windows 10 Enterprise 2019 LTSC.
+
+## Management
+
+### New MDM capabilities
+
+Windows 10 Enterprise 2019 LTSC adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages.
Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
+
+Some of the other new CSPs are:
+
+- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
+
+- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
+
+- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives.
+
+- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections.
+
+- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool.
For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx).
+
+- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
+
+IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents.
+
+[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
+
+MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](https://docs.microsoft.com/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
+
+Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709).
+
+### Mobile application management support for Windows 10
+
+The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise 2019 LTSC.
+
+For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management).
+
+### MDM diagnostics
+
+In Windows 10 Enterprise 2019 LTSC, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
+
+### Application Virtualization for Windows (App-V)
+
+Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise 2019 LTSC introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
+
+For more info, see the following topics:
+- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm)
+- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing)
+- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating)
+- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages)
+
+### Windows diagnostic data
+
+Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level.
+
+- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
+- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703)
+
+### Group Policy spreadsheet
+
+Learn about the new Group Policies that were added in Windows 10 Enterprise 2019 LTSC.
+
+- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250)
+
+### Mixed Reality Apps
+
+This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal.
For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality).
+
+## Networking
+
+### Network stack
+
+Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/).
+
+### Miracast over Infrastructure
+
+In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx).
+
+How it works:
+
+Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+
+Miracast over Infrastructure offers a number of benefits:
+
+- Windows automatically detects when sending the video stream over this path is applicable.
+- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
+- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
+- No changes to current wireless drivers or PC hardware are required.
+- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
+- It leverages an existing connection which both reduces the time to connect and provides a very stable stream.
+
+Enabling Miracast over Infrastructure:
+
+If you have a device that has been updated to Windows 10 Enterprise 2019 LTSC, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
+
+- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise 2019 LTSC, or a later OS.
+- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
+ - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
+ - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
+- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+
+It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. 
+
+## Registry editor improvements
+
+We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word.
+
+![Registry editor dropdown](../images/regeditor.png "Registry editor dropdown")
+
+## Remote Desktop with Biometrics
+
+Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
+
+To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**.
+
+- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials.
+- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN.
+
+See the following example:
+
+![Enter your credentials](../images/RDPwBioTime.png "Windows Hello")
+![Enter your credentials](../images/RDPwBio2.png "Windows Hello personal")
+![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016")
+
+## See Also
+
+[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release.
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index df1f40120d..a1ba0c02f2 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -96,7 +96,7 @@ Windows Defender Application Guard hardens a favorite attacker entry-point by is ### Window Defender Exploit Guard -Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. For more information, see [Windows Defender Exploit Guard](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard). +Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection), [Attack surface reduction protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction), [Controlled folder access](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/controlled-folder-access), and [Network protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/network-protection). ### Windows Defender Device Guard diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 7c41c62396..f74337a7a7 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md 
@@ -178,11 +178,11 @@ Windows Defender Antivirus now shares detection status between M365 services and ### Windows Defender Exploit Guard -Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. [Virtualization-based Security](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303) (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center. +Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. [Virtualization-based Security](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303) (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center. -For more information, see [Reduce attack surfaces with Windows Defender Exploit Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) +For more information, see [Reduce attack surfaces](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction) -### Windows Defender ATP +### Windows Defender ATP [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics: 
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 7bf5f8b3ee..b4e4f4f224 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -67,7 +67,7 @@ This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/clie This feature will soon be enabled on Olympia Corp as an optional feature. -#### Delivering BitLocker policy to AutoPilot devices during OOBE +#### Delivering BitLocker policy to AutoPilot devices during OOBE You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins.
                  MessageDate
                  Take action: SHA-2 code signing support guidance for Windows 7 SP1 and Windows Server 2008 RS2 SP1
                  Windows 7 SP1 and Windows Server 2008 R2 SP1 update signatures are now SHA-2 based signatures and requires that SHA-2 support to be installed. For important customer guidance on installation and troubleshooting tips, please read the knowledge base article 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
                  August 23, 2019
                  03:35 PM PT
                  Take action: Windows 10, version 1703 (the Windows 10 Creators Update) reaches end of life on October 9, 2019
                  The Enterprise and Education editions of Windows 10, version 1703 (the Windows 10 Creators Update) will reach end of life on October 9, 2019. The Home, Pro, Pro for Workstations, and IoT Core editions reached end of service on October 8, 2018.

                  There is no extended support available for any edition of Windows 10, version 1703. Therefore, it will no longer be supported after October 9, 2019 and will not receive monthly security and quality updates containing protections from the latest security threats.

                  To continue receiving security and quality updates, Microsoft recommends that you update your devices to the latest version of Windows 10. For more information on end of service dates and currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
                  August 23, 2019
                  02:17 PM PT
                  Resolved: Delays starting Internet Explorer 11
                  On August 16, 2019 at 7:16 AM a server required for downloading the Internet Explorer 11 (IE11) startup page, went down. As a result of the server outage, IE 11 became unresponsive for some customers who had not yet installed the August 2019 security updates. Customers who had the August 2019 security update installed were not affected. In order to ensure your devices remain in a serviced and secure state, we recommend you install the latest monthly update.

