Merged PR 14984: BILBAO preview to GA updates

devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md

@@ -15,19 +15,26 @@ ms.topic: article
 ---
 
 # Deploying the latest firmware and drivers for Surface devices
-Although Surface devices are typically automatically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment. If you need to install drivers and firmware separately from Windows Update, you can find the requisite files on the Microsoft Download Center. Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices.
+Although Surface devices are typically automatically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment. 
+
+## Downloading MSI files
+To download MSI files, refer to the following Microsoft Support page:
+ 
+- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface)<br>
+Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices.
 
 ## Deploying MSI files
-Driver and firmware updates for Surface devices containing all required cumulative updates are available as separate MSI files packaged for specific versions of Windows 10. For example, for Surface Pro 6, there are separate MSI files for Windows 10 versions 16299, 17134, and 17763.
+Driver and firmware updates for Surface devices containing all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10. 
-When deploying updates to Surface devices in your organization, you need to first determine the appropriate .MSI file for the Windows version running on your target devices.
+In the name of each of these files you will find a Windows build number, this number indicates the minimum supported build required to install the drivers and firmware contained within. Refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information) for a list of the build numbers for each version. For example, to install the drivers contained in SurfacePro6_Win10_16299_1900307_0.msi file you must have Windows 10 Fall Creators Update version 1709, or newer installed on your Surface Pro 6.
 
-### Naming convention for Surface MSI files
+
-Each .MSI file is named in accordance with a formula that begins with the product and Windows release  information, followed by the Windows OS floor number and version number, and ending with the revision of version number:
+### Surface MSI naming convention
+Each .MSI file is named in accordance with a formula that begins with the product and Windows release information, followed by the Windows build  number and version number, and ending with the revision of version number.  SurfacePro6_Win10_16299_1900307_0.msi is classified as follows:
 
 **Example:**
 SurfacePro6_Win10_16299_1900307_0.msi :
 
-| Product     | Windows release | OS floor | Version |  Revision of version |
+| Product     | Windows release | Build | Version |  Revision of version |
 | --- | --- | --- | --- | --- |
 | SurfacePro6 | Win10  | 16299  | 1900307 | 0  |
 |       |      |       | Indicates key date and sequence information  | Indicates release history of the MSI file   |
@@ -42,31 +49,9 @@ Look to the **version** number to determine the latest files that contain the mo
 
 The first file —  SurfacePro6_Win10_16299_1900307_0.msi  —  is the newest because its VERSION field has the newest build in 2019; the other files are from 2018.
 
-### Downloading MSI files
+## Supported devices
-To download MSI files, refer to the following Microsoft Support page:
+Downloadable MSI files are available for Surface devices from Surface Pro 2 and later. 
- 
-- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface)
 
- 
-The following MSI files are available:
-
-- Surface Laptop 2
-- Surface Pro 6
-- Surface Go
-- Surface Go with LTE Advanced
-- Surface Book 2
-- Surface Laptop
-- Surface Pro
-- Surface Pro with LTE Advanced
-- Surface Pro 6
-- Surface Studio
-- Surface Studio 2
-- Surface Book
-- Surface Pro 4
-- Surface Pro 3
-- Surface 3
-- Surface 3 LTE
-- Surface Pro 2
 
 [!NOTE]
 There are no downloadable firmware or driver updates available for Surface devices with Windows RT, including Surface RT and Surface 2. Updates can only be applied using Windows Update.

mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md

@@ -32,55 +32,55 @@ This section contains release notes for User Experience Virtualization.
 
 When a computer has an application that is installed through both Application Virtualization (App-V) and a locally with a Windows Installer (.msi) file, the registry-based settings do not synchronize between the technologies.
 
-WORKAROUND: To resolve this problem, run the application by selecting one of the two technologies, but not both.
+**WORKAROUND:** To resolve this problem, run the application by selecting one of the two technologies, but not both.
 
 ### <a href="" id="settings-do-not-synchronization-when-network-share-is-outside-user-s-domain"></a>Settings do not synchronization when network share is outside user’s domain
 
 When Windows® 8 attempts operating system settings synchronization, the synchronization fails with the following error message: **boost::filesystem::exists::Incorrect user name or password**. This error can indicate that the network share is outside the user’s domain or a domain with a trust relationship to that domain. To check for operational log events, open the **Event Viewer** and navigate to **Applications and Services Logs** / **Microsoft** / **User Experience Virtualization** / **Logging** / **Operational**. Network shares that are used for UE-V settings storage locations should reside in the same Active Directory domain as the user or a trusted domain of the user’s domain.
 
-WORKAROUND: Use network shares from the same Active Directory domain as the user.
+**WORKAROUND:** Use network shares from the same Active Directory domain as the user.
 
 ### Unpredictable results with both Office 2010 and Office 2013 installed
 
 When a user has both Office 2010 and Office 2013 installed, any common settings between the two versions of Office are roamed by UE-V. This could cause the Office 2010 package size to be quite large or result in unpredictable conflicts with 2013, particularly if Office 365 is used.
 
-WORKAROUND: Install only one version of Office or limit which settings are synchronized by UE-V.
+**WORKAROUND:** Install only one version of Office or limit which settings are synchronized by UE-V.
 
 ### Uninstall and re-install of Windows 8 app reverts settings to initial state
 
 While using UE-V settings synchronization for a Windows 8 app, if the user uninstalls the app and then reinstalls the app, the app’s settings revert to their default values.  This happens because the uninstall removes the local (cached) copy of the app’s settings but does not remove the local UE-V settings package.  When the app is reinstalled and launched, UE-V gather the app settings that were reset to the app defaults and then uploads the default settings to the central storage location.  Other computers running the app then download the default settings.  This behavior is identical to the behavior of desktop applications.
 
-WORKAROUND: None.
+**WORKAROUND:** None.
 
 ### Email signature roaming for Outlook 2010
 
 UE-V will roam the Outlook 2010 signature files between devices. However, the default signature options for new messages and replies or forwards are not synchronized. These two settings are stored in the Outlook profile, which UE-V does not roam.
 
-WORKAROUND: None.
+**WORKAROUND:** None.
 
 ### UE-V does not support roaming settings between 32-bit and 64-bit versions of Microsoft Office
 
-We recommend that you install the 32-bit version of Microsoft Office for both 32-bit and 64-bit operating systems. To choose the Microsoft Office version that you need, click here. ([http://office.microsoft.com/word-help/choose-the-32-bit-or-64-bit-version-of-microsoft-office-HA010369476.aspx](https://go.microsoft.com/fwlink/?LinkID=247623)). UE-V supports roaming settings between identical architecture versions of Office. For example, 32-bit Office settings will roam between all 32-bit Office instances. UE-V does not support roaming settings between 32-bit and 64-bit versions of Office.
+We recommend that you install the 64-bit version of Microsoft Office for modern computers. To determine which version you you need, [click here](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261?ui=en-US&rs=en-US&ad=US#32or64Bit=Newer_Versions).
 
