diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index 1f7820db7b..aa032cdf0f 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -302,6 +302,7 @@ Although all new Office 365 Education subscriptions have automatic licensing ena | Disable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false` |

+ ### Enable Azure AD Premium When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. @@ -450,6 +451,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T | Windows PowerShell | This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). |

+ ### Create a source file that contains the user and group accounts After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. @@ -464,6 +466,7 @@ After you have selected your user and group account bulk import method, you’re | Windows PowerShell | Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). |

+ ### Import the user accounts into AD DS With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method. @@ -575,6 +578,7 @@ After you create the Microsoft Store for Business portal, configure it by using | Private store | Allows you to change the organization name used in your Microsoft Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store). |

+ ### Find, acquire, and distribute apps in the portal Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Microsoft Store for Business. @@ -1269,6 +1273,7 @@ Follow the same steps described in the

+ ### Summary Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By performing these maintenance tasks you help ensure that your school stays secure and is configured as you specified. @@ -1278,5 +1283,4 @@ Now, you have identified the tasks you need to perform monthly, at the end of an

  • Try it out: Windows 10 deployment (for educational institutions)
  • Try it out: Windows 10 in the classroom
  • Chromebook migration guide
  • - - + \ No newline at end of file diff --git a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md index 590fce21ac..2500ec0e02 100644 --- a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md +++ b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md @@ -142,7 +142,7 @@ Stop-Website "Microsoft BitLocker Administration and Monitoring" ### Move the Recovery Database from Server A to Server B -Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B. +Use Windows Explorer to move the **MBAM Recovery Database Data.bak** file from Server A to Server B. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md index e6907467fb..3b6a6ab7cf 100644 --- a/store-for-business/acquire-apps-microsoft-store-for-business.md +++ b/store-for-business/acquire-apps-microsoft-store-for-business.md @@ -38,7 +38,7 @@ There are a couple of things we need to know when you pay for apps. You can add ## Allow users to shop **Allow users to shop** controls the shopping experience in Microsoft Store for Education. When this setting is on, **Purchasers** and **Basic Purchasers** can purchase products and services from Microsoft Store for Education. If your school chooses to closely control how purchases are made, admins can turn off **Allow users to shop**. When the setting is off: -- The shopping experience is not availalbe +- The shopping experience is not available - **Purchasers** and **Basic Purchasers** can't purchase products and services from Microsoft Store for Education - Admins can't assign shopping roles to users - Products and services previously purchased by **Basic Purchasers** can be managed by admins. 
diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md index 2655544301..7a5bb503e8 100644 --- a/windows/client-management/mdm/enterpriseapn-ddf.md +++ b/windows/client-management/mdm/enterpriseapn-ddf.md @@ -26,7 +26,7 @@ The content below are the different versions of the DDF for this CSP. - [EnterpriseAPN CSP version 1.1 DDF](#enterpriseapn-csp-version-11-ddf) - [EnterpriseAPN CSP version 1.2 DDF](#enterpriseapn-csp-version-12-ddf) -### EnterpriseAPN CSP version 1.0 DDF +### EnterpriseAPN CSP version 1.0 DDF ``` syntax @@ -314,7 +314,7 @@ The content below are the different versions of the DDF for this CSP. ``` -### EnterpriseAPN CSP version 1.1 DDF +### EnterpriseAPN CSP version 1.1 DDF ``` syntax @@ -739,7 +739,7 @@ The content below are the different versions of the DDF for this CSP. ``` -### EnterpriseAPN CSP version 1.2 DDF +### EnterpriseAPN CSP version 1.2 DDF ``` syntax diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 08bae9914c..298e6e88d2 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md 
@@ -255,7 +255,7 @@ All Windows 10-based devices can be connected to an MDM. You can connect to an ![phone settings](images/unifiedenrollment-rs1-39.png) -3. Click the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link). +3. Click the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows10-based-device-to-work-using-a-deep-link). ![access work or school page](images/unifiedenrollment-rs1-40.png) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 0f9b975e5d..d397680a0c 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md 
@@ -33,7 +33,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - **Breaking changes and known issues** - [Get command inside an atomic command is not supported](#get-command-inside-an-atomic-command-is-not-supported) - - [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#notification-channel-uri-not-preserved-during-upgrade-from-windows-81-to-windows-10) + - [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#notification-channel-uri-not-preserved-during-upgrade-from-windows81-to-windows10) - [Apps installed using WMI classes are not removed](#apps-installed-using-wmi-classes-are-not-removed) - [Passing CDATA in SyncML does not work](#passing-cdata-in-syncml-does-not-work) - [SSL settings in IIS server for SCEP must be set to "Ignore"](#ssl-settings-in-iis-server-for-scep-must-be-set-to-ignore) 
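Review bot: the fragment for the "Notification channel URI not preserved during upgrade" entry now ends in `windows81-to-windows10`, but this hunk changes only the link, not the heading it targets. The new spelling is correct only if the heading's slug is generated without hyphens around the version numbers, so please confirm the link in a build preview, or give the heading an explicit anchor so the table of contents does not depend on how the slug is generated.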
@@ -43,15 +43,15 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [Version information for mobile devices](#version-information-for-mobile-devices) - [Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues](#upgrading-windows-phone-81-devices-with-app-whitelisting-using-applicationrestriction-policy-has-issues) - [Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218](#apps-dependent-on-microsoft-frameworks-may-get-blocked-in-phones-prior-to-build-10586218) - - [Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile](#multiple-certificates-might-cause-wi-fi-connection-instabilities-in-windows-10-mobile) + - [Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile](#mcmcwfciw10mobile) - [Remote PIN reset not supported in Azure Active Directory joined mobile devices](#remote-pin-reset-not-supported-in-azure-active-directory-joined-mobile-devices) - [MDM client will immediately check-in with the MDM server after client renews WNS channel URI](#mdm-client-will-immediately-check-in-with-the-mdm-server-after-client-renews-wns-channel-uri) - - [User provisioning failure in Azure Active Directory joined Windows 10 PC](#user-provisioning-failure-in-azure-active-directory-joined-windows-10-pc) + - [User provisioning failure in Azure Active Directory joined Windows 10 PC](#user-provisioning-failure-in-azure-active-directory-joined-windows10-pc) - [Requirements to note for VPN certificates also used for Kerberos Authentication](#requirements-to-note-for-vpn-certificates-also-used-for-kerberos-authentication) - [Device management agent for the push-button reset is not working](#device-management-agent-for-the-push-button-reset-is-not-working) - **Frequently Asked Questions** - - [Can there be more than 1 MDM server to enroll and manage devices in Windows 
10?](#can-there-be-more-than-1-mdm-server-to-enroll-and-manage-devices-in-windows-10) + - [Can there be more than 1 MDM server to enroll and manage devices in Windows 10?](#ctbmt1mdmsteamdiw10) - [How do I set the maximum number of Azure Active Directory joined devices per user?](#how-do-i-set-the-maximum-number-of-azure-active-directory-joined-devices-per-user) - [What is dmwappushsvc?](#what-is-dmwappushsvc) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index aba19d4c12..05e9f8b8a0 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -738,7 +738,7 @@ The following diagram shows the Policy configuration service provider in tree fo
    - Cryptography/AllowFipsAlgorithmPolicy + Cryptography/AllowFipsAlgorithmPolicy
    Cryptography/TLSCipherSuites diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index a1ba855654..85d8f6acdc 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -83,12 +83,17 @@ The following list shows the supported values:
    +> [!NOTE] +> To manage encryption of PCs and devices, use [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) + Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 4dd0e68d3c..1921989b07 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -19,14 +19,23 @@ manager: dansimp ## Cryptography policies +<<<<<<< HEAD +* [Cryptography/AllowFipsAlgorithmPolicy](#CryptographyAllowFipsAlgorithmPolicy) +* [Cryptography/TLSCipherSuites](#CryptographyTLSCipherSuites) +======= * [Cryptography/AllowFipsAlgorithmPolicy](#cryptographyallowfipsalgorithmpolicy) * [Cryptography/TLSCipherSuites](#cryptographytlsciphersuites) +>>>>>>> master * [Cryptography/Microsoft Surface Hub](#cryptography-policies-supported-by-microsoft-surface-hub)
    +<<<<<<< HEAD +## Cryptography/AllowFipsAlgorithmPolicy +======= ## Cryptography/AllowFipsAlgorithmPolicy +>>>>>>> master @@ -68,7 +77,11 @@ The following list shows the supported values: +<<<<<<< HEAD +## Cryptography/TLSCipherSuites +======= ## Cryptography/TLSCipherSuites +>>>>>>> master |Home|Pro|Business |Enterprise |Education |Mobile |Mobile Enterprise | @@ -105,8 +118,8 @@ Footnote: ## Cryptography policies supported by Microsoft Surface Hub -- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy) -- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites) +- [Cryptography/AllowFipsAlgorithmPolicy](#CryptographyAllowFipsAlgorithmPolicy) +- [Cryptography/TLSCipherSuites](#CryptographyTLSCipherSuites) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index b74019c352..2f36d9f2b4 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -2638,6 +2638,9 @@ GP Info: **LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon** +> [!Warning] +> Starting with Windows 10 version 1803, this policy is deprecated. + diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index 33cf15dabb..b08ebebd2c 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md 
@@ -31,59 +31,59 @@ Here’s an example to set AssignedAccess configuration: 3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. 4. Execute the following script: -```ps +```xml $nameSpaceName="root\cimv2\mdm\dmmap" $className="MDM_AssignedAccess" $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className $obj.Configuration = @" -<?xml version="1.0" encoding="utf-8" ?> -<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"> - <Profiles> - <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"> - <AllAppsList> - <AllowedApps> - <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - <App DesktopAppPath="%windir%\system32\mspaint.exe" /> - <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> - </AllowedApps> - </AllAppsList> - <StartLayout> - <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> - <LayoutOptions StartTileGroupCellWidth="6" /> - <DefaultLayoutOverride> - <StartLayoutCollection> - <defaultlayout:StartLayout GroupCellWidth="6"> - <start:Group Name="Group1"> - <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <start:Tile Size="2x2" Column="4" Row="4" 
AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - </start:Group> - <start:Group Name="Group2"> - <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" /> - <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" /> - </start:Group> - </defaultlayout:StartLayout> - </StartLayoutCollection> - </DefaultLayoutOverride> - </LayoutModificationTemplate> - ]]> - </StartLayout> - <Taskbar ShowTaskbar="true"/> - </Profile> - </Profiles> - <Configs> - <Config> - <Account>MultiAppKioskUser</Account> - <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> - </Config> - </Configs> -</AssignedAccessConfiguration> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + MultiAppKioskUser + + + + "@ Set-CimInstance -CimInstance $obj diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md index 6324c8cddc..38d6cdbf27 100644 --- a/windows/configuration/ue-v/uev-getting-started.md +++ b/windows/configuration/ue-v/uev-getting-started.md 
@@ -31,7 +31,7 @@ The standard installation of UE-V synchronizes the default Microsoft Windows and - [Step 2: Deploy the settings storage location](#step-2-deploy-the-settings-storage-location). Explains how to deploy a settings storage location. All UE-V deployments require a location to store settings packages that contain the synchronized setting values. -- [Step 3: Enable and configure the UE-V service](#step-3-enable-the-ue-v-service-on-user-devices). Explains how to enable to UE-V service on user devices and configure the storage path. To synchronize settings using UE-V, devices must have the UE-V service enabled and running. +- [Step 3: Enable and configure the UE-V service](#step-3-enable-and-configure-the-ue-v-service-on-user-devices). Explains how to enable to UE-V service on user devices and configure the storage path. To synchronize settings using UE-V, devices must have the UE-V service enabled and running. - [Step 4: Test Your UE-V evaluation deployment](#step-4-test-your-ue-v-evaluation-deployment). Run a few tests on two computers with the UE-V service enabled to see how UE-V works and if it meets your organization’s needs. diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md index 6d8716bc7c..d18a727658 100644 --- a/windows/configuration/wcd/wcd-hotspot.md +++ b/windows/configuration/wcd/wcd-hotspot.md 
@@ -15,5 +15,4 @@ manager: dansimp # HotSpot (Windows Configuration Designer reference) -Do not use. Enterprise admins who want to configure settings for mobile hotspots should use [Policies > Wifi](#wcd-policies.md#wifi). Mobile operators should use the [Country and Operator Settings Asset (COSA) format](https://docs.microsoft.com/windows-hardware/drivers/mobilebroadband/cosa-overview). - +Do not use. Enterprise admins who want to configure settings for mobile hotspots should use [Policies > Wifi](wcd-policies.md#wifi). Mobile operators should use the [Country and Operator Settings Asset (COSA) format](https://docs.microsoft.com/windows-hardware/drivers/mobilebroadband/cosa-overview). \ No newline at end of file diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md index a155145546..f3cf3adf07 100644 --- a/windows/deployment/update/feature-update-mission-critical.md +++ b/windows/deployment/update/feature-update-mission-critical.md 
@@ -29,7 +29,7 @@ Devices and shared workstations that are online and available 24 hours a day, 7 You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: -- **LTSC feature updates.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. +- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. - **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. - **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 0837197376..1bfb00bab7 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md 
@@ -145,7 +145,7 @@ See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). ## Deploy Windows 10 Enterprise features -Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows-10-pro-and-enterprise-editions)? +Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)? The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features. diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml index ce1f513a1a..aa758b2848 100644 --- a/windows/release-information/status-windows-10-1507.yml +++ b/windows/release-information/status-windows-10-1507.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    +
    SummaryOriginating updateStatusLast updated
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 10240.18244

    June 11, 2019
    KB4503291
    Investigating
    June 12, 2019
    11:17 AM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

    See details >
    OS Build 10240.18094

    January 08, 2019
    KB4480962
    Mitigated
    April 25, 2019
    02:00 PM PT
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >
    OS Build 10240.18215

    May 14, 2019
    KB4499154
    Resolved
    KB4505051
    May 19, 2019
    02:00 PM PT
    @@ -72,6 +73,15 @@ sections:
    " +- title: June 2019 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Event Viewer may close or you may receive an error when using Custom Views
    You may receive an error and the app may stop responding or close when trying to expand, view or create Custom Views in Event Viewer. You may also receive an error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 10240.18244

    June 11, 2019
    KB4503291
    Investigating
    Last updated:
    June 12, 2019
    11:17 AM PT

    Opened:
    June 12, 2019
    11:11 AM PT
    + " + - title: May 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index 28aefbeb37..7d54d3e1eb 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + @@ -87,6 +88,7 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusLast updated
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 14393.3025

    June 11, 2019
    KB4503267
    Investigating
    June 12, 2019
    11:17 AM PT
    Some applications may fail to run as expected on clients of AD FS 2016
    Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)

    See details >
    OS Build 14393.2941

    April 25, 2019
    KB4493473
    Mitigated
    June 07, 2019
    04:25 PM PT
    Devices running Windows Server 2016 with Hyper-V seeing Bitlocker error 0xC0210000
    Some devices running Windows Server with Hyper-V enabled may start into Bitlocker recovery with error 0xC0210000

    See details >
    OS Build 14393.2969

    May 14, 2019
    KB4494440
    Mitigated
    May 23, 2019
    09:57 AM PT
    Cluster service may fail if the minimum password length is set to greater than 14
    The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.

    See details >
    OS Build 14393.2639

    November 27, 2018
    KB4467684
    Mitigated
    April 25, 2019
    02:00 PM PT
    +
    DetailsOriginating updateStatusHistory
    Event Viewer may close or you may receive an error when using Custom Views
    You may receive an error and the app may stop responding or close when trying to expand, view or create Custom Views in Event Viewer. You may also receive an error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 14393.3025

    June 11, 2019
    KB4503267
    Investigating
    Last updated:
    June 12, 2019
    11:17 AM PT

    Opened:
    June 12, 2019
    11:11 AM PT
    Some applications may fail to run as expected on clients of AD FS 2016
    Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of KB4493473 on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.

    Affected platforms:
    • Server: Windows Server 2016
    Workaround: You can use the Allow-From value of the header if the IFRAME is only accessing pages from a single-origin URL. On the affected server, open a PowerShell window as an administrator and run the following command: set-AdfsResponseHeaders -SetHeaderName X-Frame-Options -SetHeaderValue \"allow-from https://example.com\"

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 14393.2941

    April 25, 2019
    KB4493473
    Mitigated
    Last updated:
    June 07, 2019
    04:25 PM PT

    Opened:
    June 04, 2019
    05:55 PM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4503267.

    Back to top
    OS Build 14393.2999

    May 23, 2019
    KB4499177
    Resolved
    KB4503267
    Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    June 05, 2019
    05:49 PM PT
    diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml index 7f3a342f47..58ab37e1f1 100644 --- a/windows/release-information/status-windows-10-1703.yml +++ b/windows/release-information/status-windows-10-1703.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + @@ -79,6 +80,7 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusLast updated
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 15063.1868

    June 11, 2019
    KB4503279
    Investigating
    June 12, 2019
    11:17 AM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

    See details >
    OS Build 15063.1563

    January 08, 2019
    KB4480973
    Mitigated
    April 25, 2019
    02:00 PM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    See details >
    OS Build 15063.1839

    May 28, 2019
    KB4499162
    Resolved
    KB4503279
    June 11, 2019
    10:00 AM PT
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >
    OS Build 15063.1805

    May 14, 2019
    KB4499181
    Resolved
    KB4505055
    May 19, 2019
    02:00 PM PT
    +
    DetailsOriginating updateStatusHistory
    Event Viewer may close or you may receive an error when using Custom Views
    You may receive an error and the app may stop responding or close when trying to expand, view or create Custom Views in Event Viewer. You may also receive an error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 15063.1868

    June 11, 2019
    KB4503279
    Investigating
    Last updated:
    June 12, 2019
    11:17 AM PT

    Opened:
    June 12, 2019
    11:11 AM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4503279.

    Back to top
    OS Build 15063.1839

    May 28, 2019
    KB4499162
    Resolved
    KB4503279
    Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    June 05, 2019
    05:49 PM PT
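Review bot: In the added Event Viewer details row, the last two sentences of the description pull against each other: "You may also receive an error using Filter Current Log in the Action menu with built-in views or logs" is followed directly by "Built-in views and other features of Event Viewer should work as expected." Suggest rewording the second sentence to state exactly which operations on built-in views still work, so administrators who depend on filtered views for log review know what they can fall back on while the status is Investigating. The same row is added to the other status files in this patch, so the wording fix applies to each of them.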
    " diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index 378cc71da1..1686aebdb7 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + @@ -80,6 +81,7 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusLast updated
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 16299.1217

    June 11, 2019
    KB4503284
    Investigating
    June 12, 2019
    11:17 AM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

    See details >
    OS Build 16299.904

    January 08, 2019
    KB4480978
    Mitigated
    April 25, 2019
    02:00 PM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    See details >
    OS Build 16299.1182

    May 28, 2019
    KB4499147
    Resolved
    KB4503284
    June 11, 2019
    10:00 AM PT
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >
    OS Build 16299.1143

    May 14, 2019
    KB4498946
    Resolved
    KB4505062
    May 19, 2019
    02:00 PM PT
    +
    DetailsOriginating updateStatusHistory
    Event Viewer may close or you may receive an error when using Custom Views
    You may receive an error and the app may stop responding or close when trying to expand, view or create Custom Views in Event Viewer. You may also receive an error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 16299.1217

    June 11, 2019
    KB4503284
    Investigating
    Last updated:
    June 12, 2019
    11:17 AM PT

    Opened:
    June 12, 2019
    11:11 AM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4503284.

    Back to top
    OS Build 16299.1182

    May 28, 2019
    KB4499147
    Resolved
    KB4503284
    Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    June 05, 2019
    05:49 PM PT
    " diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index 69ffbe452f..617981f0f7 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + @@ -81,6 +82,7 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusLast updated
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 17134.829

    June 11, 2019
    KB4503286
    Investigating
    June 12, 2019
    11:17 AM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

    See details >
    OS Build 17134.523

    January 08, 2019
    KB4480966
    Mitigated
    April 25, 2019
    02:00 PM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    See details >
    OS Build 17134.799

    May 21, 2019
    KB4499183
    Resolved
    KB4503286
    June 11, 2019
    10:00 AM PT
    Issue using PXE to start a device from WDS
    Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.

    See details >
    OS Build 17134.648

    March 12, 2019
    KB4489868
    Resolved
    KB4503286
    June 11, 2019
    10:00 AM PT
    +
    DetailsOriginating updateStatusHistory
    Event Viewer may close or you may receive an error when using Custom Views
    You may receive an error and the app may stop responding or close when trying to expand, view or create Custom Views in Event Viewer. You may also receive an error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 17134.829

    June 11, 2019
    KB4503286
    Investigating
    Last updated:
    June 12, 2019
    11:17 AM PT

    Opened:
    June 12, 2019
    11:11 AM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4503286.

    Back to top
    OS Build 17134.799

    May 21, 2019
    KB4499183
    Resolved
    KB4503286
    Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    June 05, 2019
    05:49 PM PT
    " diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index 4ddd5019f9..4f37eece33 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -65,6 +65,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + @@ -90,6 +91,7 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusLast updated
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 17763.557

    June 11, 2019
    KB4503327
    Investigating
    June 12, 2019
    11:17 AM PT
    Devices with some Asian language packs installed may receive an error
    After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F

    See details >
    OS Build 17763.437

    April 09, 2019
    KB4493509
    Mitigated
    May 03, 2019
    10:59 AM PT
    Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
    Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive an error.

    See details >
    OS Build 17763.379

    March 12, 2019
    KB4489899
    Mitigated
    May 02, 2019
    04:47 PM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

    See details >
    OS Build 17763.253

    January 08, 2019
    KB4480116
    Mitigated
    April 09, 2019
    10:00 AM PT
    +
    DetailsOriginating updateStatusHistory
    Event Viewer may close or you may receive an error when using Custom Views
    You may receive an error and the app may stop responding or close when trying to expand, view or create Custom Views in Event Viewer. You may also receive an error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 17763.557

    June 11, 2019
    KB4503327
    Investigating
    Last updated:
    June 12, 2019
    11:17 AM PT

    Opened:
    June 12, 2019
    11:11 AM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4503327.

    Back to top
    OS Build 17763.529

    May 21, 2019
    KB4497934
    Resolved
    KB4503327
    Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    June 05, 2019
    05:49 PM PT
    " diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index 0c64ca5a1d..fcd033412c 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -65,6 +65,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + @@ -89,6 +90,15 @@ sections:
    " +- title: June 2019 +- items: + - type: markdown + text: " +
    SummaryOriginating updateStatusLast updated
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 18362.175

    June 11, 2019
    KB4503293
    Investigating
    June 12, 2019
    11:17 AM PT
    Windows Sandbox may fail to start with error code “0x80070002”
    Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates

    See details >
    OS Build 18362.116

    May 20, 2019
    KB4505057
    Investigating
    June 10, 2019
    06:06 PM PT
    Loss of functionality in Dynabook Smartphone Link app
    After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.

    See details >
    OS Build 18362.116

    May 20, 2019
    KB4505057
    Investigating
    May 24, 2019
    03:10 PM PT
    Display brightness may not respond to adjustments
    Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Investigating
    May 21, 2019
    04:47 PM PT
    + +
    DetailsOriginating updateStatusHistory
    Event Viewer may close or you may receive an error when using Custom Views
    You may receive an error and the app may stop responding or close when trying to expand, view or create Custom Views in Event Viewer. You may also receive an error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 18362.175

    June 11, 2019
    KB4503293
    Investigating
    Last updated:
    June 12, 2019
    11:17 AM PT

    Opened:
    June 12, 2019
    11:11 AM PT
    + " + - title: May 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index aae03cfacf..4ba643273d 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + @@ -82,6 +83,7 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusLast updated
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    June 11, 2019
    KB4503292
    Investigating
    June 12, 2019
    11:17 AM PT
    IE11 may stop working when loading or interacting with Power BI reports
    Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working

    See details >
    May 14, 2019
    KB4499164
    Mitigated
    June 07, 2019
    02:57 PM PT
    System may be unresponsive after restart with certain McAfee antivirus products
    Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

    See details >
    April 09, 2019
    KB4493472
    Mitigated
    April 25, 2019
    02:00 PM PT
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >
    May 14, 2019
    KB4499164
    Resolved
    KB4505050
    May 18, 2019
    02:00 PM PT
    +
    DetailsOriginating updateStatusHistory
    Event Viewer may close or you may receive an error when using Custom Views
    You may receive an error and the app may stop responding or close when trying to expand, view or create Custom Views in Event Viewer. You may also receive an error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    June 11, 2019
    KB4503292
    Investigating
    Last updated:
    June 12, 2019
    11:17 AM PT

    Opened:
    June 12, 2019
    11:11 AM PT
    IE11 may stop working when loading or interacting with Power BI reports
    Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.


    Affected platforms:
    • Client: Windows 7 SP1; Windows 8.1
    • Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2

    Workaround: To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.

    Next steps: We are working on a resolution and estimate a solution will be available in mid-July.

    Back to top
    May 14, 2019
    KB4499164
    Mitigated
    Last updated:
    June 07, 2019
    02:57 PM PT

    Opened:
    June 07, 2019
    02:57 PM PT
    " diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index c57eb16042..fbdca4aa80 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + @@ -85,6 +86,7 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusLast updated
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    June 11, 2019
    KB4503276
    Investigating
    June 12, 2019
    11:17 AM PT
    IE11 may stop working when loading or interacting with Power BI reports
    Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working

    See details >
    May 14, 2019
    KB4499151
    Mitigated
    June 07, 2019
    02:57 PM PT
    Japanese IME doesn't show the new Japanese Era name as a text input option
    If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.

    See details >
    April 25, 2019
    KB4493443
    Mitigated
    May 15, 2019
    05:53 PM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

    See details >
    January 08, 2019
    KB4480963
    Mitigated
    April 25, 2019
    02:00 PM PT
    +
    DetailsOriginating updateStatusHistory
    Event Viewer may close or you may receive an error when using Custom Views
    You may receive an error and the app may stop responding or close when trying to expand, view or create Custom Views in Event Viewer. You may also receive an error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    June 11, 2019
    KB4503276
    Investigating
    Last updated:
    June 12, 2019
    11:17 AM PT

    Opened:
    June 12, 2019
    11:11 AM PT
    IE11 may stop working when loading or interacting with Power BI reports
    Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.


    Affected platforms:
    • Client: Windows 7 SP1; Windows 8.1
    • Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2

    Workaround: To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.

    Next steps: We are working on a resolution and estimate a solution will be available in mid-July.

    Back to top
    May 14, 2019
    KB4499151
    Mitigated
    Last updated:
    June 07, 2019
    02:57 PM PT

    Opened:
    June 07, 2019
    02:57 PM PT
    " diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml index a38199a095..5fbac87a3d 100644 --- a/windows/release-information/status-windows-server-2008-sp2.yml +++ b/windows/release-information/status-windows-server-2008-sp2.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + @@ -73,6 +74,15 @@ sections:
    " +- title: June 2019 +- items: + - type: markdown + text: " +
    SummaryOriginating updateStatusLast updated
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    June 11, 2019
    KB4503273
    Investigating
    June 12, 2019
    11:17 AM PT
    System unresponsive after restart if Sophos Endpoint Protection installed
    Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

    See details >
    April 09, 2019
    KB4493471
    Resolved
    May 14, 2019
    01:21 PM PT
    System may be unresponsive after restart if Avira antivirus software installed
    Devices with Avira antivirus software installed may become unresponsive upon restart.

    See details >
    April 09, 2019
    KB4493471
    Resolved
    May 14, 2019
    01:19 PM PT
    Authentication may fail for services after the Kerberos ticket expires
    Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.

    See details >
    March 12, 2019
    KB4489880
    Resolved
    KB4499149
    May 14, 2019
    10:00 AM PT
    + +
    DetailsOriginating updateStatusHistory
    Event Viewer may close or you may receive an error when using Custom Views
    You may receive an error and the app may stop responding or close when trying to expand, view or create Custom Views in Event Viewer. You may also receive an error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    June 11, 2019
    KB4503273
    Investigating
    Last updated:
    June 12, 2019
    11:17 AM PT

    Opened:
    June 12, 2019
    11:11 AM PT
    + " + - title: April 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml index 4b03573e5d..6a351a9f49 100644 --- a/windows/release-information/status-windows-server-2012.yml +++ b/windows/release-information/status-windows-server-2012.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + @@ -83,6 +84,7 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusLast updated
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    June 11, 2019
    KB4503285
    Investigating
    June 12, 2019
    11:17 AM PT
    IE11 may stop working when loading or interacting with Power BI reports
    Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working

    See details >
    May 14, 2019
    KB4499171
    Mitigated
    June 07, 2019
    02:57 PM PT
    Japanese IME doesn't show the new Japanese Era name as a text input option
    If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.

    See details >
    April 25, 2019
    KB4493462
    Mitigated
    May 15, 2019
    05:53 PM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

    See details >
    January 08, 2019
    KB4480975
    Mitigated
    April 25, 2019
    02:00 PM PT
    +
    DetailsOriginating updateStatusHistory
    Event Viewer may close or you may receive an error when using Custom Views
    You may receive an error and the app may stop responding or close when trying to expand, view or create Custom Views in Event Viewer. You may also receive an error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    June 11, 2019
    KB4503285
    Investigating
    Last updated:
    June 12, 2019
    11:17 AM PT

    Opened:
    June 12, 2019
    11:11 AM PT
    IE11 may stop working when loading or interacting with Power BI reports
    Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.


    Affected platforms:
    • Client: Windows 7 SP1; Windows 8.1
    • Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2

    Workaround: To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.

    Next steps: We are working on a resolution and estimate a solution will be available in mid-July.

    Back to top
    May 14, 2019
    KB4499171
    Mitigated
    Last updated:
    June 07, 2019
    02:57 PM PT

    Opened:
    June 07, 2019
    02:57 PM PT
    " diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index f7a788e6f8..1bd0ee3c7b 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md 
@@ -117,6 +117,74 @@ When enabling the Guest account, only grant limited rights and permissions. For In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user. +## HelpAssistant account (installed with a Remote Assistance session) + + +The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending. + +HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user’s invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. + +**Security considerations** + +The SIDs that pertain to the default HelpAssistant account include: + +- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services. + +- SID: S-1-5-<domain>-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. 
Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. + +For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used. + +For details about the HelpAssistant account attributes, see the following table. + +**HelpAssistant account attributes** + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    AttributeValue

    Well-Known SID/RID

    S-1-5-<domain>-13 (Terminal Server User), S-1-5-<domain>-14 (Remote Interactive Logon)

    Type

    User

    Default container

    CN=Users, DC=<domain>, DC=

    Default members

    None

    Default member of

    Domain Guests

    +

    Guests

    Protected by ADMINSDHOLDER?

    No

    Safe to move out of default container?

    Can be moved out, but we do not recommend it.

    Safe to delegate management of this group to non-Service admins?

    No

    ### DefaultAccount diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 8713d91370..978d72142a 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -83,7 +83,7 @@ The special identity groups are described in the following tables: - [This Organization](#this-organization) -- [Window Manager\\Window Manager Group](#window-manager-window-manager-group) +- [Window Manager\\Window Manager Group](#window-managerwindow-manager-group) ## Anonymous Logon diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 3d74e8a3b3..8d6b7d474a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md 
@@ -151,7 +151,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva ### Windows Server 2012 or later Domain Controllers -Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section. +Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section. Sign-in the federation server with _domain administrator_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md index c4ffbeb3a0..58616c9d65 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md @@ -27,9 +27,6 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning [Hybrid Azure AD joined in Managed environments](#hybrid-azure-ad-joined-in-managed-environments)
    [Hybrid Azure AD joined in Federated environments](#hybrid-azure-ad-joined-in-federated-environments)
    - - - ## Azure AD joined in Managed environments ![Azure AD joined in Managed environments](images/howitworks/devreg-aadj-managed.png) @@ -44,7 +41,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning |G | The application sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client.| |H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the process continues with MDM enrollment.| -[Return to top](#Windows-Hello-for-Business-and-Device-Registration) +[Return to top](#windows-hello-for-business-and-device-registration) ## Azure AD joined in Federated environments ![Azure AD joined in Managed environments](images/howitworks/devreg-aadj-federated.png) 
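Review bot: In the trailing context of the `@@ -44,7 +41,7 @@` hunk, the image under `## Azure AD joined in Federated environments` still carries the alt text "Azure AD joined in Managed environments" although it points at devreg-aadj-federated.png. Since this pass already touches the "Return to top" line directly above it, change the alt text to "Azure AD joined in Federated environments" in the same commit so that screen readers and broken-image fallbacks describe the right diagram.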
@@ -60,7 +57,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning |H | The application sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client.| |I | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the process continues with MDM enrollment.| -[Return to top](#Windows-Hello-for-Business-and-Device-Registration) +[Return to top](#windows-hello-for-business-and-device-registration) ## Hybrid Azure AD joined in Managed environments ![Hybrid Azure AD joined in Managed environments](images/howitworks/devreg-hybrid-haadj-managed.png) 
@@ -75,7 +72,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning |G | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then updates the device object in Azure Active Directory and sends the device ID and the device certificate to the client.| |H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.| -[Return to top](#Windows-Hello-for-Business-and-Device-Registration) +[Return to top](#windows-hello-for-business-and-device-registration) ## Hybrid Azure AD joined in Federated environments ![Hybrid Azure AD joined in Managed environments](images/howitworks/devreg-hybrid-haadj-federated.png) 
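Review bot: The heading `## Hybrid Azure AD joined in Federated environments` at the end of this hunk is followed by an image whose alt text reads "Hybrid Azure AD joined in Managed environments" while the file is devreg-hybrid-haadj-federated.png. Correct the alt text alongside the anchor fix.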
@@ -89,4 +86,4 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning |F | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client. Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.| |G | If Azure AD Connect device write-back is enabled, Azure AD Connect requests updates from Azure Active Directory at its next synchronization cycle (device write-back is required for hybrid deployment using certificate trust). Azure Active Directory correlates the device object with a matching synchronized computer object. Azure AD Connect receives the device object that includes the object GUID and computer SID and writes the device object to Active Directory.| -[Return to top](#Windows-Hello-for-Business-and-Device-Registration) +[Return to top](#windows-hello-for-business-and-device-registration) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md index ca78d68e98..ef7fb31fff 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md 
@@ -22,9 +22,9 @@ ms.reviewer: - Windows 10 Windows Hello for Business authentication works through collection of components and infrastructure working together. You can group the infrastructure and components in three categories: -- [Registration](#Registration) -- [Provisioning](#Provisioning) -- [Authentication](#Authentication) +- [Registration](#registration) +- [Provisioning](#provisioning) +- [Authentication](#authentication) ## Registration diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index fbb7791800..24f1ffb00b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -90,7 +90,7 @@ Steps you will perform include: - [Configure Internet Information Services to host CRL distribution point](#configure-internet-information-services-to-host-crl-distribution-point) - [Prepare a file share to host the certificate revocation list](#prepare-a-file-share-to-host-the-certificate-revocation-list) -- [Configure the new CRL distribution point in the issuing certificate authority](#Configure-the-new-crl-distribution-point-in-the-issuing-certificate-authority) +- [Configure the new CRL distribution point and Publishing location in the issuing certificate authority](#configure-the-new-crl-distribution-point-and-publishing-location-in-the-issuing-certificate-authority) - [Publish CRL](#publish-a-new-crl) - [Reissue domain controller certificates](#reissue-domain-controller-certificates) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index b826287e64..c8c3fee1a5 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -29,14 +29,14 @@ Windows Hello for Business involves configuring distributed technologies that ma * [Active Directory](#active-directory) * [Public Key Infrastructure](#public-key-infrastructure) * [Azure Active Directory](#azure-active-directory) -* [Active Directory Federation Services](#active-directory-federation-services) +* [Multifactor Authentication Services](#multifactor-authentication-services) New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) section to prepare your Windows Hello for Business deployment by configuring directory synchronization. The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. -## Active Directory ## +## Active Directory This document expects you have Active Directory deployed with an _adequate_ number of Windows Server 2016 domain controllers for each site. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal. 
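Review bot: The unchanged paragraph in this hunk says the baseline supports "your hybrid certificate trust Windows Hello for Business deployment", but the file is hello-hybrid-key-new-install.md and the same sentence links to hello-hybrid-key-trust-dirsync.md, so it should read "hybrid key trust". The bullet change is also more than an anchor fix: it replaces the "Active Directory Federation Services" entry with "Multifactor Authentication Services", which deserves a mention in the commit message so that reviewers do not read it as a pure link repair.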
@@ -83,7 +83,7 @@ If you do not have an existing public key infrastructure, please review [Certifi > * Install the root certificate authority certificate for your organization in the user's trusted root certificate store. > * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based URL. -### Section Review ### +### Section Review > [!div class="checklist"] > * Minimum Windows Server 2012 Certificate Authority. @@ -92,7 +92,7 @@ If you do not have an existing public key infrastructure, please review [Certifi > * Root certificate authority certificate (Azure AD Joined devices). > * Highly available certificate revocation list (Azure AD Joined devices). -## Azure Active Directory ## +## Azure Active Directory You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities. The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization. 
@@ -104,12 +104,13 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h > * Create an Azure Active Directory Tenant. > * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary. -## Multifactor Authentication Services ## +## Multifactor Authentication Services Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA or a third-party MFA adapter Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. -### Azure Multi-Factor Authentication (MFA) Cloud ### +### Azure Multi-Factor Authentication (MFA) Cloud + > [!IMPORTANT] > As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: > * Azure Multi-Factor Authentication 
@@ -118,16 +119,16 @@ Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.co > > If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section. -#### Azure MFA Provider #### +#### Azure MFA Provider If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant. -#### Configure Azure MFA Settings #### +#### Configure Azure MFA Settings Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. -#### Azure MFA User States #### +#### Azure MFA User States After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. -### Azure MFA via ADFS ### +### Azure MFA via ADFS Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section. ### Section Review 
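Review bot: The rewritten heading `### Azure MFA via ADFS` keeps the spelling "ADFS" while the paragraph directly under it and the linked topic title use "AD FS"; align the heading while its line is being touched, and update any links to its anchor. The context sentence under `#### Azure MFA User States` ("you want to review configure [User States]") also has a leftover word and should be reduced to "review [User States]".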
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 07bcd4e0ba..1573d9e947 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -28,13 +28,14 @@ Hybrid environments are distributed systems that enable organizations to use on- The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastructure](#public-key-infastructure) +* [Public Key Infrastructure](#public-key-infrastructure) * [Directory Synchronization](#directory-synchronization) -* [Federation](#federation) +* [Federation](#federation-with-azure) * [MultiFactor Authentication](#multifactor-authentication) * [Device Registration](#device-registration) -## Directories ## +## Directories + Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. 
@@ -43,7 +44,7 @@ You can deploy Windows Hello for Business in any environment with Windows Server Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. -### Section Review ### +### Section Review > [!div class="checklist"] > * Active Directory Domain Functional Level @@ -54,7 +55,7 @@ Review these requirements and those from the Windows Hello for Business planning
    -## Public Key Infrastructure ## +## Public Key Infrastructure The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller. Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object. @@ -83,7 +84,8 @@ The minimum required enterprise certificate authority that can be used with Wind
    -## Directory Synchronization ## +## Directory Synchronization + The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect. @@ -96,17 +98,20 @@ Organizations using older directory synchronization technology, such as DirSync
    -## Federation with Azure ## +## Federation with Azure + You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2. -### Section Review ### +### Section Review + > [!div class="checklist"] > * Non-federated environments > * Federated environments
    -## Multifactor Authentication ## +## Multifactor Authentication + Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD. @@ -119,17 +124,20 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth
    -## Device Registration ## +## Device Registration + Organizations wanting to deploy hybrid key trust need their domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. -### Section Checklist ### +### Section Checklist + > [!div class="checklist"] > * Device Registration with Azure Device Registration
    -### Next Steps ### +### Next Steps + Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**. For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Synchronization**. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index 13cf3b5a0e..0c493ddc5d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -150,7 +150,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva ### Windows Server 2016, 2012 R2 or later Domain Controllers -Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section. +Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section. Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. 1. Start **Server Manager**. 
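Review bot: The section heading in the hello-key-trust-adfs.md hunk is `### Windows Server 2016, 2012 R2 or later Domain Controllers`, but the changed paragraph under it still says twice that it applies to "Windows Server 2012 or later Domain Controllers". Pick one minimum version and use it in both the heading and the paragraph. The corrected `#windows-server-2008-or-2008-r2-domain-controllers` anchor should also be checked against the actual heading text, since the link label spells it "2008R2".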
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md index fd1a237822..9b6ae813f1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md @@ -174,7 +174,7 @@ Update the server using Windows Update until the server has no required or optio #### Configure the IIS Server’s Certificate -To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section. +To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-servers-certificate) section. #### Create WebServices SDK user account diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index d0df6caa9a..2549af8feb 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -192,7 +192,7 @@ Control Flow Guard (CFG) is a mitigation that does not need configuration within | **Heap protections**
    help prevent
    exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.

    **More information**: [Windows heap protections](#windows-heap-protections), later in this topic. | | **Kernel pool protections**
    help prevent
    exploitation of pool memory
    used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.

    **More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. | | **Control Flow Guard**
    helps mitigate exploits
    that are based on
    flow between code locations
    in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
    For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.

    **More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | -| **Protections built into Microsoft Edge** (the browser)
    helps mitigate multiple
    threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.

    **More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer-11), later in this topic. | +| **Protections built into Microsoft Edge** (the browser)
    helps mitigate multiple
    threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.

    **More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer11), later in this topic. | ### SMB hardening improvements for SYSVOL and NETLOGON shares diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_32_Main_App_Fix.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_32_Main_App_Fix.png new file mode 100644 index 0000000000..1d68a3dcce Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_32_Main_App_Fix.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_33_SecurityPrivacySettings_NoPrompt.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_33_SecurityPrivacySettings_NoPrompt.png new file mode 100644 index 0000000000..03fa2f0b9c Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_33_SecurityPrivacySettings_NoPrompt.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_34_MAU.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_34_MAU.png new file mode 100644 index 0000000000..99e4d16920 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_34_MAU.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index c261037801..da0118cedb 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md 
@@ -25,7 +25,7 @@ ms.topic: conceptual [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] ->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements 
@@ -79,7 +79,62 @@ To complete this process, you must have admin privileges on the machine. The installation will proceed. > [!NOTE] -> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. +> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but real-time protection will be disabled. + +### Fixing disabled Real Time Protection + +If you did not enable Microsoft's driver during installation, then Defender's application will display a banner prompting you to enable it: + + ![RTP disabled screenshot](images/MDATP_32_Main_App_Fix.png) + +You can also run ```mdatp --health```. It will report if Real Time Protection is enabled but not available: + +```bash +mavel-mojave:~ testuser$ mdatp --health +... +realTimeProtectionAvailable : false +realTimeProtectionEnabled : true +... +``` + +> [!NOTE] +> You have a 30 minute window to enable Real Time Protection from the warning banner, immediately following installation. + +The warning banner containing a **Fix** button, which allows you to quickly enable Real Time Protection, without having to open a command prompt. Select the **Fix** button. It will prompt the **Security & Privacy** system window, where you will have to **Allow** system software from developers "Microsoft Corporation". + +If you don't see a prompt, it means that 30 or more minutes have already passed, and Real Time Protection has still not been enabled: + +![Security and privacy window after prompt expired screenshot](images/MDATP_33_SecurityPrivacySettings_NoPrompt.png) + +In this case, you will need to perform the following steps to enable Real Time Protection instead. + +1. In Terminal, attempt to install the driver. 
(The operation will fail) + ```bash + mavel-mojave:~ testuser$ sudo kextutil /Library/Extensions/wdavkext.kext + Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } + Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } + Diagnostics for /Library/Extensions/wdavkext.kext: + ``` + +2. Open **System Preferences...** > **Security & Privacy** from the menu. (Close it first, if it's opened.) + +3. **Allow** system software from developers "Microsoft Corporation" + +4. In Terminal, install the driver again. This time the operation will succeed: + +```bash +mavel-mojave:~ testuser$ sudo kextutil /Library/Extensions/wdavkext.kext +``` + +The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real Time Protection is both enabled and available: + +```bash +mavel-mojave:~ testuser$ mdatp --health +... +realTimeProtectionAvailable : true +realTimeProtectionEnabled : true +... +``` ## Client configuration diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 6f3b99dc46..add0f3f650 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md 
@@ -25,7 +25,7 @@ ms.topic: conceptual [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] ->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index b7524656f9..57f36fcbf5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md 
@@ -25,7 +25,7 @@ ms.topic: conceptual [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] ->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md index 5bdebb3c04..f994a4d7d4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md 
@@ -23,7 +23,7 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!IMPORTANT] ->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 3b68d01cfd..8341a2e601 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md 
@@ -25,7 +25,7 @@ ms.topic: conceptual [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] ->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Collecting diagnostic information @@ -66,6 +66,16 @@ If an error occurs during installation, the installer will only report a general The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. +## Upgrade + +We distribute our updates via Microsoft Auto Update (MAU). You can check for MAU settings in main application's menu (Help => Check For Product Updates...): + + ![MAU screenshot](images/MDATP_34_MAU.png) + +**Q**: Can MDATP for Mac be updated without MAU? + +**A**: In the current release, MDATP for Mac product updates are done via MAU. While advanced manageability experts may be able to set up the product updates without MAU, this scenario is not explicitly supported. We will monitor customer interest in this scenario to evaluate its importance relative to other product advancements. + ## Uninstalling There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index b3ad2a2c8c..6794868296 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -21,7 +21,7 @@ ms.topic: conceptual # Microsoft Defender Advanced Threat Protection for Mac >[!IMPORTANT] ->This topic relates to the pre-release version of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>This topic relates to the pre-release version of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic describes how to install and use Microsoft Defender ATP for Mac. diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 7342686647..30acb5dae4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md 
@@ -23,7 +23,7 @@ ms.date: 05/03/2018 Running Appication Control in audit mode allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies. -Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see [Create an initial Windows Defender Application Control policy from a reference computer](#create-initial-default-policy). +Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see [Create an initial Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). **To audit a Windows Defender Application Control policy with local policy:** 
@@ -94,7 +94,7 @@ Use the following procedure after you have been running a computer with a WDAC p - Any applications that actually should not be allowed to run in your environment. Edit these out of the .xml file. If they remain in the .xml file, and the information in the file is merged into your existing WDAC policy, the policy will treat the applications as trusted, and allow them to run. -You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section, [Merge Windows Defender Application Control policies](#merge-windows-defender-application-control-policies). +You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section, [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). > [!NOTE] -> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies. +> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies. 
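Review bot: The `+` line that now links to `merge-windows-defender-application-control-policies.md` still says "see the next section", but the target is a separate file, not a section of this page. Suggest dropping "the next section," so the sentence reads "see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)". In the NOTE that follows, the link text "Create a Windows Defender Application Control policy from a reference computer" points to `create-initial-default-policy.md`, while the earlier hunk in this file uses "Create an initial Windows Defender Application Control policy from a reference computer" for the same target. Use one title for both links.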
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 4104a10a84..647debfcee 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -22,13 +22,17 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. + +Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1704 and 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. + To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. + Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: - Executable files and scripts used in Office apps or web mail that attempt to download or run files 
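Review bot: The rewritten support sentence, "Windows 10, versions 1704 and 1709 or later", names 1704, which is not a Windows 10 release number (the release before 1709 is 1703). Please confirm which release is meant. The phrase is also ambiguous as written, because "or later" after 1709 already covers everything newer and it is unclear whether the earlier version is supported on its own. If one earlier release is being added, state it as a single minimum version, for example "version NNNN or later". The hunk also adds several blank lines around unchanged paragraphs that are unrelated to the wording change and could be left out.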
@@ -63,6 +67,8 @@ Event ID | Description 1121 | Event when rule fires in Block-mode 1122 | Event when rule fires in Audit-mode +The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed. + ## Attack surface reduction rules 
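Review bot: The sentence added after the event ID table says the feature "works on all machines with Windows 10 installed", which conflicts with the version requirement stated earlier in this file (Windows 10 version 1709 or later per the unchanged text, as edited in the previous hunk). Suggest narrowing it to the supported versions, or removing the claim and keeping only the statement about where the "engine version" value comes from. The comma after "event log" separates the subject from its verb and should be removed.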
@@ -207,7 +213,7 @@ GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 ### Block credential stealing from the Windows local security authority subsystem (lsass.exe) -Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. +Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. >[!NOTE] >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. 
@@ -284,3 +290,5 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) +- [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility) + diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md index 851b77b568..ea78e8de16 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md @@ -29,10 +29,6 @@ To configure Windows Defender Firewall with Advanced Security to log dropped pac To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -In this topic: - -- [To configure the Windows Defender Firewall with Advanced Security log](#to-configure-the-windows-firewall-log) - ## To configure the Windows Defender Firewall with Advanced Security log 1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md index bba537328b..17d43619ee 100644 --- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md 
@@ -29,12 +29,6 @@ This procedure shows you how to open the Windows Defender Firewall with Advanced To complete this procedure, you must be a member of the Administrators group. For more information, see Additional considerations. -## Opening Windows Defender Firewall - -- [Using the Windows interface](#to-open-windows-firewall-with-advanced-security-using-the-ui) - -- [Using a command line](#to-open-windows-firewall-with-advanced-security-from-a-command-prompt) - ## To open Windows Defender Firewall using the UI Click Start, type **Windows Defender Firewall**, and the press ENTER.
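Review bot: In the mitigations table row for **Protections built into Microsoft Edge**, the "More information" link fragment changes from `#microsoft-edge-and-internet-explorer-11` to `#microsoft-edge-and-internet-explorer11`, but the link text is still "Microsoft Edge and Internet Explorer 11" with a space before "11". Please confirm that the target heading in this file generates the anchor without the hyphen. If the heading reads "Internet Explorer 11", the original fragment was the matching one and this change breaks the link. The neighbouring rows link with fragments that mirror their link text exactly (`#windows-heap-protections`, `#kernel-pool-protections`, `#control-flow-guard`).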
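Review bot: In microsoft-defender-atp-mac-install-manually.md, hunk `@@ -79,7 +79,62 @@`, the added sentence "The warning banner containing a **Fix** button, which allows you to quickly enable Real Time Protection..." is a fragment; change "containing" to "contains". The fenced block under step 4 starts at column 0 while the block under step 1 is indented under its list item, so the numbered list will break at step 4; indent it to match. The rewritten NOTE uses "real-time protection" while the rest of the new section uses "Real Time Protection"; pick one form. Since the install now completes with protection unavailable instead of failing, consider moving the `mdatp --health` check up into that NOTE so readers verify `realTimeProtectionAvailable` right after installing. The sample output for step 1 also repeats the "Kext rejected due to system policy" line twice; confirm that is the real output and not a paste duplicate.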
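Review bot: In microsoft-defender-atp-mac-resources.md, the new **Upgrade** section refers to the product as "MDATP for Mac" in both the question and the answer, while the unchanged text in the same file uses "Microsoft Defender ATP for Mac". Use the full name for consistency. "You can check for MAU settings in main application's menu" is missing an article ("in the main application's menu"), and the menu path "Help => Check For Product Updates..." would read better in the bold `**Help** > **Check For Product Updates...**` form that the install page added in this same patch uses for "**System Preferences...** > **Security & Privacy**".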