                  This issue was resolved on the server side at 1:00 pm PST. 
                  August 16, 2019
                  04:00 PM PT
                  August 2019 security update now available for Windows 10, version 1903 and all supported versions of Windows
                  The August 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. A “B” release is the primary, regular update event for each month and is the only regular release that contains security fixes. As a result, we recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
                  August 13, 2019
                  10:00 AM PT
                  Advisory: Bluetooth encryption key size vulnerability disclosed (CVE-2019-9506)
                  On August 13, 2019, Microsoft released security updates to address a Bluetooth key length encryption vulnerability. To exploit this vulnerability, an attacker would need specialized hardware and would be limited by the signal range of the Bluetooth devices in use. For more information about this industry-wide issue, see CVE-2019-9506 | Bluetooth Encryption Key Size Vulnerability in the Microsoft Security Update Guide and important guidance for IT pros in KB4514157. (Note: we are documenting this vulnerability together with guidance for IT admins as part of a coordinated industry disclosure effort.)
                  August 13, 2019
                  10:00 AM PT
                  Advisory: Windows Advanced Local Procedure Call Elevation of Privilege vulnerability disclosed (CVE-2019-1162)
                  On August 13, 2019, Google Project Zero (GPZ) disclosed an Elevation of Privilege (EoP) vulnerability in the Windows Collaborative Translation Framework (CTF) service that affects Windows operating systems, versions 8.1 and higher. An attacker must already have code execution on the target system to leverage these vulnerabilities. Microsoft released security updates on August 13, 2019 that partially address this issue. Other items disclosed by GPZ require more time to address and we are working to release a resolution in mid-September. For more information, see CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability
                  August 13, 2019
                  10:00 AM PT
                  Take action: Install required updates for Windows 7 SP1 and Windows Server 2008 RS2 SP1 for SHA-2 code sign support
                  As of August 13, 2019, Windows 7 SP1 and Windows Server 2008 R2 SP1 updates signatures only support SHA-2 code signing. As outlined in 2019 SHA-2 Code Signing Support requirement for Windows and WSUS, we are requiring that SHA-2 code signing support be installed. If you have Windows Update enabled and have applied the security updates released in March 2019 (KB4490628) and August 2019 (KB4474419), you are protected automatically; no further configuration is necessary. If you have not installed the March 2019 updates, you will need to do so in order to continue to receive updates on devices running Windows 7 SP1 and Windows Server 2008 R2 SP1.
                  August 13, 2019
                  10:00 AM PT
                  Advisory: Windows Advanced Local Procedure Call Elevation of Privilege vulnerability disclosed (CVE-2019-1162)
                  On August 13, 2019, Google Project Zero (GPZ) disclosed an Elevation of Privilege (EoP) vulnerability in how Windows handles calls to Advanced Local Procedure Call (ALPC) that affects Windows operating systems, versions 8.1 and higher. An attacker must already have code execution on the target system to leverage these vulnerabilities. Microsoft released security updates on August 13, 2019 that partially address this issue. Other items disclosed by GPZ require more time to address and we are working to release a resolution in mid-September. For more information, see CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability
                  August 13, 2019
                  10:00 AM PT
                  Take action: Windows 10, version 1803 (the April 2018 Update) reaches end of service on November 12, 2019
                  Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019 for Home and Pro editions. We will begin updating devices running Windows 10, version 1803 to Windows 10, version 1903 (the May 2019 Update) starting July 16, 2019 to help ensure that these devices remain in a serviced and secure state. For more information, see the Windows 10, version 1903 section of the Windows release health dashboard.
                  August 13, 2019
                  10:00 AM PT
                  Advisory: Windows Kernel Information Disclosure Vulnerability (CVE-2019-1125)
                  On July 9, 2019, Microsoft released a security update for a Windows kernel information disclosure vulnerability (CVE-2019-1125). Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically; no further configuration is necessary. For more information, see CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability in the Microsoft Security Update Guide. (Note: we are documenting this mitigation publicly today, instead of back in July, as part of a coordinated industry disclosure effort.)
                  August 06, 2019
                  10:00 AM PT
                  Resolved August 1, 2019 16:00 PT: Microsoft Store users may encounter blank screens when clicking on certain buttons
                  Some customers running the version of the Microsoft Store app released on July 29, 2019 encountered a blank screen when selecting “Switch out of S mode,” “Get Genuine,” or some “Upgrade to [version]” OS upgrade options. This issue has now been resolved and a new version of the Microsoft Store app has been released. Users who encountered this issue will need to update the Microsoft Store app on their device. If you are still encountering an issue, please see Fix problems with apps from Microsoft Store.
                  August 01, 2019
                  02:00 PM PT
                  Reminder: Windows 10 update servicing cadence
                  This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
                  • April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
                  • -
                  • May 1, 2019 was an \"optional,\" out of band non-security update (OOB) for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
                  • -
                  • May 3, 2019 was the \"optional\" Windows 10, version 1809 \"C\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \"required\" (instead of \"optional\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
                  • +
                  • May 1, 2019 was an \\\"optional,\\\" out of band non-security update (OOB) for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
                  • +
                  • May 3, 2019 was the \\\"optional\\\" Windows 10, version 1809 \\\"C\\\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \\\"required\\\" (instead of \\\"optional\\\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
                  For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog.
                  May 10, 2019
                  10:00 AM PT