-WORKAROUND: None
+**WORKAROUND:** None
 
 ### <a href="" id="msi-s-are-not-localized"></a>MSI’s are not localized
 
 UE-V 2.0 includes a localized setup program for both the UE-V Agent and UE-V generator. These MSI files are still available but the user interface is minimized and the MSI’s only display in English. Despite the file being in English, the setup program installs all supported languages during the installation.
 
-WORKAROUND: None
+**WORKAROUND:** None
 
 ### Favicons that are associated with Internet Explorer 9 favorites do not roam
 
 The favicons that are associated with Internet Explorer 9 favorites are not roamed by User Experience Virtualization and do not appear when the favorites first appear on a new computer.
 
-WORKAROUND: Favicons will appear with their associated favorites once the bookmark is used and cached in the Internet Explorer 9 browser.
+**WORKAROUND:** Favicons will appear with their associated favorites once the bookmark is used and cached in the Internet Explorer 9 browser.
 
 ### File settings paths are stored in registry
 
 Some application settings store the paths of their configuration and settings files as values in the registry. The files that are referenced as paths in the registry must be synchronized when settings are roamed between computers.
 
-WORKAROUND: Use folder redirection or some other technology to ensure that any files that are referenced as file settings paths are present and placed in the same location on all computers where settings roam.
+**WORKAROUND:** Use folder redirection or some other technology to ensure that any files that are referenced as file settings paths are present and placed in the same location on all computers where settings roam.
 
 ### Long Settings Storage Paths could cause an error
 
@@ -90,25 +90,25 @@ Keep settings storage paths as short as possible. Long paths could prevent resol
 
 To check the operational log events, open the Event Viewer and navigate to Applications and Services Logs / Microsoft / User Experience Virtualization / Logging / Operational.
 
-WORKAROUND: None.
+**WORKAROUND:** None.
 
 ### Some operating system settings only roam between like operating system versions
 
 Operating system settings for Narrator and currency characters specific to the locale (i.e. language and regional settings) will only roam across like operating system versions of Windows. For example, currency characters will not roam between Windows 7 and Windows 8.
 
-WORKAROUND: None
+**WORKAROUND:** None
 
 ### Windows 8 apps do not sync settings when the app restarts after closing unexpectedly
 
 If a Windows 8 app closes unexpectedly soon after startup, settings for the application may not be synchronized when the application is restarted.
 
-WORKAROUND: Close the Windows 8 app, close and restart the UevAppMonitor.exe application (can use TaskManager), and then restart the Windows 8 app.
+**WORKAROUND:** Close the Windows 8 app, close and restart the UevAppMonitor.exe application (can use TaskManager), and then restart the Windows 8 app.
 
 ### <a href="" id="ue-v-1-agent-generates-errors-when-running-ue-v-2-templates-"></a>UE-V 1 agent generates errors when running UE-V 2 templates
 
 If a UE-V 2 settings location template is distributed to a computer installed with a UE-V 1 agent, some settings fail to synchronize between computers and the agent reports errors in the event log.
 
-WORKAROUND: When migrating from UE-V 1 to UE-V 2 and it is likely you’ll have computers running the previous version of the agent, create a separate UE-V 2.0 catalog to support the UE-V 2.0 Agent and templates.
+**WORKAROUND:** When migrating from UE-V 1 to UE-V 2 and it is likely you’ll have computers running the previous version of the agent, create a separate UE-V 2.0 catalog to support the UE-V 2.0 Agent and templates.
 
 ## Hotfixes and Knowledge Base articles for UE-V 2.0
 

windows/client-management/mdm/firewall-csp.md

@@ -277,6 +277,7 @@ Sample syncxml to provision the firewall settings to evaluate
 </ul>
 <p style="margin-left: 20px">If not specified, the default is All.</p>
 <p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+<p style="margin-left: 20px">The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.</p>
 
 <a href="" id="description"></a>**FirewallRules/_FirewallRuleName_/Description**
 <p style="margin-left: 20px">Specifies the description of the rule.</p>
@@ -306,7 +307,7 @@ Sample syncxml to provision the firewall settings to evaluate
 <p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
 
 <a href="" id="direction"></a>**FirewallRules/_FirewallRuleName_/Direction**
-<p style="margin-left: 20px">Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:</p>
+<p style="margin-left: 20px">The rule is enabled based on the traffic direction as following. Supported values:</p>
 <ul>
 <li>IN - the rule applies to inbound traffic.</li>
 <li>OUT - the rule applies to outbound traffic.</li>
@@ -320,7 +321,6 @@ Sample syncxml to provision the firewall settings to evaluate
 <li>RemoteAccess</li>
 <li>Wireless</li>
 <li>Lan</li>
-<li>MobileBroadband</li>
 </ul>
 <p style="margin-left: 20px">If not specified, the default is All.</p>
 <p style="margin-left: 20px">Value type is string. Supported operations are Get and Replace.</p>

windows/client-management/mdm/oma-dm-protocol-support.md

@@ -314,13 +314,13 @@ For more information about Basic or MD5 client authentication, MD5 server authen
 
 ## User targeted vs. Device targeted configuration
 
-For CSPs and policies that supports per user configuration, MDM server could send user targeted setting values to the device the user that enrolled MDM is actively logged in. The device notifies the server the login status via a device alert (1224) with Alert type = in DM pkg\#1.
+For CSPs and policies that support per user configuration, the MDM server can send user targeted setting values to the device that a MDM-enrolled user is actively logged into. The device notifies the server of the login status via a device alert (1224) with Alert type = in DM pkg\#1.
 
 The data part of this alert could be one of following strings:
 
--   user – the user that enrolled the device is actively login. The MDM server could send user specific configuration for CSPs/policies that support per user configuration
+-   user – the user that enrolled the device is actively logged in. The MDM server could send user specific configuration for CSPs/policies that support per user configuration
 -   others – another user login but that user does not have an MDM account. The server can only apply device wide configuration, e.g. configuration applies to all users in the device.
--   none – no active user login. The server can only apply device wide configuration and available configuration is restricted to the device environment (no active user login
+-   none – no active user login. The server can only apply device wide configuration and available configuration is restricted to the device environment (no active user login).
 
 Below is an alert example:
 

windows/client-management/mdm/policy-csp-deviceinstallation.md

@@ -422,7 +422,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f
             <CmdID>$CmdID$</CmdID>
             <Item>
                 <Target>
-                    <LocURI>./Device/Vendor/MSFT/Policy/Config/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings</LocURI>
+                    <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings</LocURI>
                 </Target>
                 <Meta>
                     <Format xmlns="syncml:metinf">string</Format>

windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md

@@ -25,14 +25,14 @@ ms.topic: article
 
 You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations.
 
-After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application.
+After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application. 
 
 ## Command-Line Options for Deploying Customized Database Files
 
 
 The command-line options use the following conventions.
 
-Sdbinst.exe \[-q\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\] \[-?\]
+Sdbinst.exe \[-q\] \[-?\] \[-u\] \[-g\] \[-p\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\]
 
 The following table describes the available command-line options.
 
@@ -78,8 +78,14 @@ The following table describes the available command-line options.
 <p>For example,</p>
 <p><code>sdbinst.exe -?</code></p></td>
 </tr>
+<tr class="even">
+<td align="left"><p>-p</p></td>
+<td align="left"><p>Allows SDBs installation with Patches</p>
+<p>For example,</p>
+<p><code>sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb</code></p></td>
+</tr>
 </tbody>
 </table>
 
 ## Related topics
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)

windows/deployment/planning/windows-10-1803-removed-features.md

@@ -51,4 +51,4 @@ If you have feedback about the proposed replacement of any of these features, yo
 |Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.|
 |IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.|
 |[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.|
-|Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124\(vs.11\)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.|
+|Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.|

windows/deployment/update/windows-analytics-FAQ-troubleshooting.md

@@ -42,6 +42,8 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win
 
 [Device names not appearing for Windows 10 devices](#device-names-not-appearing-for-windows-10-devices)
 
+[Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results](#custom-log-queries-using-the-abnormalshutdowncount-field-of-device-health-show-zero-or-lower-than-expected-results)
+
 [Disable Upgrade Readiness](#disable-upgrade-readiness)
 
 [Exporting large data sets](#exporting-large-data-sets)
@@ -54,7 +56,7 @@ In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and
 Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices with a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/05/12/wheres-my-data/) on the Windows Analytics blog.
 
 >[!NOTE]
-> If you generate the status report and get an error message saying "Sorry! We’re not recognizing your Commercial Id," go to **Settings > Connected sources > Windows telemetry** and unsubscribe, wait a minute and then re-subscribe to Upgrade Readiness.
+> If you generate the status report and get an error message saying "Sorry! We’re not recognizing your Commercial Id," go to **Settings > Connected sources > Windows telemetry** remove the Upgrade Readiness solution, and then re-add it.
  
 If devices are not showing up as expected, find a representative device and follow these steps to run the latest pilot version of the Upgrade Readiness deployment script on it to troubleshoot issues:
 
@@ -201,6 +203,20 @@ Finally, Upgrade Readiness only collects IE site discovery data on devices that
 ### Device names not appearing for Windows 10 devices
 Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates.
 
+### Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results
+This issue affects custom queries of the Device Health data by using the **Logs > Search page** or API. It does not impact any of the built-in tiles or reports of the Device Health solution. The **AbnormalShutdownCount** field of the **DHOSReliability** data table represents abnormal shutdowns other than crashes, such as sudden power loss or holding down the power button.
+ 
+We have identified an incompatibility between AbnormalShutdownCount and the Limited Enhanced diagnostic data level on Windows 10, versions 1709, 1803, and 1809. Such devices do not send the abnormal shutdown signal to Microsoft. You should not rely on AbnormalShutdownCount in your custom queries unless you use any one of the following workarounds:
+ 
+
+- Upgrade devices to Windows 10, version 1903 when available. Participants in the Windows Insider program can preview this change using Windows Insider builds.
+- Change the diagnostic data setting from devices running Windows 10, versions 1709, 1803, and 1809 normal Enhanced level instead of Limited Enhanced.
+- Use alternative data from devices to track abnormal shutdowns. For example, you can forward abnormal shutdown events from the Windows Event Log to your Log Analytics workspace by using the Log Analytics agent. Suggested events to forward include:
+    - Log: System, ID: 41, Source: Kernel-Power
+    - Log System, ID: 6008, Source: EventLog
+
+
+
 ### Disable Upgrade Readiness
 
 If you want to stop using Upgrade Readiness and stop sending diagnostic data to Microsoft, follow these steps:

windows/deployment/update/windows-analytics-overview.md

@@ -51,4 +51,7 @@ Use Upgrade Readiness to get:
 - Application usage information, allowing targeted validation; workflow to track validation progress and decisions
 - Data export to commonly used software deployment tools, including System Center Configuration Manager 
 
-To get started with any of these solutions, visit the links for instructions to add it to Azure Portal.
+To get started with any of these solutions, visit the links for instructions to add it to Azure Portal.
+
+>[!NOTE]
+> For details about licensing requirements and costs associated with using Windows Analytics solutions, see [What are the requirements and costs for Windows Analytics solutions?](windows-analytics-FAQ-troubleshooting.md#what-are-the-requirements-and-costs-for-windows-analytics-solutions).

windows/deployment/windows-10-enterprise-subscription-activation.md

@@ -9,6 +9,8 @@ ms.sitesec: library
 ms.pagetype: mdt
 author: greg-lindsay
 ms.collection: M365-modern-desktop
+search.appverid:
+- MET150
 ms.topic: article
 ---
 

windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md

@@ -95,6 +95,7 @@ This policy setting controls whether the elevation request prompt is displayed o
 
 -   **Enabled** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
 -   **Disabled** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
+
 ## User Account Control: Virtualize file and registry write failures to per-user locations
 
 This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software.

windows/security/identity-protection/vpn/vpn-conditional-access.md

@@ -10,7 +10,7 @@ ms.author: pashort
 manager: elizapo
 ms.reviewer: 
 ms.localizationpriority: medium
-ms.date: 01/26/2019
+ms.date: 03/21/2019
 ---
 
 # VPN and conditional access
@@ -32,11 +32,7 @@ Conditional Access Platform components used for Device Compliance include the fo
 
 - Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. 
 
-- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. 
+- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued.
-
-    Additional details regarding the Azure AD issued short-lived certificate: 
-    - The default lifetime is 60 minutes and is configurable
-    - When that certificate expires, the client will again check with Azure AD so that continued health can be validated before a new certificate is issued allowing continuation of the connection
 
 - [Microsoft Intune device compliance policies](https://docs.microsoft.com/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
 

windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md

@@ -6,8 +6,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: aadake
-ms.date: 12/20/2018
+ms.author: justinha
-ms.topic: article
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 03/26/2019
 ---
 
 # Kernel DMA Protection for Thunderbolt™ 3 
@@ -98,12 +102,12 @@ No, Kernel DMA Protection only protects against drive-by DMA attacks after the O
 DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping.
 Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
 
-*For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the image below
+*For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image. 
 
 ![Kernel DMA protection user experience](images/device-details-tab.png)
 
 ### What should I do if the drivers for my Thunderbolt™ 3 peripherals do not support DMA-remapping?
-If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality. Details for driver compatibility requirements can be found here (add link to OEM documentation).
+If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality. Details for driver compatibility requirements can be found at the [Microsoft Partner Center](https://partner.microsoft.com/dashboard/collaborate/packages/4142).
 
 ### Do Microsoft drivers support DMA-remapping?
 In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA-remapping.

windows/security/information-protection/secure-the-windows-10-boot-process.md

@@ -78,7 +78,7 @@ All x86-based Certified For Windows 10 PCs must meet several requirements relat
 
 These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems:
 
--  **Use an operating system with a certified bootloader.** Because all Certified For Windows 10 PCs must trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows 10 PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to <http://sysdev.microsoft.com>.
+-  **Use an operating system with a certified bootloader.** Because all Certified For Windows 10 PCs must trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows 10 PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to <http://partner.microsoft.com/dashboard>.
 -  **Configure UEFI to trust your custom bootloader.** All Certified For Windows 10 PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems.
 -  **Turn off Secure Boot.** All Certified For Windows 10 PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however.
 

windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md

@@ -11,7 +11,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 03/15/2019
+ms.date: 03/25/2019
 ---
 
 # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
@@ -67,6 +67,9 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
    - [Recommended apps](#add-recommended-apps)
    - [Store apps](#add-store-apps)
    - [Desktop apps](#add-desktop-apps)
+
+>[!NOTE]
+>An application might return access denied errors after removing it from the list of protected apps. Rather than remove it from the list, uninstall and reinstall the application or exempt it from WIP policy.    
     
 ### Add recommended apps 
 
@@ -397,7 +400,7 @@ To define the network boundaries, click **App policy** > the name of your policy
 
 ![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png)
 
-Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**.
+Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then click **OK**.
 
 ### Cloud resources
 

windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md

@@ -13,7 +13,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/26/2019
+ms.date: 03/25/2019
 ---
 
 # Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)
@@ -38,8 +38,15 @@ This table includes the recommended URLs to add to your Enterprise Cloud Resourc
 |Visual Studio Online |contoso.visualstudio.com |
 |Power BI |contoso.powerbi.com |
 
->[!NOTE]
+You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both.
->You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both.
+
+For Office 365 endpoints, see [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges). 
+Office 365 endpoints are updated monthly. 
+Allow the domains listed in section number 46 Allow Required and add also add the apps. 
+Note that apps from officeapps.live.com can also store personal data. 
+
+When multiple files are selected from SharePoint Online or OneDrive, the files are aggregated and the URL can change. In this case, add a entry for a second-level domain and use a wildcard such as .svc.ms. 
+
 
 ## Recommended Neutral Resources
 We recommended adding these URLs if you use the Neutral Resources network setting with Windows Information Protection (WIP).

windows/security/threat-protection/TOC.md

@@ -389,6 +389,7 @@
 #####Rules
 ###### [Manage suppression rules](windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md)
 ###### [Manage automation allowed/blocked](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+###### [Manage allowed/blocked](windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
 ###### [Manage automation file uploads](windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
 ###### [Manage automation folder exclusions](windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
   

windows/security/threat-protection/intelligence/supply-chain-malware.md

@@ -48,15 +48,17 @@ To learn more about supply chain attacks, read this blog post called [attack inc
 
 ### For software vendors and developers
 
-* Take steps to ensure your apps are not compromised.
+* Maintain a highly secure build and update infrastructure.
-
-* Maintain a secure and up-to-date infrastructure. Restrict access to critical build systems.
   * Immediately apply security patches for OS and software.
-
+  * Implement mandatory integrity controls to ensure only trusted tools run.
   * Require multi-factor authentication for admins.
 
-* Build secure software update processes as part of the software development lifecycle.
+* Build secure software updaters as part of the software development lifecycle.
+  * Require SSL for update channels and implement certificate pinning.
+  * Sign everything, including configuration files, scripts, XML files, and packages.
+  * Check for digital signatures, and don’t let the software updater accept generic input and commands.
 
 * Develop an incident response process for supply chain attacks.
+  * Disclose supply chain incidents and notify customers with accurate and timely information
 
 For more general tips on protecting your systems and devices, see [prevent malware infection](prevent-malware-infection.md).

windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md

@@ -49,4 +49,4 @@ To be eligible for VIA your organization must:
 
 3. Be willing to sign and adhere to the VIA membership agreement.
 
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).

windows/security/threat-protection/intelligence/virus-initiative-criteria.md

@@ -53,4 +53,4 @@ Your organization must meet the following eligibility requirements to qualify fo
 
 ### Apply now
 
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).

windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md

@@ -15,12 +15,12 @@ ms.topic: conceptual
 ms.date: 04/19/2017
 ---
 
-# Network security: Configure encryption types allowed for Kerberos Win7 only
+# Network security: Configure encryption types allowed for Kerberos
 
 **Applies to**
 -   Windows 10
 
-Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting.
+Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos** security policy setting.
 
 ## Reference
 
@@ -67,9 +67,9 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
 | Default domain policy| Not defined|
 | Default domain controller policy| Not defined|
 | Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | None of these encryption types that are available in this policy are allowed.|
+| Domain controller effective default settings | The default OS setting applies, DES suites are not supported by default.|
-| Member server effective default settings | None of these encryption types that are available in this policy are allowed.|
+| Member server effective default settings | The default OS setting applies, DES suites are not supported by default.|
-| Effective GPO default settings on client computers | None of these encryption types that are available in this policy are allowed.|
+| Effective GPO default settings on client computers | The default OS setting applies, DES suites are not supported by default.|
  
 ## Security considerations
 

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -371,6 +371,7 @@
 ####Rules
 ##### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
 ##### [Manage automation allowed/blocked](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+##### [Manage allowed/blocked](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
 ##### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
 ##### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
  

windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 11/16/2018
 ---
 
 # Configure advanced features in Windows Defender ATP

windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md

@@ -66,7 +66,7 @@ Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "s
 Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com"
 ```
 
-For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
+For more information see, [Add or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
 
 ## Assign user access using the Azure portal
 For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).

windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md

@@ -48,7 +48,7 @@ ms.date: 04/24/2018
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
 
-3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
 
 4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
 
@@ -78,7 +78,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
 
     b.  Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
 
-2.  Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
+2.  Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11), right-click the GPO you want to configure and click **Edit**.
 
 3.  In the **Group Policy Management Editor**, go to **Computer configuration**.
 
@@ -110,7 +110,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 
-3.	Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+3.	Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
 
 4.	In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
 

windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md

@@ -61,7 +61,7 @@ You can use existing System Center Configuration Manager functionality to create
 
 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
 
-3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
+3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs) topic.
 
     a. Choose a predefined device collection to deploy the package to.
 
@@ -92,7 +92,7 @@ Possible values are:
 
 The default value in case the registry key doesn’t exist is 1.
 
-For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
+For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings).
 
 
 
@@ -115,7 +115,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 
-3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
+3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs) topic.
 
     a. Choose a predefined device collection to deploy the package to.
 
@@ -155,7 +155,7 @@ Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
 Name: “OnboardingState”
 Value: “1”
 ```
-For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
+For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings).
 
 ## Related topics
 - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md

@@ -14,7 +14,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 12/14/2018
 ---
 
 # Onboard servers to the Windows Defender ATP service
@@ -45,7 +44,22 @@ For a practical guidance on what needs to be in place for licensing and infrastr
 
 ## Windows Server 2012 R2 and Windows Server 2016
 
-To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP, you’ll need to:
+There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP:
+
+- **Option 1**: Onboard through Azure Security Center
+- **Option 2**: Onboard through Windows Defender Security Center
+
+### Option 1: Onboard servers through Azure Security Center
+1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
+
+2. Select Windows Server 2012 R2 and 2016 as the operating system.
+
+3. Click **Onboard Servers in Azure Security Center**. 
+
+4. Follow the onboarding instructions in [Windows Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
+
+### Option 2: Onboard servers through Windows Defender Security Center
+You'll need to tak the following steps if you choose to onboard servers through Windows Defender Security Center. 
 
 - For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
 
@@ -53,7 +67,7 @@ To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender AT
     >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
 
 - Turn on server monitoring from Windows Defender Security Center.
-- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
+- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
 
 >[!TIP]
 > After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
@@ -73,7 +87,7 @@ The following steps are required to enable this integration:
 
 1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
 
-2. Select Windows Server 2012R2 and 2016 as the operating system.
+2. Select Windows Server 2012 R2 and 2016 as the operating system.
  
 3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
 
@@ -201,7 +215,7 @@ To offboard the server, you can use either of the following methods:
 1. Get your Workspace ID:
    a. In the navigation pane, select **Settings** > **Onboarding**.
 
-   b. Select **Windows Server 2012R2 and 2016** as the operating system and get your Workspace ID:
+   b. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID:
     
         ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png)
 

windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md

@@ -14,7 +14,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 30/07/2018
 ---
 
 # Supported Windows Defender ATP query APIs 

windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md

@@ -63,61 +63,50 @@ When accessing [Windows Defender Security Center](https://SecurityCenter.Windows
 
 2. The **Welcome** screen will provide some details as to what is about to occur during the set up wizard.
 
-	![Image of Welcome screen for portal set up](images\atp-portal-welcome-screen.png)
+	![Image of Welcome screen for portal set up](images\welcome1.png)
 
 	You will need to set up your preferences for Windows Defender Security Center.
 
-3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
+3. Set up preferences
+    
+    ![Image of geographic location in set up](images\setup-preferences.png)
 
-	> [!WARNING]
+   1. **Select data storage location** <br> When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United States, the European Union, or the United Kingdom. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
-	> This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process.
 
-	![Image of geographic location in set up](images\atp-geographic-location-setup.png)
+    	> [!WARNING]
+    	> This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process.
 
-4.   Windows Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process.
+   2. **Select the data retention policy** <br> Windows Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process.
 
-	> [!NOTE]
+    > [!NOTE]
-	> This option can be changed at a later time.
+    > This option can be changed at a later time.
 
-   ![Image of data retention set up](images\atp-data-retention-policy.png)
+   3. **Select the size of your organization** <br> You will need to indicate the size of your organization based on an estimate of the number of employees currently employed.
 
-5. You will need to indicate the size of your organization based on an estimate of the number of employees currently employed.
+    > [!NOTE]
+    > The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization.
 
-	> [!NOTE]
+   4. **Turn on preview features** <br> Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**.
-	> The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization.
 
-	![Image of organization size](images\atp-organization-size.png)
+	    You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
-
-6. The customer industry information is helpful in collecting data for the Windows Security Team, and while optional, would be useful if completed. 
-
-	> [!NOTE]
-	> This option can be changed at a later time.
-
-	![Image of industry information](images\atp-industry-information.png)
-
-7. Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**.
-
-	You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
 
 	- Toggle the setting between On and Off to choose **Preview features**.
 
-	> [!NOTE]
+      > [!NOTE]
-	> This option can be changed at a later time.
+      > This option can be changed at a later time.
 
-	![Image of preview experience](images\atp-preview-experience.png)
+4. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**.
-
-8. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**.
 
 	> [!NOTE]
 	> Some of these options can be changed at a later time in Windows Defender Security Center.
 
-	![Image of final preference set up](images\atp-final-preference-setup.png)
+	![Image of final preference set up](images\setup-preferences2.png)
 
-9. A dedicated cloud instance of Windows Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete.
+5. A dedicated cloud instance of Windows Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete.
 
-	![Image of Windows Defender ATP cloud instance](images\atp-windows-cloud-instance-creation.png)
+	![Image of Windows Defender ATP cloud instance](images\creating-account.png)
 
-10. You are almost done. Before you can start using Windows Defender ATP you'll need to:
+6. You are almost done. Before you can start using Windows Defender ATP you'll need to:
 
 	- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
 
@@ -129,7 +118,7 @@ When accessing [Windows Defender Security Center](https://SecurityCenter.Windows
 	> If you click **Start using Windows Defender ATP** before onboarding machines you will receive the following notification:
 	>![Image of setup imcomplete](images\atp-setup-incomplete.png)
 
-11. After onboarding machines you can click **Start using Windows Defender ATP**. You will now launch Windows Defender ATP for the first time.
+7. After onboarding machines you can click **Start using Windows Defender ATP**. You will now launch Windows Defender ATP for the first time.
 
 	![Image of onboard machines](images\atp-onboard-endpoints-WDATP-portal.png)
 

windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md

@@ -67,7 +67,15 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
 
 1. Select the alert you'd like to suppress. This brings up the **Alert management** pane.
 
-2.  Select **Create a supression rule**.
+2.  Select **Create a suppression rule**.
+
+    You can create a suppression rule based on the following attributes:
+    
+    * File hash 
+    * File name - wild card supported
+    * File path - wild card supported
+    * IP
+    * URL - wild card supported
 
 3. Select the **Trigerring IOC**.
     

windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,77 @@
+---
+title: Manage allowed/blocked lists
+description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities.
+keywords: manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Manage allowed/blocked lists
+
+**Applies to:**
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
+
+
+Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
+
+On the top navigation you can:
+- Import a list
+- Add an indicator 
+- Customize columns to add or remove columns 
+- Export the entire list in CSV format
+- Select the items to show per page
+- Navigate between pages
+- Apply filters 
+
+## Create an indicator
+1. In the navigation pane, select **Settings** > **Allowed/blocked list**.  
+
+2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities: 
+   - File hash
+   - IP address
+   - URLs/Domains
+  
+3. Click **Add indicator**.
+
+4. For each attribute specify the following details:
+   - Indicator - Specify the entity details and define the expiration of the indicator.
+   - Action - Specify the action to be taken and provide a description.
+   - Scope - Define the scope of the machine group.
+    
+5. Review the details in the Summary tab, then click **Save**.
+
+## Manage indicators
+1. In the navigation pane, select **Settings** > **Allowed/blocked list**.  
+
+2. Select the tab of the entity type you'd like to manage.  
+
+3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.
+
+## Import a list
+You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details. 
+
+Download the sample CSV to know the supported column attributes. 
+
+
+## Related topics
+- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+
+
+
+
+

windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md

@@ -1,7 +1,7 @@
 ---
 title: Minimum requirements for Windows Defender ATP
-description: Minimum network and data storage configuration, machine hardware and software requirements, and deployment channel requirements for Windows Defender ATP.
+description: Understand the licensing requirements and requirements for onboarding machines to the sercvie
-keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, machine configuration, deployment channel
+keywords: minimum requirements, licensing, comparison table
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: conceptual
-ms.date: 11/20/2018
 ---
 
 # Minimum requirements for Windows Defender ATP
@@ -43,6 +42,7 @@ For more information on the array of features in Windows 10 editions, see [Compa
 
 For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://go.microsoft.com/fwlink/p/?linkid=2069559).
 
+For more information about licensing requirements for Windows Defender ATP platform on Windows Server, see [Protecting Windows Servers with Windows Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114).
 
 
 ## Related topic

windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md

@@ -66,7 +66,7 @@ Review the following details to verify minimum system requirements:
 
 - Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
 
-    >[NOTE]
+    >[!NOTE]
     >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
     >Don't install .NET framework 4.0.x, since it will negate the above installation.
 

windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md

@@ -44,7 +44,7 @@ When you open the portal, you’ll see the main areas of the application:
 - (3) Search, Community center, Time settings, Help and support, Feedback
 
 > [!NOTE]
-> Malware related detections will only appear if your machines are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> Malware related detections will only appear if your machines are using Windows Defender Antivirus as the default real-time protection antimalware product.
 
 You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
 

windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md

@@ -14,7 +14,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 30/07/2018
 ---
 
 # Create custom reports using Power BI (app authentication)

windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md

@@ -14,7 +14,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 30/07/2018
 ---
 
 # Create custom reports using Power BI (user authentication)

windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md

@@ -14,7 +14,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 30/07/2018
 ---
 
 # Advanced Hunting using Python

windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md

@@ -1,313 +1,312 @@
----
+---
-title: Troubleshoot Windows Defender ATP onboarding issues
+title: Troubleshoot Windows Defender ATP onboarding issues
-description: Troubleshoot issues that might arise during the onboarding of machines or to the Windows Defender ATP service.
+description: Troubleshoot issues that might arise during the onboarding of machines or to the Windows Defender ATP service.
-keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics
+keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics
-search.product: eADQiWindows 10XVcnh
+search.product: eADQiWindows 10XVcnh
-search.appverid: met150
+search.appverid: met150
-ms.prod: w10
+ms.prod: w10
-ms.mktglfcycl: deploy
+ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.sitesec: library
-ms.pagetype: security
+ms.pagetype: security
-ms.author: macapara
+ms.author: macapara
-author: mjcaparas
+author: mjcaparas
-ms.localizationpriority: medium
+ms.localizationpriority: medium
-manager: dansimp
+manager: dansimp
-audience: ITPro
+audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: M365-security-compliance 
-ms.topic: troubleshooting
+ms.topic: troubleshooting
-ms.date: 09/07/2018
+---
----
+
-
+# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
-# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
+
-
+**Applies to:**
-**Applies to:**
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Windows Server 2012 R2
-- Windows Server 2012 R2
+- Windows Server 2016
-- Windows Server 2016
+
-
+
-
+
-
+You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues.
-You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues.
+This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines.
-This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines.
+
-
+If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an onboarding or connectivity problem.
-If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an onboarding or connectivity problem.
+
-
+## Troubleshoot onboarding when deploying with Group Policy
-## Troubleshoot onboarding when deploying with Group Policy
+Deployment with Group Policy is done by running the onboarding script on the machines.  The Group Policy console does not indicate if the deployment has succeeded or not.
-Deployment with Group Policy is done by running the onboarding script on the machines.  The Group Policy console does not indicate if the deployment has succeeded or not.
+
-
+If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script).
-If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script).
+
-
+If the script completes successfully, see [Troubleshoot onboarding issues on the machines](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur.
-If the script completes successfully, see [Troubleshoot onboarding issues](#troubleshoot-onboarding-issues) for additional errors that might occur.
+
-
+## Troubleshoot onboarding issues when deploying with System Center Configuration Manager
-## Troubleshoot onboarding issues when deploying with System Center Configuration Manager
+When onboarding machines using the following versions of System Center Configuration Manager:
-When onboarding machines using the following versions of System Center Configuration Manager:
+- System Center 2012 Configuration Manager
-- System Center 2012 Configuration Manager
+- System Center 2012 R2 Configuration Manager
-- System Center 2012 R2 Configuration Manager
+- System Center Configuration Manager (current branch) version 1511
-- System Center Configuration Manager (current branch) version 1511
+- System Center Configuration Manager (current branch) version 1602
-- System Center Configuration Manager (current branch) version 1602
+
-
+
-
+Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console.
-Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console.
+
-
+If the deployment fails, you can check the output of the script on the machines.
-If the deployment fails, you can check the output of the script on the machines.
+
-
+If the onboarding completed successfully but the machines are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur.
-If the onboarding completed successfully but the machines are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues](#troubleshoot-onboarding-issues) for additional errors that might occur.
+
-
+## Troubleshoot onboarding when deploying with a script
-## Troubleshoot onboarding when deploying with a script
+
-
+**Check the result of the script on the machine**:
-**Check the result of the script on the machine**:
+1. Click **Start**, type **Event Viewer**, and press **Enter**.
-1. Click **Start**, type **Event Viewer**, and press **Enter**.
+
-
+2. Go to **Windows Logs** > **Application**.
-2. Go to **Windows Logs** > **Application**.
+
-
+3. Look for an event from **WDATPOnboarding** event source.
-3. Look for an event from **WDATPOnboarding** event source.
+
-
+If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue.
-If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue.
+> [!NOTE]
-> [!NOTE]
+> The following event IDs are specific to the onboarding script only.
-> The following event IDs are specific to the onboarding script only.
+
-
+Event ID | Error Type | Resolution steps
-Event ID | Error Type | Resolution steps
+:---|:---|:---
-:---|:---|:---
+5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
-5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
+10 | Onboarding data couldn't be written to registry |  Check the permissions on the registry, specifically<br> ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.<br>Verify that the script was ran as an administrator.
-10 | Onboarding data couldn't be written to registry |  Check the permissions on the registry, specifically<br> ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.<br>Verify that the script was ran as an administrator.
+15 |  Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). <br> <br> If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again.
-15 |  Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). <br> <br> If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again.
+15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions.
-15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions.
+30 |  The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
-30 |  The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
+35 |  The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location<br>```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.<br>The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
-35 |  The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location<br>```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.<br>The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
+40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
-40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
+65 | Insufficient privileges| Run the script again with administrator privileges.
-65 | Insufficient privileges| Run the script again with administrator privileges.
+
-
+## Troubleshoot onboarding issues using Microsoft Intune
-## Troubleshoot onboarding issues using Microsoft Intune
+You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
-You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
+
-
+If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. 
-If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. 
+
-
+Use the following tables to understand the possible causes of issues while onboarding:
-Use the following tables to understand the possible causes of issues while onboarding:
+
-
+- Microsoft Intune error codes and OMA-URIs table
-- Microsoft Intune error codes and OMA-URIs table
+- Known issues with non-compliance table
-- Known issues with non-compliance table
+- Mobile Device Management (MDM) event logs table
-- Mobile Device Management (MDM) event logs table
+
-
+If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt.  
-If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt.  
+
-
+**Microsoft Intune error codes and OMA-URIs**:
-**Microsoft Intune error codes and OMA-URIs**:
+
-
+
-
+Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
-Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
+:---|:---|:---|:---|:---
-:---|:---|:---|:---|:---
+0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding <br> Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. <br><br> **Troubleshooting steps:** <br> Check the event IDs in the [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) section. <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
-0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding <br> Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. <br><br> **Troubleshooting steps:** <br> Check the event IDs in the [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section. <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+ | | | | Onboarding <br> Offboarding <br> SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it. <br><br> **Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection``` <br> <br> If it doesn't exist, open an elevated command and add the key.
- | | | | Onboarding <br> Offboarding <br> SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it. <br><br> **Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection``` <br> <br> If it doesn't exist, open an elevated command and add the key.
+ | | | | SenseIsRunning <br> OnboardingState <br> OrgId |  **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed. <br><br> **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine). <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
- | | | | SenseIsRunning <br> OnboardingState <br> OrgId |  **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed. <br><br> **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues). <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+ || | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms:  Enterprise, Education, and Professional. <br> Server is not supported.
- || | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms:  Enterprise, Education, and Professional. <br> Server is not supported.
+ 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient.  | All |  **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms:  Enterprise, Education, and Professional.
- 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient.  | All |  **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms:  Enterprise, Education, and Professional.
+
-
+<br>
-<br>
+**Known issues with non-compliance**
-**Known issues with non-compliance**
+
-
+The following table provides information on issues with non-compliance and how you can address the issues.
-The following table provides information on issues with non-compliance and how you can address the issues.
+
-
+Case | Symptoms | Possible cause and troubleshooting steps
-Case | Symptoms | Possible cause and troubleshooting steps
+:---|:---|:---
-:---|:---|:---
+1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already. <br><br> **Troubleshooting steps:** Wait for OOBE to complete.
-1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already. <br><br> **Troubleshooting steps:** Wait for OOBE to complete.
+2 |  Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. |  **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start. <br><br> **Troubleshooting steps:** The issue should automatically be fixed within 24 hours.
-2 |  Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. |  **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start. <br><br> **Troubleshooting steps:** The issue should automatically be fixed within 24 hours.
+3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time.
-3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time.
+
-
+<br>
-<br>
+**Mobile Device Management (MDM) event logs**
-**Mobile Device Management (MDM) event logs**
+
-
+View the MDM event logs to troubleshoot issues that might arise during onboarding:
-View the MDM event logs to troubleshoot issues that might arise during onboarding:
+
-
+Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider
-Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider
+
-
+Channel name: Admin
-Channel name: Admin
+
-
+ID | Severity | Event description | Troubleshooting steps
-ID | Severity | Event description | Troubleshooting steps
+:---|:---|:---|:---
-:---|:---|:---|:---
+1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
-1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
+
-
+## Troubleshoot onboarding issues on the machine
-## Troubleshoot onboarding issues on the machine
+If the deployment tools used does not indicate an error in the onboarding process, but machines are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
-If the deployment tools used does not indicate an error in the onboarding process, but machines are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
+- [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log)
-- [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-endpoint-event-log)
+- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled)
-- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled)
+- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
-- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
+- [Ensure the machine has an Internet connection](#ensure-the-machine-has-an-internet-connection)
-- [Ensure the machine has an Internet connection](#ensure-the-endpoint-has-an-internet-connection)
+- [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
-- [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
+
-
+
-
+### View agent onboarding errors in the machine event log
-### View agent onboarding errors in the machine event log
+
-
+1. Click **Start**, type **Event Viewer**, and press **Enter**.
-1. Click **Start**, type **Event Viewer**, and press **Enter**.
+
-
+2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**.
-2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**.
+
-
+  > [!NOTE]
-  > [!NOTE]
+	> SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
-	> SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
+
-
+3. Select **Operational** to load the log.
-3. Select **Operational** to load the log.
+
-
+4. In the **Action** pane, click **Filter Current log**.
-4. In the **Action** pane, click **Filter Current log**.
+
-
+5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**.
-5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**.
+
-
+  ![Image of Event Viewer log filter](images/filter-log.png)
-  ![Image of Event Viewer log filter](images/filter-log.png)
+
-
+6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table:
-6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table:
+
-
+Event ID | Message | Resolution steps
-Event ID | Message | Resolution steps
+:---|:---|:---
-:---|:---|:---
+5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection).
-5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the machine has Internet access](#ensure-the-endpoint-has-an-internet-connection).
+6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).
-6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).
+7 |  Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection), then run the entire onboarding process again.
-7 |  Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the machine has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
+9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). <br><br>If the event happened during offboarding, contact support.
-9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). <br><br>If the event happened during offboarding, contact support.
+10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). <br><br>If the problem persists, contact support.
-10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). <br><br>If the problem persists, contact support.
+15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection).
-15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the machine has Internet access](#ensure-the-endpoint-has-an-internet-connection).
+17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). If the problem persists, contact support.
-17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). If the problem persists, contact support.
+25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
-25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
+27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support.
-27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support.
+29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again.
-29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again.
+30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat Protection. Failure code: %1 | Contact support.
-30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat Protection. Failure code: %1 | Contact support.
+32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine.
-32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine.
+55 | Failed to create the Secure ETW autologger. Failure code: %1	| Reboot the machine.
-55 | Failed to create the Secure ETW autologger. Failure code: %1	| Reboot the machine.
+63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4	| Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type.
-63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4	| Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type.
+64 |	Starting stopped external service. Name: %1, exit code: %2 |	Contact support if the event keeps re-appearing.
-64 |	Starting stopped external service. Name: %1, exit code: %2 |	Contact support if the event keeps re-appearing.
+68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3	| Identify what is causing changes in start type. Fix mentioned service start type.
-68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3	| Identify what is causing changes in start type. Fix mentioned service start type.
+69 |	The service is stopped. Service name: %1	| Start the mentioned service. Contact support if persists.
-69 |	The service is stopped. Service name: %1	| Start the mentioned service. Contact support if persists.
+
-
+<br>
-<br>
+There are additional components on the machine that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
-There are additional components on the machine that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
+
-
+<span id="ensure-the-diagnostics-service-is-enabled" />
-<span id="ensure-the-diagnostics-service-is-enabled" />
+### Ensure the diagnostic data service is enabled
-### Ensure the diagnostic data service is enabled
+If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the machine. The service might have been disabled by other programs or user configuration changes.
-If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the machine. The service might have been disabled by other programs or user configuration changes.
+
-
+First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
-First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
+
-
+### Ensure the service is set to start
-### Ensure the service is set to start
+
-
+**Use the command line to check the Windows 10 diagnostic data service startup type**:
-**Use the command line to check the Windows 10 diagnostic data service startup type**:
+
-
+1.  Open an elevated command-line prompt on the machine:
-1.  Open an elevated command-line prompt on the machine:
+
-
+  a.  Click **Start**, type **cmd**, and press **Enter**.
-  a.  Click **Start**, type **cmd**, and press **Enter**.
+
-
+  b.  Right-click **Command prompt** and select **Run as administrator**.
-  b.  Right-click **Command prompt** and select **Run as administrator**.
+
-
+2.  Enter the following command, and press **Enter**:
-2.  Enter the following command, and press **Enter**:
+
-
+    ```text
-    ```text
+    sc qc diagtrack
-    sc qc diagtrack
+    ```
-    ```
+
-
+    If the service is enabled, then the result should look like the following screenshot:
-    If the service is enabled, then the result should look like the following screenshot:
+
-
+    ![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
-    ![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
+
-
+    If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
-    If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
+
-
+
-
+**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
-**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
+
-
+1.  Open an elevated command-line prompt on the machine:
-1.  Open an elevated command-line prompt on the machine:
+
-
+  a.  Click **Start**, type **cmd**, and press **Enter**.
-  a.  Click **Start**, type **cmd**, and press **Enter**.
+
-
+  b.  Right-click **Command prompt** and select **Run as administrator**.
-  b.  Right-click **Command prompt** and select **Run as administrator**.
+
-
+2.  Enter the following command, and press **Enter**:
-2.  Enter the following command, and press **Enter**:
+
-
+    ```text
-    ```text
+    sc config diagtrack start=auto
-    sc config diagtrack start=auto
+    ```
-    ```
+
-
+3.  A success message is displayed. Verify the change by entering the following command, and press **Enter**:
-3.  A success message is displayed. Verify the change by entering the following command, and press **Enter**:
+
-
+    ```text
-    ```text
+    sc qc diagtrack
-    sc qc diagtrack
+    ```
-    ```
+
-
+4. Start the service.
-4. Start the service.
+
-
+  a. In the command prompt, type the following command and press **Enter**:
-  a. In the command prompt, type the following command and press **Enter**:
+
-
+  ```text
-  ```text
+  sc start diagtrack
-  sc start diagtrack
+  ```
-  ```
+
-
+### Ensure the machine has an Internet connection
-### Ensure the machine has an Internet connection
+
-
+The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
-The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
+
-
+WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment.
-WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment.
+
-
+To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic.
-To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic.
+
-
+If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
-If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
+
-
+### Ensure that Windows Defender Antivirus is not disabled by a policy
-### Ensure that Windows Defender Antivirus is not disabled by a policy
+**Problem**: The Windows Defender ATP service does not start after onboarding.
-**Problem**: The Windows Defender ATP service does not start after onboarding.
+
-
+**Symptom**: Onboarding successfully completes, but you see error 577 when trying to start the service.
-**Symptom**: Onboarding successfully completes, but you see error 577 when trying to start the service.
+
-
+**Solution**: If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
-**Solution**: If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
+
-
+- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:
-- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:
+
-
+  - DisableAntiSpyware
-  - DisableAntiSpyware
+  - DisableAntiVirus
-  - DisableAntiVirus
+
-
+  For example, in Group Policy there should be no entries such as the following values:
-  For example, in Group Policy there should be no entries such as the following values:
+
-
+  - ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>```
-  - ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>```
+  - ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiVirus"/></Key>```
-  - ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiVirus"/></Key>```
+-  After clearing the policy, run the onboarding steps again.
--  After clearing the policy, run the onboarding steps again.
+
-
+- You can also check the following registry key values to verify that the policy is disabled:
-- You can also check the following registry key values to verify that the policy is disabled:
+
-
+  1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```.
-  1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```.
+  2. Ensure that the value ```DisableAntiSpyware``` is not present.
-  2. Ensure that the value ```DisableAntiSpyware``` is not present.
+
-
+    ![Image of registry key for Windows Defender Antivirus](images/atp-disableantispyware-regkey.png)
-    ![Image of registry key for Windows Defender Antivirus](images/atp-disableantispyware-regkey.png)
+
-
+
-
+## Troubleshoot onboarding issues on a server
-## Troubleshoot onboarding issues on a server
+If you encounter issues while onboarding a server, go through the following verification steps to address possible issues.
-If you encounter issues while onboarding a server, go through the following verification steps to address possible issues.
+
-
+- [Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-mma)
-- [Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-mma)
+- [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-proxy)
-- [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-proxy)
+
-
+You might also need to check the following:
-You might also need to check the following:
+- Check that there is a Windows Defender Advanced Threat Protection Service running in the **Processes** tab in **Task Manager**. For example:
-- Check that there is a Windows Defender Advanced Threat Protection Service running in the **Processes** tab in **Task Manager**. For example:
+
-
+    ![Image of process view with Windows Defender Advanced Threat Protection Service running](images/atp-task-manager.png)
-    ![Image of process view with Windows Defender Advanced Threat Protection Service running](images/atp-task-manager.png)
+
-
+- Check **Event Viewer** > **Applications and Services Logs** > **Operation Manager** to see if there are any errors.
-- Check **Event Viewer** > **Applications and Services Logs** > **Operation Manager** to see if there are any errors.
+
-
+- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example, 
-- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example, 
+
-
+    ![Image of Services](images/atp-services.png)
-    ![Image of Services](images/atp-services.png)
+
-
+- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running. 
-- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running. 
+
-
+    ![Image of Microsoft Monitoring Agent Properties](images/atp-mma-properties.png)
-    ![Image of Microsoft Monitoring Agent Properties](images/atp-mma-properties.png)
+
-
+- Check to see that machines are reflected in the **Machines list** in the portal. 
-- Check to see that machines are reflected in the **Machines list** in the portal. 
+
-
+
-
+## Licensing requirements
-## Licensing requirements
+Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
-Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
+
-
+  -	Windows 10 Enterprise E5
-  -	Windows 10 Enterprise E5
+  -	Windows 10 Education E5
-  -	Windows 10 Education E5
+  - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
-  - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
+
-
+For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
-For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
+
-
+
-
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink)
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink)
+
-
+
-
+## Related topics
-## Related topics
+- [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
-- [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
+- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
-- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
+- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+
-

windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md

@@ -24,6 +24,18 @@ Some applications, including device drivers, may be incompatible with HVCI.
 This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. 
 If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. 
 
+>[!NOTE]
+>HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*.
+
+>[!TIP]
+> "The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode (RUM).". Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book
+
+## HVCI Features
+
+* HVCI protects modification of the Code Flow Guard (CFG) bitmap.
+* HVCI also ensure your other Truslets, like Credential Guard have a valid certificate.
+* Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.
+
 ## How to turn on HVCI in Windows 10 
 
 To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options:
@@ -279,6 +291,6 @@ Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
 ### Requirements for running HVCI in Hyper-V virtual machines 
  -   The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
  -   The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. 
- -   HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. 
+ -   HVCI and [virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
  -   Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
  -   The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.

windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md

@@ -37,7 +37,7 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua
 
 ## Requirements
 
-Network protection requires Windows 10 Enterprise E3 and Windows Defender AV real-time protection.
+Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection.
 
 Windows 10 version | Windows Defender Antivirus
 - | -

windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md

@@ -36,7 +36,7 @@ There are four steps to troubleshooting these problems:
 Attack surface reduction rules will only work on devices with the following conditions:
 
 >[!div class="checklist"]
-> - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update).
+> - Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
 > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
 > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
 > - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).

windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md

@@ -60,7 +60,7 @@ This section covers requirements for each feature in Windows Defender EG.
 | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 |
 | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: |
 | Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
-| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) |
+| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
 | Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
 | Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |