diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 224abb8ddd..82a24ff791 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -524,6 +524,10 @@
"master": [
"Publish",
"Pdf"
+ ],
+ "atp-api-danm": [
+ "Publish",
+ "Pdf"
]
},
"need_generate_pdf_url_template": true,
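Review bot: The new `"atp-api-danm"` entry under the branch list reads like a personal working branch, and nothing else in this change touches ATP API content. If it was picked up from a merge rather than added on purpose, drop it from this change so only `"master"` publishes with `"Publish"` and `"Pdf"`; if it is intentional, say so in the PR description.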
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 97405d2d24..78189003c5 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -5421,6 +5421,11 @@
"redirect_document_id": true
},
{
+"source_path": "devices/surface/manage-surface-dock-firmware-updates.md",
+"redirect_url": "devices/surface/update",
+"redirect_document_id": true
+},
+{
"source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md",
"redirect_url": "/surface-hub/finishing-your-surface-hub-meeting",
"redirect_document_id": true
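Review bot: The added `"redirect_url": "devices/surface/update"` has no leading slash, while the neighbouring entry uses a rooted path (`"/surface-hub/finishing-your-surface-hub-meeting"`). A relative target can resolve against the source page's folder rather than the site root. Suggest checking the intended destination and writing it as a rooted path in the same form as the surrounding entries.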
@@ -13884,6 +13889,11 @@
"source_path": "education/windows/windows-automatic-redeployment.md",
"redirect_url": "/education/windows/autopilot-reset",
"redirect_document_id": true
+},
+{
+"source_path": "windows/privacy/manage-windows-endpoints.md",
+"redirect_url": "/windows/privacy/manage-windows-1809-endpoints",
+"redirect_document_id": true
}
]
}
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index 5e6c740970..b314f85b52 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -1,8 +1,9 @@
# [Microsoft HoloLens](index.md)
## [What's new in Microsoft HoloLens](hololens-whats-new.md)
-## [Insider preview for Microsoft HoloLens](hololens-insider.md)
## [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md)
+## [Insider preview for Microsoft HoloLens](hololens-insider.md)
## [Set up HoloLens](hololens-setup.md)
+## [Install localized version of HoloLens](hololens-install-localized.md)
## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)
## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
## [Manage updates to HoloLens](hololens-updates.md)
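Review bot: The new TOC entry reads "Install localized version of HoloLens", but the topic it links to is titled "Install localized versions of HoloLens" in both its front matter and its H1. Suggest matching the TOC text to the topic title so navigation and search results agree.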
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 8f2862fc81..1fc820a243 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -16,6 +16,10 @@ ms.date: 11/05/2018
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
+## Windows 10 Holographic for Business, version 1809
+
+The topics in this library have been updated for Windows 10 Holographic for Business, version 1809.
+
## November 2018
New or changed topic | Description
@@ -37,7 +41,7 @@ New or changed topic | Description
New or changed topic | Description
--- | ---
-[Insider preview for Microsoft HoloLens](hololens-insider.md) | New
+Insider preview for Microsoft HoloLens | New (topic retired on release of Windows 10, version 1809)
## June 2018
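Review bot: The replacement row says the Insider preview topic was "retired on release of Windows 10, version 1809", yet the same change keeps `hololens-insider.md` in TOC.md and edits the file rather than deleting it. Either reword this entry (for example, that the 1809 feature list moved to What's new) and keep the link, or actually retire the topic with a TOC removal and a redirect entry.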
diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md
index c11b07759d..3a90c8fe68 100644
--- a/devices/hololens/hololens-insider.md
+++ b/devices/hololens/hololens-insider.md
@@ -37,77 +37,11 @@ To opt out of Insider builds:
- On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**.
- Follow the instructions to opt out your device.
-## New features for HoloLens
-
-The latest Insider Preview (RS5) has arrived for all HoloLens customers! This latest flight is packed with improvements that have been introduced since the [last major release of HoloLens software in May 2018](https://docs.microsoft.com/windows/mixed-reality/release-notes-october-2018).
-### For everyone
-
-
-Feature | Details | Instructions
---- | --- | ---
-Stop video capture from the Start or quick actions menu | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) | To start recording, select **Start > Video**. To stop recording, select **Start > Stop video**.
-Project to a Miracast-enabled device | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter | On **Start**, select **Connect**. Select the device you want to project to.
-New notifications | View and respond to notification toasts on HoloLens, just like you do on a PC. | You’ll now see notifications from apps that provide them. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture).
-HoloLens overlays (file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. | When you’re using an immersive app, input text, select a file from the file picker, or interact with dialogs without leaving the app.
-Visual feedback overlay UI for volume change | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. | Adjust the device volume using the volume up/down buttons located on the right arm of the HoloLens. Use the visual display to track the volume level.
-New UI for device boot | A loading indicator was added during the boot process to provide visual feedback that the system is loading. | Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo.
-Share UX: Nearby Sharing | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. | Capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge). Select a nearby Windows device to share with.
-Share from Microsoft Edge | Share button is now available on Microsoft Edge windows on HoloLens. | In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content.
-
-### For developers
-
-- Support for Holographic [Camera Capture UI API](https://docs.microsoft.com/windows/uwp/audio-video-camera/capture-photos-and-video-with-cameracaptureui), which will let developers expose a way for users to seamlessly invoke camera or video capture from within their applications. For example, users can now capture and insert photo or video content directly within apps like Word.
-- Mixed Reality Capture has been improved to exclude hidden mesh from captures, which means videos captures by apps will no longer contain black corners around the content.
-
-### For commercial customers
-
-
-Feature | Details | Instructions
---- | --- | ---
-Enable post-setup provisioning | Can now apply a runtime provisioning package at any time using **Settings**. | On your PC:
1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md).
2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC.
3. Drag and drop the provisioning package to the Documents folder on the HoloLens.
On your HoloLens:
1. Go to **Settings > Accounts > Access work or school**.
2. In **Related Settings**, select **Add or remove a provisioning package**.
3. On the next page, select **Add a package** to launch the file picker and select your provisioning package.
**Note:** if the folder is empty, make sure you select **This Device** and select **Documents**.
After your package has been applied, it will show in the list of Installed packages. To view package details or to remove the package from the device, select the listed package.
-Assigned access with Azure AD groups | Flexibility to use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. | Prepare XML file to configure Assigned Access on PC:
1. In a text editor, open [the provided file AssignedAccessHoloLensConfiguration_AzureADGroup.xml](#xml).
2. Change the group ID to one available in your Azure AD tenant. You can find the group ID of an Azure Active Directory Group by either :
- following the steps at [Azure Active Directory version 2 cmdlets for group management](https://docs.microsoft.com/azure/active-directory/active-directory-accessmanagement-groups-settings-v2-cmdlets),
OR
- in the Azure portal, with the steps at [Manage the settings for a group in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-groups-settings-azure-portal).
**Note:** The sample configures the following apps: Skype, Learning, Feedback Hub, Flow, Camera, and Calibration.
Create provisioning package with WCD:
1. On a PC, follow the steps at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md) to create a provisioning package.
2. Ensure that you include the license file in **Set up device**.
3. Select **Switch to advanced editor** (bottom left), and **Yes** for warning prompt.
4. Expand the runtime settings selection in the **Available customizations** panel and select **AssignedAccess > MultiAppAssignedAccessSettings**.
5. In the middle panel, you should now see the setting displayed with documentation in the panel below. Browse to the XML you modified for Assigned Access.
6. On the **Export** menu, select **Provisioning package**.
**Warning:** If you encrypt the provisioning package, provisioning the HoloLens device will fail.
7. Select **Next** to specify the output location where you want the provisioning package to go once it's built.
8. Select **Next**, and then select **Build** to start building the package.
9. When the build completes, select **Finish**.
Apply the package to HoloLens:
1. Connect HoloLens via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). HoloLens will show up as a device in File Explorer on the PC.
2. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
3. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the fit page.
4. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
5. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.
Enable assigned access on HoloLens:
1. After applying the provisioning package, during the **Account Setup** flows in OOBE, select **My work or school owns this** to set up your device with an Azure AD account.
**Note:** This account must not be in the group chosen for Assigned Access.
2. Once you reach the Shell, ensure the Skype app is installed either via your MDM environment or from the Store.
3. After the Skype app is installed, sign out.
4. On the sign-in screen, select the **Other User** option and enter an Azure AD account email address that belongs to the group chosen for Assigned Access. Then enter the password to sign in. You should now see this user with only the apps configured in the Assigned Access profile.
-PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. | When signing in as **Other User**, the PIN option is now available under **Sign-In options**.
-Sign in with Web Cred Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. Look for additional web sign-in methods coming in the future. | From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in.
-Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. | Refer to your MDM documentation for feature availability, and for how to use your MDM console to view HoloLens device serial number.
-Set HoloLens device name through MDM (rename) | IT administrators can see and rename HoloLens devices in their MDM console. | Refer to your MDM documentation for feature availability, and for how to use your MDM console to view and set your HoloLens device name (rename).
-
-### For international customers
-
-
-Feature | Details | Instructions
---- | --- | ---
-Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands. | See below.
-
-#### Installing the Chinese or Japanese versions of the Insider builds
-
-In order to switch to the Chinese or Japanese version of HoloLens, you’ll need to download the build for the language on a PC and then install it on your HoloLens using the Windows Device Recovery Tool (WDRT).
-
->[!IMPORTANT]
->Installing the Chinese or Japanese builds of HoloLens using WDRT will delete existing data, like personal files and settings, from your HoloLens.
-
-1. On a retail HoloLens device, [opt in to Insider Preview builds](#get-insider) to prepare your device for the RS5 Preview.
-2. On your PC, download and install [the Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379).
-3. Download the package for the language you want to your PC: [Simplified Chinese](https://aka.ms/hololenspreviewdownload-ch) or [Japanese](https://aka.ms/hololenspreviewdownload-jp).
-4. When the download is finished, select **File Explorer > Downloads**. Right-click the zipped folder you just downloaded, and select **Extract all... > Extract** to unzip it.
-5. Connect your HoloLens to your PC using the micro-USB cable it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.)
-6. The tool will automatically detect your HoloLens. Select the Microsoft HoloLens tile.
-7. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the extension “.ffu”.)
-8. Select **Install software** and follow the instructions to finish installing.
-9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions.
-10. After you complete setup, go to **Settings -> Update & Security -> Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider. Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms. Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build.
-
-
-
-
-## Note for language support
-
-- You can’t change the system language between English, Japanese, and Chinese using the Settings app. Flashing a new build is the only supported way to change the device system language.
-- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the Shift key on a hardware keyboard toggles the keyboard to type in English).
## Note for developers
-You are welcome and encouraged to try developing your applications using this build of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with this latest build of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development.
+You are welcome and encouraged to try developing your applications using Insider builds of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with Insider builds of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development.
## Provide feedback and report issues
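Review bot: The deleted "Assigned access with Azure AD groups" row carried the only walkthrough for that feature: editing the group ID in the sample XML, building the package in the advanced editor, the warning that an encrypted package makes provisioning fail, and the note that the setup account must not be in the assigned-access group. None of the added lines in hololens-kiosk.md or hololens-whats-new.md in this change re-home those steps, and the new What's new row is a single sentence with no link. Suggest moving the procedure and the sample XML into hololens-kiosk.md and linking to it from the What's new row.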
@@ -116,75 +50,3 @@ Please use [the Feedback Hub app](https://docs.microsoft.com/windows/mixed-reali
>[!NOTE]
>Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted).
-
-## AssignedAccessHoloLensConfiguration_AzureADGroup.xml
-
-Copy this sample XML to use for the [**Assigned access with Azure AD groups** feature](#for-commercial-customers).
-
-```xml
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ]]>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
diff --git a/devices/hololens/hololens-install-localized.md b/devices/hololens/hololens-install-localized.md
new file mode 100644
index 0000000000..8e5a72150a
--- /dev/null
+++ b/devices/hololens/hololens-install-localized.md
@@ -0,0 +1,35 @@
+---
+title: Install localized versions of HoloLens (HoloLens)
+description: Learn how to install the Chinese or Japanese versions of HoloLens
+ms.prod: hololens
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 11/13/2018
+---
+
+# Install localized versions of HoloLens
+
+In order to switch to the Chinese or Japanese version of HoloLens, you’ll need to download the build for the language on a PC and then install it on your HoloLens using the Windows Device Recovery Tool (WDRT).
+
+>[!IMPORTANT]
+>Installing the Chinese or Japanese builds of HoloLens using WDRT will delete existing data, like personal files and settings, from your HoloLens.
+
+
+2. On your PC, download and install [the Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379).
+3. Download the package for the language you want to your PC: [Simplified Chinese](https://aka.ms/hololensdownload-ch) or [Japanese](https://aka.ms/hololensdownload-jp).
+4. When the download is finished, select **File Explorer > Downloads**. Right-click the zipped folder you just downloaded, and select **Extract all... > Extract** to unzip it.
+5. Connect your HoloLens to your PC using the micro-USB cable it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.)
+6. The tool will automatically detect your HoloLens. Select the Microsoft HoloLens tile.
+7. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the extension “.ffu”.)
+8. Select **Install software** and follow the instructions to finish installing.
+9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions.
+
+
+## Note for language support
+
+- You can’t change the system language between English, Japanese, and Chinese using the Settings app. Flashing a new build is the only supported way to change the device system language.
+- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the ~ key on a hardware keyboard toggles the keyboard to type in English).
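Review bot: The numbered list in the new topic starts at "2." because the old first step (opting in to Insider Preview builds) was dropped and an empty line left in its place. Renumber the steps from 1 and update the cross-reference in the manual package selection step, which still says "the folder you unzipped in step 4". Also confirm the change from the Shift key to the ~ key in the last bullet is deliberate, since the text it was moved from said Shift.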
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index 8f05c5e15c..c888927596 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -7,7 +7,7 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
-ms.date: 08/14/2018
+ms.date: 11/13/2018
---
# Set up HoloLens in kiosk mode
@@ -20,7 +20,17 @@ When HoloLens is configured as a multi-app kiosk, only the allowed apps are avai
Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the bloom gesture and Cortana are disabled, and placed apps aren't shown in the user's surroundings.
-The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration.
+The following table lists the device capabilities in the different kiosk modes.
+
+Kiosk mode | Voice and Bloom commands | Quick actions menu | Camera and video | Miracast
+--- | --- | --- | --- | ---
+Single-app kiosk |  |  |  | 
+Multi-app kiosk |  |  with **Home** and **Volume** (default)
Photo and video buttons shown in Quick actions menu if the Camera app is enabled in the kiosk configuration.
Miracast is shown if the Camera app and device picker app are enabled in the kiosk configuration. |  if the Camera app is enabled in the kiosk configuration. |  if the Camera app and device picker app are enabled in the kiosk configuration.
+
+>[!NOTE]
+>Use the Application User Model ID (AUMID) to allow apps in your kiosk configuration. The Camera app AUMID is `HoloCamera_cw5n1h2txyewy!HoloCamera`. The device picker app AUMID is `HoloDevicesFlow_cw5n1h2txyewy!HoloDevicesFlow`.
+
+The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration.
>[!WARNING]
>The assigned access feature which enables kiosk mode is intended for corporate-owned fixed-purpose devices. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all [the enforced policies](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#policies-set-by-multi-app-kiosk-configuration). A factory reset is needed to clear all the policies enforced via assigned access.
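Review bot: In the new capabilities table, the Single-app kiosk row and the first Multi-app kiosk cell carry no text, so the supported or unsupported state is not readable from the Markdown itself. If those cells are icons, give each one alt text or add a plain "Yes" / "No" value next to it. The Multi-app row also spreads one cell over several lines; a pipe table row has to stay on one line, so use inline line breaks inside the cell instead.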
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index c1a90edadb..00a7436e23 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -7,7 +7,7 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/30/2018
+ms.date: 11/13/2018
---
# Configure HoloLens using a provisioning package
@@ -49,8 +49,7 @@ Provisioning packages can include management instructions and policies, customiz
> [!TIP]
> Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
->
->
+
### Create the provisioning package
@@ -77,8 +76,8 @@ Use the Windows Configuration Designer tool to create a provisioning package.
 Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network. |  |
 You can enroll the device in Azure Active Directory, or create a local account on the deviceBefore you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions. To create a local account, select that option and enter a user name and password. **Important:** (For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. |  |
 To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used. |  |
-Toggle **Yes** or **No** to enable Developer Mode on the HoloLens. [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) |  |
-Do not set a password to protect your provisioning package. If the provisioning package is protected by a password, provisioning the HoloLens device will fail. |  |
+ Toggle **Yes** or **No** to enable Developer Mode on the HoloLens. [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) |  |
+ Do not set a password to protect your provisioning package. If the provisioning package is protected by a password, provisioning the HoloLens device will fail. |  |
After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
@@ -137,7 +136,7 @@ After you're done, click **Create**. It only takes a few seconds. When the packa
10. When the build completes, click **Finish**.
-## Apply a provisioning package to HoloLens
+## Apply a provisioning package to HoloLens during setup
1. Connect the device via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box).
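Review bot: Renaming the heading to "Apply a provisioning package to HoloLens during setup" changes its generated anchor, so any existing link to the old `#apply-a-provisioning-package-to-hololens` bookmark will land at the top of the page. Suggest searching the repo for that anchor and updating the links in this same change.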
@@ -156,6 +155,23 @@ After you're done, click **Create**. It only takes a few seconds. When the packa
>[!NOTE]
>If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package.
+## Apply a provisioning package to HoloLens after setup
+
+>[!NOTE]
+>Windows 10, version 1809 only
+
+On your PC:
+1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md).
+2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC.
+3. Drag and drop the provisioning package to the Documents folder on the HoloLens.
+
+On your HoloLens:
+1. Go to **Settings > Accounts > Access work or school**.
+2. In **Related Settings**, select **Add or remove a provisioning package**.
+3. On the next page, select **Add a package** to launch the file picker and select your provisioning package. If the folder is empty, make sure you select **This Device** and select **Documents**.
+
+After your package has been applied, it will show in the list of **Installed packages**. To view package details or to remove the package from the device, select the listed package.
+
## What you can configure
Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
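Review bot: Step 1 of the new "after setup" section links to `hololens-provisioning.md`, which is the file this section lives in, so the link only reloads the current page. Point it at the in-page anchor for the wizard section instead. The note "Windows 10, version 1809 only" would also read better as a full sentence stating that the procedure requires that version.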
diff --git a/devices/hololens/hololens-whats-new.md b/devices/hololens/hololens-whats-new.md
index 75556a83db..4648c8b5d9 100644
--- a/devices/hololens/hololens-whats-new.md
+++ b/devices/hololens/hololens-whats-new.md
@@ -1,18 +1,60 @@
---
title: What's new in Microsoft HoloLens (HoloLens)
-description: Windows Holographic for Business gets new features in Windows 10, version 1803.
+description: Windows Holographic for Business gets new features in Windows 10, version 1809.
ms.prod: hololens
ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/30/2018
+ms.date: 11/13/2018
---
# What's new in Microsoft HoloLens
+## Windows 10, version 1809 for Microsoft HoloLens
+### For everyone
+
+Feature | Details
+--- | ---
+Quick actions menu | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app. See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.

+Stop video capture from the Start or quick actions menu | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.)
+Project to a Miracast-enabled device | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode.
+New notifications | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture).
+HoloLens overlays (file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps.
+Visual feedback overlay UI for volume change | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level.
+New UI for device boot | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo.
+Share UX: Nearby Sharing | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with.
+Share from Microsoft Edge | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content.
+
+
+
+### For administrators
+
+
+Feature | Details
+--- | ---
+[Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**.
+Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration.
+PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. | When signing in as **Other User**, the PIN option is now available under **Sign-In options**.
+Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in.
+Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions.
+Set HoloLens device name through MDM (rename) | IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions.
+
+### For international customers
+
+
+Feature | Details
+--- | ---
+Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands.
+Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English.
+
+[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens-install-localized.md)
+
+
+
+## Windows 10, version 1803 for Microsoft HoloLens
Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:
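Review bot: In the "For administrators" table, the row "PIN sign-in on profile switch from sign-in screen" contains two `|` separators, so it produces three cells under a two-column header (`Feature | Details`). The third cell ("When signing in as **Other User**, the PIN option is now available under **Sign-In options**.") will be dropped or misaligned by most Markdown renderers. Merge both sentences into the single Details cell. Separately, the first row of that table is the only one whose feature name is a link; either link the others to their topics or state that no separate topic exists, so readers do not assume the links are missing by mistake.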
diff --git a/devices/hololens/images/account-management-details.png b/devices/hololens/images/account-management-details.png
index 4094dabd85..20816830a4 100644
Binary files a/devices/hololens/images/account-management-details.png and b/devices/hololens/images/account-management-details.png differ
diff --git a/devices/hololens/images/account-management.PNG b/devices/hololens/images/account-management.PNG
index 34165dfcd6..da53cb74b8 100644
Binary files a/devices/hololens/images/account-management.PNG and b/devices/hololens/images/account-management.PNG differ
diff --git a/devices/hololens/images/add-certificates.PNG b/devices/hololens/images/add-certificates.PNG
index 24cb605d1c..7a16dffd26 100644
Binary files a/devices/hololens/images/add-certificates.PNG and b/devices/hololens/images/add-certificates.PNG differ
diff --git a/devices/hololens/images/developer-setup-details.png b/devices/hololens/images/developer-setup-details.png
index 0a32af7ba7..d445bf5759 100644
Binary files a/devices/hololens/images/developer-setup-details.png and b/devices/hololens/images/developer-setup-details.png differ
diff --git a/devices/hololens/images/developer-setup.png b/devices/hololens/images/developer-setup.png
index 826fda5f25..a7e49873b0 100644
Binary files a/devices/hololens/images/developer-setup.png and b/devices/hololens/images/developer-setup.png differ
diff --git a/devices/hololens/images/finish.PNG b/devices/hololens/images/finish.PNG
index 7c65da1799..975caba764 100644
Binary files a/devices/hololens/images/finish.PNG and b/devices/hololens/images/finish.PNG differ
diff --git a/devices/hololens/images/set-up-device-details.PNG b/devices/hololens/images/set-up-device-details.PNG
index 85b7dd382e..7325e06e86 100644
Binary files a/devices/hololens/images/set-up-device-details.PNG and b/devices/hololens/images/set-up-device-details.PNG differ
diff --git a/devices/hololens/images/set-up-device.PNG b/devices/hololens/images/set-up-device.PNG
index 0c9eb0e3ff..577117a26a 100644
Binary files a/devices/hololens/images/set-up-device.PNG and b/devices/hololens/images/set-up-device.PNG differ
diff --git a/devices/hololens/images/set-up-network.PNG b/devices/hololens/images/set-up-network.PNG
index a0e856c103..19fd3ff7bb 100644
Binary files a/devices/hololens/images/set-up-network.PNG and b/devices/hololens/images/set-up-network.PNG differ
diff --git a/devices/hololens/index.md b/devices/hololens/index.md
index 2f5741df7e..9b7ed69845 100644
--- a/devices/hololens/index.md
+++ b/devices/hololens/index.md
@@ -22,9 +22,9 @@ ms.date: 07/27/2018
| Topic | Description |
| --- | --- |
| [What's new in Microsoft HoloLens](hololens-whats-new.md) | Discover the new features in the latest update. |
-[Insider preview for Microsoft HoloLens](hololens-insider.md) | Learn about new HoloLens features available in the latest Insider Preview build.
| [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management |
| [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time |
+[Install localized version of HoloLens](hololens-install-localized.md) | Install the Chinese or Japanese version of HoloLens
| [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business |
| [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft Intune |
| [Manage updates to HoloLens](hololens-updates.md) | Use mobile device management (MDM) policies to configure settings for updates. |
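Review bot: The added row for hololens-install-localized.md has no leading or trailing `|`, while every unchanged row in this table is written as `| topic | description |`. The removed Insider preview row had the same inconsistency, so this is a chance to fix it rather than carry it forward: write the new row as `| [Install localized version of HoloLens](hololens-install-localized.md) | Install the Chinese or Japanese version of HoloLens |`. Also confirm that dropping the Insider preview row from this index is intended, since the hunk removes it without replacement.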
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index e68eb9a565..3f99c917af 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -14,7 +14,6 @@
## [Surface firmware and driver updates](update.md)
### [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
-### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
### [Surface Dock Updater](surface-dock-updater.md)
### [Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md)
## [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md)
@@ -26,6 +25,9 @@
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
+## [Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md)
+### [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
+### [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
## [Surface Data Eraser](microsoft-surface-data-eraser.md)
## [Top support solutions for Surface devices](support-solutions-surface.md)
## [Change history for Surface documentation](change-history-for-surface.md)
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index 0e0ff5dcc7..5c34d22900 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -7,13 +7,22 @@ ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.topic: article
-ms.date: 10/15/2018
+ms.date: 11/15/2018
---
# Change history for Surface documentation
This topic lists new and updated topics in the Surface documentation library.
+## November 2018
+
+New or changed topic | Description
+--- | ---
+|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Pro 6 |
+[Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) | New
+[Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) | New
+[Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) | New
+
## October 2018
New or changed topic | Description
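Review bot: The November 2018 table mixes two row styles: the first row is wrapped in `|` on both ends and the three Surface Diagnostic Toolkit rows are not. Use one style throughout so the table renders the same everywhere. The table also lists only new and updated topics, but this same change deletes manage-surface-dock-firmware-updates.md; add a row recording that the topic was removed and where readers should go instead, so the change history matches what the commit does.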
diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
index 116df9446d..84f48dfd07 100644
--- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: brecords
-ms.date: 10/15/2018
+ms.date: 11/15/2018
ms.author: jdecker
ms.topic: article
---
@@ -67,8 +67,15 @@ Download the following updates for [Surface Pro (Model 1796) from the Microsoft
Download the following updates for [Surface Pro with LTE Advanced from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56278).
+
* SurfacePro_LTE_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
+## Surface Pro 6
+
+Download the following updates for [Surface Pro 6 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=57514).
+
+* SurfacePro6_Win10_17134_xxxxx_xxxxxx.msi
+
## Surface Studio
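Review bot: The new Surface Pro 6 bullet gives only the file name, while the Surface Pro with LTE Advanced bullet directly above it explains what the file is ("Cumulative firmware and driver update package for Windows 10"). Add the same description to `SurfacePro6_Win10_17134_xxxxx_xxxxxx.msi`, and say what the `17134` segment means, because the LTE file name pattern has no such segment and an administrator picking a package needs to know whether it ties the MSI to a specific Windows 10 build. The added blank `+` line after the LTE download sentence looks unintentional.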
diff --git a/devices/surface/images/sdt-1.png b/devices/surface/images/sdt-1.png
new file mode 100644
index 0000000000..fb10753608
Binary files /dev/null and b/devices/surface/images/sdt-1.png differ
diff --git a/devices/surface/images/sdt-2.png b/devices/surface/images/sdt-2.png
new file mode 100644
index 0000000000..be951967f0
Binary files /dev/null and b/devices/surface/images/sdt-2.png differ
diff --git a/devices/surface/images/sdt-3.png b/devices/surface/images/sdt-3.png
new file mode 100644
index 0000000000..0d3077cc1b
Binary files /dev/null and b/devices/surface/images/sdt-3.png differ
diff --git a/devices/surface/images/sdt-4.png b/devices/surface/images/sdt-4.png
new file mode 100644
index 0000000000..babddbb240
Binary files /dev/null and b/devices/surface/images/sdt-4.png differ
diff --git a/devices/surface/images/sdt-5.png b/devices/surface/images/sdt-5.png
new file mode 100644
index 0000000000..5c5346d93a
Binary files /dev/null and b/devices/surface/images/sdt-5.png differ
diff --git a/devices/surface/images/sdt-6.png b/devices/surface/images/sdt-6.png
new file mode 100644
index 0000000000..acf8e684b3
Binary files /dev/null and b/devices/surface/images/sdt-6.png differ
diff --git a/devices/surface/images/sdt-7.png b/devices/surface/images/sdt-7.png
new file mode 100644
index 0000000000..5e16961c6b
Binary files /dev/null and b/devices/surface/images/sdt-7.png differ
diff --git a/devices/surface/images/sdt-desk-1.png b/devices/surface/images/sdt-desk-1.png
new file mode 100644
index 0000000000..f1ecc03b30
Binary files /dev/null and b/devices/surface/images/sdt-desk-1.png differ
diff --git a/devices/surface/images/sdt-desk-2.png b/devices/surface/images/sdt-desk-2.png
new file mode 100644
index 0000000000..3d066cb3e5
Binary files /dev/null and b/devices/surface/images/sdt-desk-2.png differ
diff --git a/devices/surface/images/sdt-desk-3.png b/devices/surface/images/sdt-desk-3.png
new file mode 100644
index 0000000000..bbd9709300
Binary files /dev/null and b/devices/surface/images/sdt-desk-3.png differ
diff --git a/devices/surface/images/sdt-desk-4.png b/devices/surface/images/sdt-desk-4.png
new file mode 100644
index 0000000000..f533646605
Binary files /dev/null and b/devices/surface/images/sdt-desk-4.png differ
diff --git a/devices/surface/images/sdt-desk-5.png b/devices/surface/images/sdt-desk-5.png
new file mode 100644
index 0000000000..664828762e
Binary files /dev/null and b/devices/surface/images/sdt-desk-5.png differ
diff --git a/devices/surface/images/sdt-desk-6.png b/devices/surface/images/sdt-desk-6.png
new file mode 100644
index 0000000000..1b9ce9f7e2
Binary files /dev/null and b/devices/surface/images/sdt-desk-6.png differ
diff --git a/devices/surface/manage-surface-dock-firmware-updates.md b/devices/surface/manage-surface-dock-firmware-updates.md
deleted file mode 100644
index 45bf61629f..0000000000
--- a/devices/surface/manage-surface-dock-firmware-updates.md
+++ /dev/null
@@ -1,124 +0,0 @@
----
-title: Manage Surface Dock firmware updates (Surface)
-description: Read about the different methods you can use to manage the process of Surface Dock firmware updates.
-ms.assetid: 86DFC0C0-C842-4CD1-A2D7-4425471FFE3F
-ms.localizationpriority: medium
-keywords: firmware, update, install, drivers
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.pagetype: surface, devices
-ms.sitesec: library
-author: jobotto
-ms.author: jdecker
-ms.topic: article
-ms.date: 07/27/2017
----
-
-# Manage Surface Dock firmware updates
-
-
-Read about the different methods you can use to manage the process of Surface Dock firmware updates.
-
-The Surface Dock provides external connectivity to Surface devices through a single cable connection that includes Power, Ethernet, Audio, USB 3.0, and DisplayPort. The numerous connections provided by the Surface Dock are enabled by a smart chipset within the Surface Dock device. Like a Surface device’s chipset, the chipset that is built into the Surface Dock is controlled by firmware. For more information about the Surface Dock, see the [Surface Dock demonstration](https://technet.microsoft.com/mt697552) video.
-
-Like the firmware for Surface devices, firmware for Surface Dock is also contained within a downloaded driver that is visible in Device Manager. This driver stages the firmware update files on the Surface device. When a Surface Dock is connected and the driver is loaded, the newer version of the firmware staged by the driver is detected and firmware files are copied to the Surface Dock. The Surface Dock then begins a two-phase process to apply the firmware internally. Each phase requires the Surface Dock to be disconnected from the Surface device before the firmware is applied. The driver copies the firmware into the dock, but only applies it when the user disconnects the Surface device from the Surface Dock. This ensures that there are no disruptions because the firmware is only applied when the user leaves their desk with the device.
-
-
->[!NOTE]
->You can learn more about the firmware update process for Surface devices and how firmware is updated through driver installation at the following links:
->- [How to manage and update Surface drivers and firmware](https://technet.microsoft.com/mt697551) from Microsoft Mechanics
->- [Windows Update Makes Surface Better](https://go.microsoft.com/fwlink/p/?LinkId=785354) on the Microsoft Devices Blog
-
-
-
-
-The Surface Dock firmware update process shown in Figure 1 follows these steps:
-
-1. Drivers for Surface Dock are installed on Surface devices that are connected, or have been previously connected, to a Surface Dock.
-
-2. The drivers for Surface Dock are loaded when a Surface Dock is connected to the Surface device.
-
-3. The firmware version installed in the Surface Dock is compared with the firmware version staged by the Surface Dock driver.
-
-4. If the firmware version on the Surface Dock is older than the firmware version contained in the Surface Dock driver, the main chipset firmware update files are copied from the driver to the Surface Dock.
-
-5. When the Surface Dock is disconnected, the Surface Dock installs the firmware update to the main chipset.
-
-6. When the Surface Dock is connected again, the main chipset firmware is verified against the firmware present in the Surface Dock driver.
-
-7. If the firmware update for the main chipset is installed successfully, the Surface Dock driver copies the firmware update for the DisplayPort.
-
-8. When the Surface Dock is disconnected for a second time, the Surface dock installs the firmware update to the DisplayPort chipset. This process takes up to 3 minutes to apply.
-
-
-
-*1- Driver installation can be performed by Windows Update, manual installation, or automatically downloaded with Microsoft Surface Dock Updater*
-
-*2 - The Surface Dock firmware installation process takes approximately 3 minutes*
-
-Figure 1. The Surface Dock firmware update process
-
-If the firmware installation process is interrupted (for example, if power is disconnected from the Surface Dock during firmware installation), the Surface Dock will automatically revert to the prior firmware without disruption to the user, and the update process will restart the next time the Surface Dock is disconnected. For most users this update process should be entirely transparent.
-
-## Methods for updating Surface Dock firmware
-
-
-There are three methods you can use to update the firmware of the Surface Dock:
-
-- [Automatic installation of drivers with Windows Update](#automatic-installation)
-
-- [Deployment of drivers downloaded from the Microsoft Download Center](#deployment-dlc)
-
-- [Manually update with Microsoft Surface Dock Updater](#manual-updater)
-
-## Automatic installation with Windows Update
-
-
-Windows Update is the method that most users will use. The drivers for the Surface Dock are downloaded automatically from Windows Update and the dock update process is initiated without additional user interaction. The two-phase dock update process described earlier occurs in the background as the user connects and disconnects the Surface Dock during normal use.
-
->[!NOTE]
->The driver version that is displayed in Device Manager may be different from the firmware version that the Surface Dock is using.
-
-
-
-## Deployment of drivers downloaded from the Microsoft Download Center
-
-
-This method is used mostly in environments where Surface device drivers and firmware are managed separately from Windows Update. See [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) for more information about the different methods to manage Surface device driver and firmware updates. Updating the Surface Dock firmware through this method involves downloading and deploying an MSI package to the Surface device that contains the updated Surface Dock drivers and firmware. This is the same method recommended for updating all other Surface drivers and firmware. The two-phase firmware update process occurs in the background each time the Surface Dock is disconnected, just like it does with the Windows Update method.
-
-For more information about how to deploy MSI packages see [Create and deploy an application with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/get-started/create-and-deploy-an-application).
-
->[!NOTE]
->When drivers are installed through Windows Update or the MSI package, registry keys are added that indicate the version of firmware installed on the Surface Dock and contained within the Surface Dock driver. These registry keys can be found in:
-> **HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WUDF\\Services\\SurfaceDockFwUpdate\\Parameters**
-
-Firmware status is displayed for both the main chipset (displayed as **Component10**) and the DisplayPort chipset (displayed as **Component20**). For each chipset there are four keys, where *xx* is **10** or **20** corresponding to each chipset:
-
-- **Component*xx*CurrentFwVersion** – This key displays the version of firmware that is installed on the currently connected or most recently connected Surface Dock.
-
-- **Component*xx*OfferFwVersion** – This key displays the version of firmware staged by the Surface Dock driver.
-
-- **Component*xx*FirmwareUpdateStatus** – This key displays the stage of the Surface Dock firmware update process.
-
-- **Component*xx*FirmwareUpdateStatusRejectReason** – This key changes as the firmware update is processed. It should result in 0 after the successful installation of Surface Dock firmware.
-
->[!NOTE]
->These registry keys are not present unless you have installed updated Surface Dock drivers through Windows Update or MSI deployment.
-
-
-
-## Manually update with Microsoft Surface Dock Updater
-
-
-The manual method using the Microsoft Surface Dock Updater tool to update the Surface Dock is used mostly in environments where IT prepares Surface Docks prior to delivery to the end user, or for troubleshooting of a Surface Dock. Microsoft Surface Dock Updater is a tool that you can run from any Surface device that is compatible with the Surface Dock, and will walk you through the process of performing the Surface Dock firmware update in the least possible amount of time. You can also use this tool to verify the firmware status of a connected Surface Dock.
-
-For more information about how to use the Microsoft Surface Dock Updater tool, please see [Microsoft Surface Dock Updater](surface-dock-updater.md). You can download the Microsoft Surface Dock Updater tool from the [Surface Tools for IT page](https://www.microsoft.com/download/details.aspx?id=46703) on the Microsoft Download Center.
-
-
-
-
-
-
-
-
-
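Review bot: This deletion drops the section that documents the `SurfaceDockFwUpdate\Parameters` registry location and the `Component10` / `Component20` values (`CurrentFwVersion`, `OfferFwVersion`, `FirmwareUpdateStatus`, `FirmwareUpdateStatusRejectReason`), which is what an administrator uses to confirm which dock firmware is actually installed and whether an update was rejected. None of the pages added in the visible part of this change carries that material over. Before removing the file, move that section (and the note that the Device Manager driver version can differ from the dock's firmware version) into surface-dock-updater.md or the firmware update landing page. Inbound links to the `#automatic-installation`, `#deployment-dlc` and `#manual-updater` anchors will also stop resolving once the page is gone.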
diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md
new file mode 100644
index 0000000000..5d59e6aa14
--- /dev/null
+++ b/devices/surface/surface-diagnostic-toolkit-business.md
@@ -0,0 +1,165 @@
+---
+title: Surface Diagnostic Toolkit for Business
+description: This topic explains how to use the Surface Diagnostic Toolkit for Business.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.date: 11/15/2018
+---
+
+# Surface Diagnostic Toolkit for Business
+
+The Microsoft Surface Diagnostic Toolkit for Business (SDT) enables IT administrators to quickly investigate, troubleshoot, and resolve hardware, software, and firmware issues with Surface devices. You can run a range of diagnostic tests and software repairs in addition to obtaining device health insights and guidance for resolving issues.
+
+Specifically, SDT for Business enables you to:
+
+- [Customize the package.](#create-custom-sdt)
+- [Run the app using commands.](surface-diagnostic-toolkit-command-line.md)
+- [Run multiple hardware tests to troubleshoot issues.](surface-diagnostic-toolkit-desktop-mode.md#multiple)
+- [Generate logs for analyzing issues.](surface-diagnostic-toolkit-desktop-mode.md#logs)
+- [Obtain detailed report comparing device vs optimal configuration.](surface-diagnostic-toolkit-desktop-mode.md#detailed-report)
+
+
+## Primary scenarios and download resources
+
+To run SDT for Business, download the components listed in the following table.
+
+>[!NOTE]
+>In contrast to the way you typically install MSI packages, the SDT distributable MSI package can only be created by running Windows Installer (MSI.exe) at a command prompt and setting the custom flag `ADMINMODE = 1`. For details, see [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md).
+
+Mode | Primary scenarios | Download | Learn more
+--- | --- | --- | ---
+Desktop mode | Assist users in running SDT on their Surface devices to troubleshoot issues.
Create a custom package to deploy on one or more Surface devices allowing users to select specific logs to collect and analyze. | SDT distributable MSI package
Microsoft Surface Diagnostic Toolkit for Business Installer.MSI
[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Use Surface Diagnostic Toolkit in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
+Command line | Directly troubleshoot Surface devices remotely without user interaction, using standard tools such as Configuration Manager. It includes the following commands:
`-DataCollector` collects all log files
`-bpa` runs health diagnostics using Best Practice Analyzer.
`-windowsupdate` checks Windows update for missing firmware or driver updates.
**Note:** Support for the ability to confirm warranty information will be available via the command `-warranty` | SDT console app
Microsoft Surface Diagnostics App Console.exe
[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md)
+
+## Supported devices
+
+SDT for Business is supported on Surface 3 and later devices, including:
+
+- Surface Pro 6
+- Surface Laptop 2
+- Surface Go
+- Surface Go with LTE
+- Surface Book 2
+- Surface Pro with LTE Advanced (Model 1807)
+- Surface Pro (Model 1796)
+- Surface Laptop
+- Surface Studio
+- Surface Studio 2
+- Surface Book
+- Surface Pro 4
+- Surface 3 LTE
+- Surface 3
+- Surface Pro 3
+
+## Installing Surface Diagnostic Toolkit for Business
+
+To create an SDT package that you can distribute to users in your organization, you first need to install SDT at a command prompt and set a custom flag to install the tool in admin mode. SDT contains the following install option flags:
+
+- `SENDTELEMETRY` sends telemetry data to Microsoft. The flag accepts `0` for disabled or `1` for enabled. The default value is `1` to send telemetry.
+- `ADMINMODE` configures the tool to be installed in admin mode. The flag accepts `0` for Business client mode or `1` for Business Administrator mode. The default value is `0`.
+
+**To install SDT in ADMINMODE:**
+
+1. Sign into your Surface device using the Administrator account.
+2. Download SDT Windows Installer Package (.msi) from the [Surface Tools for IT download page](https://www.microsoft.com/download/details.aspx?id=46703) and copy it to a preferred location on your Surface device, such as Desktop.
+3. Open a command prompt and enter:
+
+ ```
+ msiexec.exe /i ADMINMODE=1.
+ ```
+ **Example:**
+
+ ```
+ C:\Users\Administrator> msiexec.exe/I"C:\Users\Administrator\Desktop\Microsoft_Surface_Diagnostic_Toolkit_for_Business_Installer.msi" ADMINMODE=1
+ ```
+
+4. The SDT setup wizard appears, as shown in figure 1. Click **Next**.
+
+ >[!NOTE]
+ >If the setup wizard does not appear, ensure that you are signed into the Administrator account on your computer.
+
+ 
+
+ *Figure 1. Surface Diagnostic Toolkit setup wizard*
+
+5. When the SDT setup wizard appears, click **Next**, accept the End User License Agreement (EULA), and select a location to install the package.
+
+6. Click **Next** and then click **Install**.
+
+## Locating SDT on your Surface device
+
+Both SDT and the SDT app console are installed at `C:\Program Files\Microsoft\Surface\Microsoft Surface Diagnostic Toolkit for Business`.
+
+In addition to the .exe file, SDT installs a JSON file and an admin.dll file (modules\admin.dll), as shown in figure 2.
+
+
+
+*Figure 2. Files installed by SDT*
+
+
+## Preparing the SDT package for distribution
+
+Creating a custom package allows you to target the tool to specific known issues.
+
+1. Click **Start > Run**, enter **Surface** and then click **Surface Diagnostic Toolkit for Business**.
+2. When the tool opens, click **Create Custom Package**, as shown in figure 3.
+
+ 
+
+ *Figure 3. Create custom package*
+
+### Language and telemetry page
+
+
+When you start creating the custom package, you’re asked whether you agree to send data to Microsoft to help improve the application. For more information,see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). Sharing is on by default, so uncheck the box if you wish to decline.
+
+>[!NOTE]
+>This setting is limited to only sharing data generated while running packages.
+
+
+
+*Figure 4. Select language and telemetry settings*
+
+### Windows Update page
+
+Select the option appropriate for your organization. Most organizations with multiple users will typically select to receive updates via Windows Server Update Services (WSUS), as shown in figure 5. If using local Windows update packages or WSUS, enter the path as appropriate.
+
+
+
+*Figure 5. Windows Update option*
+
+### Software repair page
+
+This allows you to select or remove the option to run software repair updates.
+
+
+
+*Figure 6. Software repair option*
+
+### Collecting logs and saving package page
+
+You can select to run a wide range of logs across applications, drivers, hardware, and the operating system. Click the appropriate area and select from the menu of available logs. You can then save the package to a software distribution point or equivalent location that users can access.
+
+
+
+*Figure 7. Log option and save package*
+
+## Next steps
+
+- [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
+- [Use Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
+
+
+
+
+
+
+
+
+
+
+
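Review bot: The install command in step 3 cannot be run as written: `msiexec.exe /i ADMINMODE=1.` has no package path between `/i` and the property, and the trailing period would be read as part of the value. Show a placeholder for the MSI path and drop the period. The example under it has no spaces in `msiexec.exe/I"C:\...` and should read `msiexec.exe /i "C:\...\Microsoft_Surface_Diagnostic_Toolkit_for_Business_Installer.msi" ADMINMODE=1`. The earlier note also names the installer "MSI.exe" and writes the flag as `ADMINMODE = 1` with spaces; use `msiexec.exe` and `ADMINMODE=1` consistently. Other points in this file: steps 4 and 5 both begin with the setup wizard appearing and clicking **Next**, so one of them is redundant; `SENDTELEMETRY` defaults to `1` but no example shows how to install with it set to `0`, which is the case privacy-conscious administrators will look for; the file names differ between the table ("Microsoft Surface Diagnostic Toolkit for Business Installer.MSI", "Microsoft Surface Diagnostics App Console.exe") and the command examples; "information,see" is missing a space; the second "Next steps" link says "Use ... using commands" while the topic is titled "Run ..."; and the file ends with ten empty lines.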
diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md
new file mode 100644
index 0000000000..24e4b2011d
--- /dev/null
+++ b/devices/surface/surface-diagnostic-toolkit-command-line.md
@@ -0,0 +1,143 @@
+---
+title: Run Surface Diagnostic Toolkit for Business using commands
+description: How to run Surface Diagnostic Toolkit in a command console
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.date: 11/15/2018
+---
+
+# Run Surface Diagnostic Toolkit for Business using commands
+
+Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features.
+
+>[!NOTE]
+>To run SDT using commands, you must be signed in to the Administrator account or signed in to an account that is a member of the Administrator group on your Surface device.
+
+## Running SDT app console
+
+Download and install SDT app console from the [Surface Tools for IT download page](https://www.microsoft.com/download/details.aspx?id=46703). You can use the Windows command prompt (cmd.exe) or Windows PowerShell to:
+
+- Collect all log files.
+- Run health diagnostics using Best Practice Analyzer.
+- Check update for missing firmware or driver updates.
+
+By default, output files are saved to C:\Administrator\user. Refer to the following table for a complete list of commands.
+
+Command | Notes
+--- | ---
+-DataCollector "output file" | Collects system details into a zip file. "output file" is the file path to create system details zip file.
**Example**:
`Microsoft.Surface.Diagnostics.App.Console.exe -DataCollector SDT_DataCollection.zip`
+-bpa "output file" | Checks several settings and health indicators in the device. “output file" is the file path to create the HTML report.
**Example**:
`Microsoft.Surface.Diagnostics.App.Console.exe -bpa BPA.html`
+-windowsupdate | Checks Windows Update online servers for missing firmware and/or driver updates.
**Example**:
Microsoft.Surface.Diagnostics.App.Console.exe -windowsupdate
+
+>[!NOTE]
+>To run the SDT app console remotely on target devices, you can use a configuration management tool such as System Center Configuration Manager. Alternatively, you can create a .zip file containing the console app and appropriate console commands and deploy per your organization’s software distribution processes.
+
+## Running Best Practice Analyzer
+
+You can run BPA tests across key components such as BitLocker, Secure Boot, and Trusted Platform Module (TPM) and then output the results to a shareable file. The tool generates a series of tables with color-coded headings and condition descriptors along with guidance about how to approach resolving the issue.
+
+- Green indicates the component is running in an optimal condition (optimal).
+- Orange indicates the component is not running in an optimal condition (not optimal).
+- Red indicates the component is in an abnormal state.
+
+### Sample BPA results output
+
+
+BitLocker |
+Description: | Checks if BitLocker is enabled on the system drive. |
+Value: | Protection On |
+Condition: | Optimal |
+Guidance: | It is highly recommended to enable BitLocker to protect your data. |
+
+
+
+Secure Boot |
+Description: | Checks if Secure Boot is enabled. |
+Value: | True |
+Condition: | Optimal |
+Guidance: | It is highly recommended to enable Secure Boot to protect your PC. |
+
+
+
+Trusted Platform Module |
+Description: | Ensures that the TPM is functional. |
+Value: | True |
+Condition: | Optimal |
+Guidance: | Without a functional TPM, security-based functions such as BitLocker may not work properly. |
+
+
+
+Connected Standby |
+Description: | Checks if Connected Standby is enabled. |
+Value: | True |
+Condition: | Optimal |
+Guidance: | Connected Standby allows a Surface device to receive updates and notifications while not being used. For best experience, Connected Standby should be enabled. |
+
+
+
+Bluetooth |
+Description: | Checks if Bluetooth is enabled. |
+Value: | Enabled |
+Condition: | Optimal |
+Guidance: | |
+
+
+
+Debug Mode |
+Description: | Checks if the operating system is in Debug mode. |
+Value: | Normal |
+Condition: | Optimal |
+Guidance: | The debug boot option enables or disables kernel debugging of the Windows operating system. Enabling this option can cause system instability and can prevent DRM (digital rights managemend) protected media from playing. |
+
+
+
+Test Signing |
+Description: | Checks if Test Signing is enabled. |
+Value: | Normal |
+Condition: | Optimal |
+Guidance: | Test Signing is a Windows startup setting that should only be used to test pre-release drivers. |
+
+
+
+Active Power Plan |
+Description: | Checks that the correct power plan is active. |
+Value: | Balanced |
+Condition: | Optimal |
+Guidance: | It is highly recommended to use the "Balanced" power plan to maximize productivity and battery life. |
+
+
+
+Windows Update |
+Description: | Checks if the device is up to date with Windows updates. |
+Value: | Microsoft Silverlight (KB4023307), Definition Update for Windows Defender Antivirus - KB2267602 (Definition 1.279.1433.0) |
+Condition: | Not Optimal |
+Guidance: | Updating to the latest windows makes sure you are on the latest firmware and drivers. It is recommended to always keep your device up to date |
+
+
+
+Free Hard Drive Space |
+Description: | Checks for low free hard drive space. |
+Value: | 66% |
+Condition: | Optimal |
+Guidance: | For best performance, your hard drive should have at least 10% of its capacity as free space. |
+
+
+
+Non-Functioning Devices |
+Description: | List of non-functioning devices in Device Manager. |
+Value: | |
+Condition: | Optimal |
+Guidance: | Non-functioning devices in Device Manager may cause unpredictable problems with Surface devices such as, but not limited to, no power savings for the respective hardware component. |
+
+
+
+External Monitor |
+Description: | Checks for an external monitor that may have compatibility issues. |
+Value: | |
+Condition: | Optimal |
+Guidance: | Check with the original equipment manufacturer for compatibility with your Surface device. |
+
\ No newline at end of file
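Review bot: The Debug Mode guidance row in the sample BPA output misspells the expansion as "digital rights managemend"; it should be "digital rights management". In the Windows Update row, the guidance reads "Updating to the latest windows" and its last sentence has no closing period; capitalize "Windows" and finish the sentence. The file also ends without a trailing newline, as the "\ No newline at end of file" marker shows; add one so later diffs to this file stay clean.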
diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
new file mode 100644
index 0000000000..6420daacb2
--- /dev/null
+++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
@@ -0,0 +1,99 @@
+---
+title: Use Surface Diagnostic Toolkit for Business in desktop mode
+description: How to use SDT to help users in your organization run the tool to identify and diagnose issues with the Surface device.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.date: 11/15/2018
+---
+
+# Use Surface Diagnostic Toolkit for Business in desktop mode
+
+This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error.
+
+1. Direct the user to install [the SDT package](surface-diagnostic-toolkit-business.md#create-custom-sdt) from a software distribution point or network share. After it is installed, you’re ready to guide the user through a series of tests.
+
+2. Begin at the home page, which allows users to enter a description of the issue, and click **Continue**, as shown in figure 1.
+
+ 
+
+ *Figure 1. SDT in desktop mode*
+
+3. When SDT indicates the device has the latest updates, click **Continue** to advance to the catalog of available tests, as shown in figure 2.
+
+ 
+
+ *Figure 2. Select from SDT options*
+
+4. You can choose to run all the diagnostic tests. Or, if you already suspect a particular issue such as a faulty display or a power supply problem, click **Select** to choose from the available tests and click **Run Selected**, as shown in figure 3. See the following table for details of each test.
+
+ 
+
+ *Figure 3. Select hardware tests*
+
+ Hardware test | Description
+ --- | ---
+ Power Supply and Battery | Checks Power supply is functioning optimally
+ Display and Sound | Checks brightness, stuck or dead pixels, speaker and microphone functioning
+ Ports and Accessories | Checks accessories, screen attach and USB functioning
+ Connectivity | Checks Bluetooth, wireless and LTE connectivity
+ Security | Checks security related issues
+ Touch | Checks touch related issues
+ Keyboard and touch | Checks integrated keyboard connection and type cover
+ Sensors | Checks functioning of different sensors in the device
+ Hardware | Checks issues with different hardware components such as graphics card and camera
+
+
+
+
+
+
+## Running multiple hardware tests to troubleshoot issues
+
+SDT is designed as an interactive tool that runs a series of tests. For each test, SDT provides instructions summarizing the nature of the test and what users should expect or look for in order for the test to be successful. For example, to diagnose if the display brightness is working properly, SDT starts at zero and increases the brightness to 100 percent, asking users to confirm – by answering **Yes** or **No** -- that brightness is functioning as expected, as shown in figure 4.
+
+For each test, if functionality does not work as expected and the user clicks **No**, SDT generates a report of the possible causes and ways to troubleshoot it.
+
+
+
+*Figure 4. Running hardware diagnostics*
+
+1. If the brightness successfully adjusts from 0-100 percent as expected, direct the user to click **Yes** and then click **Continue**.
+2. If the brightness fails to adjust from 0-100 percent as expected, direct the user to click **No** and then click **Continue**.
+3. Guide users through remaining tests as appropriate. When finished, SDT automatically provides a high-level summary of the report of the possible causes of any hardware issues along with guidance for resolution.
+
+
+### Repairing applications
+
+SDT enables you to diagnose and repair applications that may be causing issues, as shown in figure 5.
+
+
+
+*Figure 5. Running repairs*
+
+
+
+
+
+### Generating logs for analyzing issues
+
+SDT provides extensive log-enabled diagnosis support across applications, drivers, hardware, and operating system issues, as shown in figure 6.
+
+
+
+*Figure 6. Generating logs*
+
+
+
+
+### Generating detailed report comparing device vs. optimal configuration
+
+Based on the logs, SDT generates a report for software- and firmware-based issues that you can save to a preferred location.
+
+## Related topics
+
+- [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
+
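Review bot: In "Running multiple hardware tests to troubleshoot issues", numbered steps 1 and 2 are the two possible outcomes of the same brightness check (click **Yes** if it adjusts, **No** if it does not), not consecutive steps, so the numbering tells the reader to do both. Make them two bullets under a single step, or fold them into the paragraph that introduces figure 4, and keep "Guide users through remaining tests" as the next step. In the hardware test table, "Power Supply and Battery | Checks Power supply is functioning optimally" never mentions the battery, and the Security and Touch rows ("Checks security related issues", "Checks touch related issues") only restate the test name; since an admin uses this table to decide which tests to select, say which components each one covers.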
diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md
index 925b058eb0..9c644b79eb 100644
--- a/devices/surface/surface-dock-updater.md
+++ b/devices/surface/surface-dock-updater.md
@@ -112,7 +112,7 @@ Microsoft Surface Dock Updater logs its progress into the Event Log, as shown in
## Changes and updates
-Microsoft periodically updates Surface Dock Updater. To learn more about the application of firmware by Surface Dock Updater, see [Manage Surface Dock firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-dock-firmware-updates).
+Microsoft periodically updates Surface Dock Updater.
>[!Note]
>Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater.
@@ -191,7 +191,7 @@ This version of Surface Dock Updater adds support for the following:
* Update for Surface Dock DisplayPort firmware
-## Related topics
+
-[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
+
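Review bot: The "## Related topics" heading and its link are swapped for empty added lines instead of being deleted, which leaves two blank lines after the "Update for Surface Dock DisplayPort firmware" bullet where the section used to be. Remove both lines outright rather than replacing each with an empty "+" line.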
diff --git a/devices/surface/update.md b/devices/surface/update.md
index 29e0b9517b..df7a6e3c5d 100644
--- a/devices/surface/update.md
+++ b/devices/surface/update.md
@@ -8,7 +8,7 @@ ms.sitesec: library
author: heatherpoulsen
ms.author: jdecker
ms.topic: article
-ms.date: 12/01/2016
+ms.date: 11/13/2018
---
# Surface firmware and driver updates
@@ -22,7 +22,6 @@ Find out how to download and manage the latest firmware and driver updates for y
|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically. |
| [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.|
| [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.|
-| [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)| Read about the different methods you can use to manage the process of Surface Dock firmware updates.|
| [Surface Dock Updater](surface-dock-updater.md)| Get a detailed walkthrough of Microsoft Surface Dock Updater.|
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
index ceacdbb6dc..2473c384ee 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
@@ -56,7 +56,7 @@ Use the following table to get information about supported versions of Office an
-[Planning for Using App-V with coexsiting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting) |
+[Planning for Using App-V with coexisting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting) |
Considerations for installing different versions of Office on the same computer |
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
index d2b4fb5e5e..3cf91ddf99 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
@@ -56,7 +56,7 @@ Use the following table to get information about supported versions of Office an
-[Planning for Using App-V with coexsiting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting) |
+[Planning for Using App-V with coexisting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting) |
Considerations for installing different versions of Office on the same computer |
diff --git a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
index b183080d0a..bb717d6751 100644
--- a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
+++ b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
@@ -22,7 +22,7 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531)
-2. Run the downloaded file to extract the template folders.
+2. Expand the downloaded .cab file by running `expand \MDOP_ADMX_Templates.cab -F:* `
**Warning**
Do not extract the templates directly to the Group Policy deployment directory. Multiple technologies and versions are bundled in this file.
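Review bot: The command in the new step 2, `expand \MDOP_ADMX_Templates.cab -F:* `, has no source directory in front of the backslash and nothing after `-F:*`, so it names no destination; it reads as if two placeholders were lost. `expand` with `-F` requires a destination folder, and the warning directly below tells readers not to extract into the Group Policy deployment directory, so the destination is the argument they most need spelled out. Write both placeholders in a form that survives rendering and drop the trailing space inside the backticks.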
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
index 393503a4e4..db464151f8 100644
--- a/smb/cloud-mode-business-setup.md
+++ b/smb/cloud-mode-business-setup.md
@@ -297,7 +297,7 @@ In this part of the walkthrough, we'll be working on the Microsoft Intune management portal, select **Admin**.
-2. In the **Administration** workspace, click **Mobile Device Management**. If this is the first tiem you're using the portal, click **manage mobile devices** in the **Mobile Device Management** window. The page will refresh and you'll have new options under **Mobile Device Management**.
+2. In the **Administration** workspace, click **Mobile Device Management**. If this is the first item you're using the portal, click **manage mobile devices** in the **Mobile Device Management** window. The page will refresh and you'll have new options under **Mobile Device Management**.
**Figure 24** - Mobile device management
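Review bot: The typo fix in step 2 lands on the wrong word: "first tiem" becomes "first item", but the sentence needs "time" ("If this is the first time you're using the portal").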
@@ -433,7 +433,7 @@ In the Intune management
2. Log in to the Intune management portal.
3. Select **Groups** and then go to **Devices**.
4. In the **All Devices** page, look at the list of devices and select the entry that matches the name of your PC.
- - Check that the device name appears in the list. Select the device and it will also show the user that's currently logged in in the **General Information** section.
+ - Check that the device name appears in the list. Select the device and it will also show the current logged-in user in the **General Information** section.
- Check the **Management Channel** column and confirm that it says **Managed by Microsoft Intune**.
- Check the **AAD Registered** column and confirm that it says **Yes**.
diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md
index 93b1e53290..54f8ce99cd 100644
--- a/windows/client-management/TOC.md
+++ b/windows/client-management/TOC.md
@@ -14,6 +14,7 @@
## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md)
### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md)
### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
+### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
## [Mobile device management for solution providers](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
new file mode 100644
index 0000000000..207d12b5d3
--- /dev/null
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -0,0 +1,389 @@
+---
+title: Advanced troubleshooting for Windows boot problems
+description: Learn how to troubleshoot when Windows is unable to boot
+ms.prod: w10
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 11/16/2018
+---
+
+# Advanced troubleshooting for Windows boot problems
+
+>[!NOTE]
+>This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415).
+
+## Summary
+
+There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck:
+
+| **Phase** | **Boot Process** | **BIOS** | **UEFI** |
+|--------|----------------------|------------------------------| |
+| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware |
+| 2 | Windows Boot Manager | %SystemDrive%\bootmgr | \EFI\Microsoft\Boot\bootmgfw.efi |
+| 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi |
+| 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | |
+
+
+**1. PreBoot**
+
+The PC’s firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot
+Manager.
+
+**2. Windows Boot Manager**
+
+Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
+
+**3. Windows operating system loader**
+
+Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
+
+**4. Windows NT OS Kernel**
+
+The kernel loads into memory the system registry hive and additional drivers that are marked as BOOT_START.
+
+The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that are not marked BOOT_START.
+
+Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.
+
+
+[Click to enlarge](img-boot-sequence.md)
+
+
+
+
+Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases.
+
+>[!NOTE]
+>If the computer repeatedly boots to the recovery options, run the following command at a command prompt to break the cycle:
+>
+>`Bcdedit /set {default} recoveryenabled no`
+>
+>If the F8 options don't work, run the following command:
+>
+>`Bcdedit /set {default} bootmenupolicy legacy`
+
+
+## BIOS phase
+
+To determine whether the system has passed the BIOS phase, follow these steps:
+
+1. If there are any external peripherals connected to the computer, disconnect them.
+2. Check whether the hard disk drive light on the physical computer is working. If it is not working, this indicates that the startup process is stuck at the BIOS phase.
+3. Press the NumLock key to see whether the indicator light toggles on and off. If it does not, this indicates that the startup process is stuck at BIOS.
+
+If the system is stuck at the BIOS phase, there may be a hardware problem.
+
+## Boot loader phase
+
+If the screen is completely black except for a blinking cursor, or if you receive one of the following error codes, this indicates that the boot process is stuck in the Boot Loader phase:
+
+- Boot Configuration Data (BCD) missing or corrupted
+- Boot file or MBR corrupted
+- Operating system Missing
+- Boot sector missing or corrupted
+- Bootmgr missing or corrupted
+- Unable to boot due to system hive missing or corrupted
+
+To troubleshoot this problem, use Windows installation media to start the computer, press Shift+F10 for a command prompt, and then use any of the following methods.
+
+
+### Method 1: Startup Repair tool
+
+The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically.
+
+To do this, follow these steps.
+
+>[!NOTE]
+>For additional methods to start WinRE, see [Entry points into WinRE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre).
+
+1. Start the system to the installation media for the installed version of Windows.
+ **Note** For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088).
+
+2. On the **Install Windows** screen, select **Next** > **Repair your computer**.
+
+3. On the **System Recovery Options** screen, select **Next** > **Command Prompt**.
+
+4. After Startup Repair, select **Shutdown**, then turn on your PC to see if Windows can boot properly.
+
+The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location:
+
+**%windir%\System32\LogFiles\Srt\Srttrail.txt**
+
+
+For more information see, [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
+
+
+### Method 2: Repair Boot Codes
+
+To repair boot codes, run the following command:
+
+```dos
+BOOTREC /FIXMBR
+```
+
+To repair the boot sector, run the following command:
+
+```dos
+BOOTREC /FIXBOOT
+```
+
+>[!NOTE]
+>Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem.
+
+### Method 3: Fix BCD errors
+
+If you receive BCD-related errors, follow these steps:
+
+1. Scan for all the systems that are installed. To do this, run the following command:
+ ```dos
+ Bootrec /ScanOS
+ ```
+
+2. Restart the computer to check whether the problem is fixed.
+
+3. If the problem is not fixed, run the following command:
+ ```dos
+ Bootrec /rebuildbcd
+ ```
+
+4. You might receive one of the following outputs:
+
+ - Scanning all disks for Windows installations. Please wait, since this may take a while...Successfully scanned Windows installations. Total identified Windows installations: 0
+ The operation completed successfully.
+
+ - Scanning all disks for Windows installations. Please wait, since this may take a while... Successfully scanned Windows installations. Total identified Windows installations: 1
+ D:\Windows
+ Add installation to boot list? Yes/No/All:
+
+If the output shows **windows installation: 0**, run the following commands:
+
+```dos
+bcdedit /export c:\bcdbackup
+
+attrib c:\\boot\\bcd -h -r –s
+
+ren c:\\boot\\bcd bcd.old
+
+bootrec /rebuildbcd
+```
+
+After you run the command, you receive the following output:
+
+ Scanning all disks for Windows installations. Please wait, since this may take a while...Successfully scanned Windows installations. Total identified Windows installations: 1{D}:\Windows
+Add installation to boot list? Yes/No/All: Y
+
+5. Try again to start the system.
+
+### Method 4: Replace Bootmgr
+
+If methods 1 and 2 do not fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this, follow these steps:
+
+1. At a command prompt, change the directory to the System Reserved partition.
+
+2. Run the **attrib** command to unhide the file:
+ ```dos
+ attrib-s -h -r
+ ```
+
+3. Run the same **attrib** command on the Windows (system drive):
+ ```dos
+ attrib-s -h –r
+ ```
+
+4. Rename the Bootmgr file as Bootmgr.old:
+ ```dos
+ ren c:\\bootmgr bootmgr.old
+ ```
+
+5. Start a text editor, such as Notepad.
+
+6. Navigate to the system drive.
+
+7. Copy the Bootmgr file, and then paste it to the System Reserved partition.
+
+8. Restart the computer.
+
+### Method 5: Restore System Hive
+
+If Windows cannot load the system registry hive into memory, you must restore the system hive. To do this, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config.
+
+If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
+
+
+## Kernel Phase
+
+If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following:
+
+- A Stop error appears after the splash screen (Windows Logo screen).
+
+- Specific error code is displayed.
+ For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
+ (To troubleshoot the 0x0000007B error, see [Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)](https://internal.support.services.microsoft.com/help/4343769/troubleshooting-guide-for-windows-boot-problems#0x7bstoperror))
+
+- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
+
+- A black screen appears after the splash screen.
+
+To troubleshoot these problems, try the following recovery boot options one at a time.
+
+**Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration**
+
+On the **Advanced Boot Options** screen, try to start the computer in **Safe Mode** or **Safe Mode with Networking**. If either of these options works, use Event Viewer to help identify and diagnose the cause of the boot problem. To view events that are recorded in the event logs, follow these steps:
+
+1. Use one of the following methods to open Event Viewer:
+
+ - Click **Start**, point to **Administrative Tools**, and then click
+ **Event Viewer**.
+
+ - Start the Event Viewer snap-in in Microsoft Management Console (MMC).
+
+2. In the console tree, expand Event Viewer, and then click the log that you
+ want to view. For example, click **System log** or **Application log**.
+
+3. In the details pane, double-click the event that you want to view.
+
+4. On the **Edit** menu, click **Copy**, open a new document in the program in
+ which you want to paste the event (for example, Microsoft Word), and then
+ click **Paste**.
+
+5. Use the Up Arrow or Down Arrow key to view the description of the previous
+ or next event.
+
+
+### Clean boot
+
+To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig).
+Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you cannot find the cause, try including system services. However, in most cases, the problematic service is third-party.
+
+Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**.
+
+For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows).
+
+If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement:
+[Troubleshooting boot problem caused by missing driver signature (x64)](https://blogs.technet.microsoft.com/askcore/2012/04/15/troubleshooting-boot-issues-due-to-missing-driver-signature-x64/)
+
+>[!NOTE]
+>If the computer is a domain controller, try Directory Services Restore mode (DSRM).
+>
+>This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2"
+
+
+**Examples**
+
+>[!WARNING]
+>Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these
+problems can be solved. Modify the registry at your own risk.
+
+*Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)*
+
+To troubleshoot this Stop error, follow these steps to filter the drivers:
+
+1. Go to Window Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of same version of Windows or a later version.
+
+2. Open the registry.
+
+3. Load the system hive, and name it as "test."
+
+4. Under the following registry subkey, check for lower filter and upper filter items for Non-Microsoft Drivers:
+
+ **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class**
+
+5. For each third-party driver that you locate, click the upper or lower filter, and then delete the value data.
+
+6. Search through the whole registry for similar items. Process as an appropriate, and then unload the registry hive.
+
+7. Restart the server in Normal mode.
+
+For additional troubleshooting steps, see the following articles:
+
+- [Troubleshooting a Stop 0x7B in Windows](https://blogs.technet.microsoft.com/askcore/2013/08/05/troubleshooting-a-stop-0x7b-in-windows/)
+
+- [Advanced troubleshooting for "Stop error code 0x0000007B (INACCESSIBLE_BOOT_DEVICE)" errors in Windows XP](https://internal.support.services.microsoft.com/help/324103).
+
+To fix problems that occur after you install Windows updates, check for pending updates by using these steps:
+
+1. Open a Command Prompt winodw in WinRE.
+
+2. Run the command:
+ ```dos
+ dism /image:C:\ /get-packages
+ ```
+
+3. If there are any pending updates, uninstall them by running the following commands:
+ ```dos
+ DISM /image:C:\ /remove-package /packagename: name of the package
+ ```
+ ```dos
+ Dism /Image:C:\ /Cleanup-Image /RevertPendingActions
+ ```
+
+Try to start the computer.
+
+If the computer does not start, follow these steps:
+
+1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad.
+
+2. Navigate to the system drive, and search for windows\winsxs\pending.xml.
+
+3. If the Pending.xml file is found, rename the file as Pending.xml.old.
+
+4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as a test.
+
+5. Highlight the loaded test hive, and then search for the **pendingxmlidentifier** value.
+
+6. If the **pendingxmlidentifier** value exists, delete the value.
+
+7. Unload the test hive.
+
+8. Load the system hive, name it as "test".
+
+9. Navigate to the following subkey:
+
+ **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TrustedInstaller**
+
+10. Change the **Start** value from **1** to **4**
+
+11. Unload the hive.
+
+12. Try to start the computer.
+
+If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following Knowledge Base article:
+
+- [969028](https://support.microsoft.com/help/969028) How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2
+
+For more information about page file problems in Windows 10 or Windows Server 2016, see the following Knowledge Base article:
+
+- [4133658](https://support.microsoft.com/help/4133658) Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows
+
+For more information about Stop errors, see the following Knowledge Base article:
+
+- [3106831](https://support.microsoft.com/help/3106831) Troubleshooting Stop error problems for IT Pros
+
+
+If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines:
+
+- Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
+
+- If the driver is not important and has no dependencies, load the system hive, and then disable the driver.
+
+- If the stop error indicates system file corruption, run the system file checker in offline mode.
+ - To do this, open WinRE, open a command prompt, and then run the following command:
+ ```dos
+ SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows
+ ```
+ For more information, see [Using System File Checker (SFC) To Fix Issues](https://blogs.technet.microsoft.com/askcore/2007/12/18/using-system-file-checker-sfc-to-fix-issues/)
+
+ - If there is disk corruption, run the check disk command:
+ ```dos
+ chkdsk /f /r
+ ```
+
+ - If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
+
+ 1. Start WinRE, and open a Command Prompt window.
+ 2. Start a text editor, such as Notepad.
+ 3. Navigate to C\Windows\System32\Config\.
+ 4. Rename the all five hives by appending ".old" to the name.
+ 5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
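Review bot: Several commands in this new article will not run as typed. In Method 4, steps 2 and 3 give `attrib-s -h -r` with no space after `attrib` and no file name, and step 3 (like `attrib c:\\boot\\bcd -h -r –s` in Method 3) has an en dash instead of a hyphen before the last switch. The same `dos` fences use doubled backslashes (`c:\\boot\\bcd`, `c:\\bootmgr`), which a fence renders literally, while the DISM and SFC lines use single ones; use plain hyphens, single backslashes, and name the file being changed. Two links point at internal.support.services.microsoft.com (the 0x0000007B reference under Kernel Phase and the Windows XP article in the additional troubleshooting list); public readers cannot reach that host and it should not appear in published docs, so replace them with public URLs or drop them. Method 1 never starts Startup Repair: step 3 selects **Command Prompt** and step 4 begins "After Startup Repair". The summary table's separator row has three dashed columns and an empty cell under a four-column header, "winodw" and "Window Recovery Environment" are typos, and the last list gives the path as "C\Windows\System32\Config\" without the colon. Finally, the procedures that change boot and service configuration (`Bcdedit /set {default} recoveryenabled no`, deleting upper and lower filter values, setting TrustedInstaller **Start** to **4**) have no step to record the original value or restore it once the machine boots; add one to each.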
diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md
index aea4ddbb30..f8a9d1a2c6 100644
--- a/windows/client-management/data-collection-for-802-authentication.md
+++ b/windows/client-management/data-collection-for-802-authentication.md
@@ -14,538 +14,371 @@ ms.date: 10/29/2018
# Data Collection for Troubleshooting 802.1x Authentication
-## Steps to capture Wireless/Wired functionality logs
-
+## Capture wireless/wired functionality logs
+
+Use the following steps to collect wireless and wired logs on Windows and Windows Server:
+
1. Create C:\MSLOG on the client machine to store captured logs.
-2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log:
+2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log.
-**On Windows 8.1, Windows 10 Wireless Client**
+ **Wireless Windows 8.1 and Windows 10:**
-```dos
-netsh ras set tracing * enabled
-```
-```dos
-netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
-```
+ ```
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
+ ```
-**On Windows 7, Winodws 8 Wireless Client**
-```dos
-netsh ras set tracing * enabled
-```
-```dos
-netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
-```
+ **Wireless Windows 7 and Windows 8:**
+ ```
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
+ ```
-**On Wired network client**
-
-```dos
-netsh ras set tracing * enabled
-```
-```dos
-netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_cli.etl
-```
+ **Wired client, regardless of version**
+ ```
+ netsh ras set tracing * enabled
+ netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_cli.etl
+ ```
-3. Run the followind command to enable CAPI2 logging:
-
-```dos
-wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
-```
+3. Run the following command to enable CAPI2 logging:
+
+ ```
+ wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
+ ```
4. Create C:\MSLOG on the NPS to store captured logs.
5. Launch a command prompt as an administrator on the NPS and run the following commands to start RAS trace log and Wireless/Wired scenario log:
-**On Windows Server 2012 R2, Windows Server 2016 Wireless network**
+ **Windows Server 2012 R2, Windows Server 2016 wireless network:**
- ```dos
- netsh ras set tracing * enabled
```
- ```dos
- netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
```
-**On Windows Server 2008 R2, Winodws Server 2012 Wireless network**
+ **Windows Server 2008 R2, Windows Server 2012 wireless network**
- ```dos
- netsh ras set tracing * enabled
```
- ```dos
- netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
```
-**On wired network**
+ **Wired network**
- ```dos
- netsh ras set tracing * enabled
```
- ```dos
- netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_nps.etl
+ netsh ras set tracing * enabled
+ netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_nps.etl
```
-6. Run the followind command to enable CAPI2 logging:
+6. Run the following command to enable CAPI2 logging:
- ```dos
+ ```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
```
-
7. Run the following command from the command prompt on the client machine and start PSR to capture screen images:
-
-> [!NOTE]
-> When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
+ > [!NOTE]
+ > When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
- ```dos
+ ```
psr /start /output c:\MSLOG\%computername%\_psr.zip /maxsc 100
```
-
8. Repro the issue.
-
-9. Run the following command on the client machine to stop the PSR capturing:
+9. Run the following command on the client PC to stop the PSR capturing:
- ```dos
- psr /stop
- ```
+ ```
+ psr /stop
+ ```
10. Run the following commands from the command prompt on the NPS.
-**Stopping RAS trace log and Wireless scenario log**
+ - To stop RAS trace log and wireless scenario log:
- ```dos
- netsh trace stop
- ```
- ```dos
- netsh ras set tracing * disabled
- ```
-
-**Disabling and copying CAPI2 log**
+ ```
+ netsh trace stop
+ netsh ras set tracing * disabled
+ ```
+ - To disable and copy CAPI2 log:
- ```dos
- wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
- ```
- ```dos
- wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
- ```
+ ```
+ wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
+ wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
+ ```
-11. Run the following commands from the prompt on the client machine.
+11. Run the following commands on the client PC.
+ - To stop RAS trace log and wireless scenario log:
+ ```
+ netsh trace stop
+ netsh ras set tracing * disabled
+ ```
-**Stopping RAS trace log and Wireless scenario log**
+ - To disable and copy the CAPI2 log:
+ ```
+ wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
+ wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
+ ```
+
+12. Save the following logs on the client and the NPS:
+
+ **Client**
+ - C:\MSLOG\%computername%_psr.zip
+ - C:\MSLOG\CAPI2_%COMPUTERNAME%.evtx
+ - C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
+ - C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab
+ - All log files and folders in %Systemroot%\Tracing
+
+ **NPS**
+ - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
+ - C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario)
+ - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
+ - All log files and folders in %Systemroot%\Tracing
- ```dos
- netsh trace stop
- ```
- ```dos
- netsh ras set tracing * disabled
- ```
-
-**Disabling and copying CAPI2 log**
+## Save environmental and configuration information
+
+### On Windows client
- ```dos
- wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
- ```
- ```dos
- wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
- ```
-
-12. Save the following logs on the client and the NPS.
-
-**Client**
- - C:\MSLOG\%computername%_psr.zip
- - C:\MSLOG\CAPI2_%COMPUTERNAME%.evtx
- - C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
- - C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab
- - All log files and folders in %Systemroot%\Tracing
-
-**NPS**
- - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
- - C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario)
- - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
- - All log files and folders in %Systemroot%\Tracing
-
-
-### Steps to save environmental / configuration information
-
-**Client**
1. Create C:\MSLOG to store captured logs.
2. Launch a command prompt as an administrator.
3. Run the following commands.
- - Environmental information and Group Policies application status
- ```dos
- gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm
-
- msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
-
- ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
-
- route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
- ```
-
-**Event logs**
-
-**Run the following command on Windows 8 and above **
-```dos
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
-```
-
-```dos
-wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
-
-wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
-
-wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
-
-wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
-
-wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
-
-wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
-```
-
-**Certificates Store information**
-
-```dos
-certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
-
-certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
-
-certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
-
-certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
-
-certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
-
-certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
-
-certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
-
-certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
-```
-
-**Wireless LAN Client information**
-```dos
-netsh wlan show all > c:\MSLOG\%COMPUTERNAME%\_wlan\_show\_all.txt
-
-netsh wlan export profile folder=c:\MSLOG\
-```
-
-**Wired LAN Client information**
-```dos
-netsh lan show all > c:\MSLOG\%COMPUTERNAME%\_lan\_show\_all.txt
-
-netsh lan export profile folder=c:\MSLOG\
-```
-
-4. Save the logs stored in C:\MSLOG.
-
-
-**NPS**
- 1. Create C:\MSLOG to store captured logs.
- 2. Launch a command prompt as an administrator.
- 3. Run the following commands:
-
- **Environmental information and Group Policies application status**
-
- ```dos
- gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
-
+ - Environmental information and Group Policies application status
+
+ ```
+ gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm
+ msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
+ ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
+ route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
+ ```
+ - Event logs
+
+ ```
+ wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
+ wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
+ wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
+ wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
+ wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
+ wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
+ ```
+ - For Windows 8 and later, also run these commands for event logs:
+
+ ```
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
+ ```
+ - Certificates Store information:
+
+ ```
+ certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
+ certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
+ certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
+ certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
+ certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
+ certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
+ certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
+ certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
+ certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
+ certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
+ ```
+ - Wireless LAN client information:
+
+ ```
+ netsh wlan show all > c:\MSLOG\%COMPUTERNAME%\_wlan\_show\_all.txt
+ netsh wlan export profile folder=c:\MSLOG\
+ ```
+ - Wired LAN Client information
+
+ ```
+ netsh lan show all > c:\MSLOG\%COMPUTERNAME%\_lan\_show\_all.txt
+ netsh lan export profile folder=c:\MSLOG\
+ ```
+4. Save the logs stored in C:\MSLOG.
+
+### On NPS
+
+1. Create C:\MSLOG to store captured logs.
+2. Launch a command prompt as an administrator.
+3. Run the following commands.
+ - Environmental information and Group Policies application status:
+
+ ```
+ gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
-
ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
-
route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
```
+ - Event logs:
+
+ ```
+ wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
+ wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
+ wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
+ wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
+ ```
+ - Run the following 3 commands on Windows Server 2012 and later:
+
+ ```
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
+ ```
+ - Certificates store information
+
+ ```
+ certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
+ certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
+ certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
+ certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
+ certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
+ certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
+ certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
+ certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
+ certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
+ certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
+ ```
+ - NPS configuration information:
+
+ ```
+ netsh nps show config > C:\MSLOG\%COMPUTERNAME%\_nps\_show\_config.txt
+ netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES
+ ```
+3. Take the following steps to save an NPS accounting log.
+ 1. Open **Administrative tools > Network Policy Server**.
+ 2. On the Network Policy Server administration tool, select **Accounting** in the left pane.
+ 3. Click **Change Log File Properties**.
+ 4. On the **Log File** tab, note the log file naming convention shown as **Name** and the log file location shown in **Directory** box.
+ 5. Copy the log file to C:\MSLOG.
-**Event logs**
-**Run the following 3 commands on Windows Server 2012 and above:**
-```dos
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
-```
+4. Save the logs stored in C:\MSLOG.
-```dos
-wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
-
-wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
-
-wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
-
-wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
-```
+### Certificate Authority (CA) (OPTIONAL)
-**Certificates store information**
-```dos
-certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
-
-certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
-
-certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
-
-certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
-
-certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
-
-certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
-
-certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
-
-certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
-```
-
-**NPS configuration information**
-```dos
-netsh nps show config > C:\MSLOG\%COMPUTERNAME%\_nps\_show\_config.txt
-
-netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES
-```
-
-3. Take the following steps to save an NPS accounting log:
-4. Launch **Administrative tools** - **Network Policy Server**.
- - On the Network Policy Server administration tool, select **Accounting** in the left pane.
- - Click **Change Log File Properties** in the right pane.
- - Click the **Log File** tab, note the log file naming convention shown as *Name* and the log file location shown in the **Directory** box.
- - Copy the log file to C:\MSLOG.
- - Save the logs stored in C:\MSLOG.
-
-
-**Certificate Authority (CA)** *Optional*
-
-1. On a CA, launch a command prompt as an administrator.
-2. Create C:\MSLOG to store captured logs.
-3. Run the following commands:
-
-Environmental information and Group Policies application status
-
-```dos
-gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
-
-msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
-
-ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
-
-route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
-```
-
-**Event logs**
-
-**Run the following 3 lines on Windows 2012 and up:**
-
-```dos
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
-```
-
-```dos
-wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
-
-wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
-
-wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
-
-wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
-```
-
-**Certificates store information**
-
-```dos
-certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
-
-certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
-
-certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
-
-certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
-
-certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
-
-certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
-
-certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
-
-certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
-```
-
-**CA configuration information**
-```dos
-reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.hiv
-
-reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.txt
-
-reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.hiv
-
-reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx
-```
-
-4. Copy the following files, if exist, to C:\MSLOG. %windir%\CAPolicy.inf
-5. Log on to a domain controller and create C:\MSLOG to store captured logs.
-6. Launch Windows PowerShell as an administrator.
-7. Run the following PowerShell commandlets
-
- \* Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain.
-```powershell
-Import-Module ActiveDirectory
-
-Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject\_$Env:COMPUTERNAME.txt
-```
-8. Save the following logs:
-- All files in C:\MSLOG on the CA
-- All files in C:\MSLOG on the domain controller
+1. On a CA, launch a command prompt as an administrator. Create C:\MSLOG to store captured logs.
+2. Run the following commands.
+ - Environmental information and Group Policies application status
+
+ ```
+ gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
+ msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
+ ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
+ route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
+ ```
+ - Event logs
+
+ ```
+ wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
+ wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
+ wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
+ wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
+ ```
+ - Run the following 3 lines on Windows 2012 and up
+
+ ```
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
+ ```
+ - Certificates store information
+
+ ```
+ certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
+ certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
+ certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
+ certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
+ certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
+ certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
+ certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
+ certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
+ certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
+ certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
+ ```
+ - CA configuration information
+
+ ```
+ reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.hiv
+ reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.txt
+ reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.hiv
+ reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx
+ ```
+3. Copy the following files, if exist, to C:\MSLOG: %windir%\CAPolicy.inf
+4. Log on to a domain controller and create C:\MSLOG to store captured logs.
+5. Launch Windows PowerShell as an administrator.
+6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain.
+
+ ```powershell
+ Import-Module ActiveDirectory
+ Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject\_$Env:COMPUTERNAME.txt
+ ```
+7. Save the following logs.
+ - All files in C:\MSLOG on the CA
+ - All files in C:\MSLOG on the domain controller
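Review bot: Several commands in the rewritten CA procedure will not run as pasted, and the rewrite is the place to fix them. The last `reg export` line writes to `_Cryptography.tx`, a truncated extension carried over from the removed text; it should be `.txt` to match `_CertSvc.txt`. In step 6 the `-SearchBase` value and the domain example are wrapped in `";` sequences instead of plain double quotes, and `-Filter \* -Properties \* | fl \*` keeps Markdown backslash escapes inside a fenced block, as do the `\_` sequences in the output file names. Separately, `gpresult /H` produces an HTML report but is given a `.txt` file name. Since the procedure saves the CertSvc and Cryptography registry hives and the Security event log into C:\MSLOG, step 7 would also benefit from a sentence on restricting access to that folder and removing it once the logs are handed over.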
diff --git a/windows/client-management/images/boot-sequence-thumb.png b/windows/client-management/images/boot-sequence-thumb.png
new file mode 100644
index 0000000000..164f9f9848
Binary files /dev/null and b/windows/client-management/images/boot-sequence-thumb.png differ
diff --git a/windows/client-management/images/boot-sequence.png b/windows/client-management/images/boot-sequence.png
new file mode 100644
index 0000000000..31e6dc34c9
Binary files /dev/null and b/windows/client-management/images/boot-sequence.png differ
diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md
new file mode 100644
index 0000000000..ca385d841a
--- /dev/null
+++ b/windows/client-management/img-boot-sequence.md
@@ -0,0 +1,11 @@
+---
+description: A full-sized view of the boot sequence flowchart.
+title: Boot sequence flowchart
+ms.date: 11/16/2018
+---
+
+Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
+
+
+
+
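Review bot: The front matter describes "A full-sized view of the boot sequence flowchart", but as the hunk reads here the body after the "Return to" link is only empty lines, with no visible reference to the `images/boot-sequence.png` file added in the same patch. Please confirm the page embeds the image, and give it alt text so the flowchart is described for readers who cannot see it.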
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
index aa9b63bd2b..7b80381b7c 100644
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -38,7 +38,7 @@ Policy paths:
The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon delimited list of URIs in **Settings Page Visiblity**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
>[!NOTE]
-> When you specify the URI in the Settings Page Visbility textbox, don't include **ms-settings:** in the string.
+> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.
Here are some examples:
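Review bot: The note now spells "Visibility" correctly, but the unchanged paragraph directly above it still reads "**Settings Page Visiblity**", so the same setting is spelled two ways within three lines. Fix that occurrence in this change as well, and check that the bolded name matches the policy name shown in the Group Policy editor.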
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
index b1d8ac001f..8cc949f6b9 100644
--- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -400,7 +400,7 @@ Location:
Example:
HTTP/1.1 302
-Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Acess%20is%20denied%2E
+Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Access%20is%20denied%2E
```
The following table shows the error codes.
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index 4e860c0b4b..8aa018c18c 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -79,7 +79,7 @@ Using the ICD, create a provisioning package using the enrollment information re
12. Enter the values for your package and specify the package output location.

- 
+ 

13. Click **Build**.
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 996f6c944d..47f25fad53 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
-ms.date: 08/08/2018
+ms.date: 11/14/2018
---
# Policy CSP - Defender
@@ -1366,7 +1366,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.
-Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
+Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
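Review bot: The renamed sentence "This policy setting allows user-specified applications to the controlled folder access feature" is missing its verb; the sibling setting's description says "allows adding user-specified folder locations to", so this one should read "allows adding user-specified applications to". It would also help to state what an entry looks like (for example, a full executable path), since the text only says the value is a string separated by `|`.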
@@ -1421,7 +1421,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.
-Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
+Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
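Review bot: The added line keeps "This policy settings allows" and "can not be changed" from the old text; since the sentence is being rewritten anyway, correct these to "This policy setting allows" and "cannot be changed". The note above it already records the rename to ControlledFolderAccessProtectedFolders, so the description and the note will then be consistent.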
@@ -1679,7 +1679,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess.
-Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
+Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index c212eae7d8..d540b098dd 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -7,45 +7,54 @@ ms.sitesec: library
ms.author: elizapo
author: kaushika-msft
ms.localizationpriority: medium
-ms.date: 11/08/2017
+ms.date: 11/08/2018
---
# Top support solutions for Windows 10
Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates:
-- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124/)
-- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825/)
-- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824/)
+- [Windows 10 version 1803 update history](https://support.microsoft.com/help/4099479)
+- [Windows 10 version 1709 update history](https://support.microsoft.com/help/4043454)
+- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124)
+- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825)
+- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824)
These are the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. The links below include links to KB articles, updates, and library articles.
-## Solutions related to installing Windows updates or hotfixes
-- [Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760/understanding-the-windowsupdate-log-file-for-advanced-users)
-- [You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer)
-- [Get-WindowsUpdateLog](https://technet.microsoft.com/itpro/powershell/windows/windowsupdate/get-windowsupdatelog)
-- [How to read the Windowsupdate.log file](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file)
-- [Can't download updates from Windows Update from behind a firewall or proxy server](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p)
-- [Computer staged from a SysPrepped image doesn't receive WSUS updates](https://support.microsoft.com/help/4010909/computer-staged-from-a-sysprepped-image-doesn-t-receive-wsus-updates)
-- [Servicing stack update for Windows 10 Version 1703: June 13, 2017](https://support.microsoft.com/help/4022405/servicingstackupdateforwindows10version1703june13-2017)
-- [Servicing stack update for Windows 10 Version 1607 and Windows Server 2016: March 14, 2017](https://support.microsoft.com/help/4013418/servicing-stack-update-for-windows-10-version-1607-and-windows-server)
+## Solutions related to installing Windows Updates
+- [How does Windows Update work](https://docs.microsoft.com/en-us/windows/deployment/update/how-windows-update-works)
+- [Windows Update log files](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-logs)
+- [Windows Update troubleshooting](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting)
+- [Windows Update common errors and mitigation](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-errors)
+- [Windows Update - additional resources](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-resources)
+
+## Solutions related to installing or upgrading Windows
+
+- [Quick Fixes](https://docs.microsoft.com/en-us/windows/deployment/upgrade/quick-fixes)
+- [Troubleshooting upgrade errors](https://docs.microsoft.com/en-us/windows/deployment/upgrade/troubleshoot-upgrade-errors)
+- [Resolution procedures](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolution-procedures)
+- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
+- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/en-in/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
+
+## Solutions related to BitLocker
+
+- [BitLocker recovery guide](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan)
+- [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock)
+- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker)
+- [BitLocker Group Policy settings](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings)
## Solutions related to Bugchecks or Stop Errors
- [Troubleshooting Stop error problems for IT Pros](https://support.microsoft.com/help/3106831/troubleshooting-stop-error-problems-for-it-pros)
- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s)
- [How to troubleshoot Windows-based computer freeze issues](https://support.microsoft.com/help/3118553/how-to-troubleshoot-windows-based-computer-freeze-issues)
-- [Understanding Bugchecks](https://blogs.technet.microsoft.com/askperf/2007/12/18/understanding-bugchecks/)
-- [Understanding Crash Dump Files](https://blogs.technet.microsoft.com/askperf/2008/01/08/understanding-crash-dump-files/)
+- [Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows](https://support.microsoft.com/help/4133658)
+
+
+## Solutions related to Windows Boot issues
+- [Troubleshooting Windows boot problems for IT Pros](https://support.microsoft.com/help/4343769)
+- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s)
-## Solutions related to installing or upgrading Windows
-- [Resolve Windows 10 upgrade errors : Technical information for IT Pros](/windows/deployment/upgrade/resolve-windows-10-upgrade-errors)
-- [Windows OOBE fails when you start a new Windows-based computer for the first time](https://support.microsoft.com/help/4020048/windows-oobe-fails-when-you-start-a-new-windows-based-computer-for-the)
-- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
-- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
-- [Updates fix in-place upgrade to Windows 10 version 1607 problem](https://support.microsoft.com/help/4020149/updates-fix-in-place-upgrade-to-windows-10-version-1607-problem)
-- [OOBE update for Windows 10 Version 1703: May 9, 2017](https://support.microsoft.com/help/4020008)
-- [OOBE update for Windows 10 Version 1607: May 30, 2017](https://support.microsoft.com/help/4022632)
-- [OOBE update for Windows 10 Version 1511: May 30, 2017](https://support.microsoft.com/help/4022633)
## Solutions related to configuring or managing the Start menu
- [Manage Windows 10 Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies)
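Review bot: The new links hard-code a locale: the docs.microsoft.com entries use `/en-us/` and the two upgrade error entries use `support.microsoft.com/en-in/help/...`, whereas the lines they replace used locale-neutral `support.microsoft.com/help/...` URLs. Drop the locale segment so readers are served their own language. The WinRE article is also now listed twice, under both "Bugchecks or Stop Errors" and "Windows Boot issues", and `ms.date` moves to 11/08/2018 while other files in this patch are stamped 11/14/2018 or 11/16/2018; confirm both are intended.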
@@ -57,7 +66,8 @@ These are the top Microsoft Support solutions for the most common issues experie
- [Modern apps are blocked by security software when you start the applications on Windows 10 Version 1607](https://support.microsoft.com/help/4016973/modern-apps-are-blocked-by-security-software-when-you-start-the-applic)
## Solutions related to wireless networking and 802.1X authentication
-
+- [Advanced Troubleshooting Wireless Network](Connectivity]https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-wireless-network-connectivity)
+- [Advanced Troubleshooting 802.1x Authentication](https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-802-authentication)
+- [Troubleshooting Windows 802.11 Wireless Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10))
+- [Troubleshooting Windows Secure 802.3 Wired Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749352(v%3dws.10))
- [Windows 10 devices can't connect to an 802.1X environment](https://support.microsoft.com/kb/3121002)
-- [Windows 10 wireless connection displays "Limited" status](https://support.microsoft.com/kb/3114149)
-- [Computer that has VPN software installed can't detect wireless network after upgrading to Windows 10](https://support.microsoft.com/kb/3084164)
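Review bot: The first added link is malformed: `[Advanced Troubleshooting Wireless Network](Connectivity]https://...)` closes the link text after "Network" and puts "Connectivity]" inside the URL, so it will render as a broken link. It should be `[Advanced Troubleshooting Wireless Network Connectivity](https://...)`. The two previous-versions links also end in unescaped parentheses and encode the version differently, `(v=ws.10)` in one and `(v%3dws.10)` in the other; pick one form and verify both render and resolve. The `/en-us/` locale segment should be dropped here too.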
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index 585fe8822f..eea5619b50 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -84,7 +84,7 @@ Review the following tables for details about Office support in UE-V:
Microsoft PowerPoint 2016
Microsoft Project 2016
Microsoft Publisher 2016
-Microsoft SharePoint Designer 2013 (not udpated for 2016)
+Microsoft SharePoint Designer 2013 (not updated for 2016)
Microsoft Visio 2016
Microsoft Word 2016
Microsoft Office Upload Manager
diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md
index 70a65ed02e..b245647edf 100644
--- a/windows/configuration/wcd/wcd-devicemanagement.md
+++ b/windows/configuration/wcd/wcd-devicemanagement.md
@@ -50,7 +50,7 @@ Use to configure device management settings.
| ProtocolVersion | Select between **1.1** and **1.2** for the OMA DM protocol version that the server supports |
| **Role** | Select between **Enterprise** and **Mobile Operator** for the role mask that the DM session runs with when it communicates with the server |
| **ServerID** | Enter the OMA DM server's unique identifier for the current OMA DM account |
-| SSLClientCertSearchCriteria | Specify the client certificate search criteria, by subject attribute and certficate stores. For details, see [DMAcc configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmacc-csp). |
+| SSLClientCertSearchCriteria | Specify the client certificate search criteria, by subject attribute and certificate stores. For details, see [DMAcc configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmacc-csp). |
| UseHardwareDeviceID | Specify whether to use the hardware ID for the ./DevInfo/DevID parameter in the DM account to identify the device |
| UseNonceResync | Specify whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication |
@@ -90,4 +90,4 @@ In **PROVURL**, enter the URL for a Trusted Provisioning Server (TPS).
## Related topics
- [DMAcc configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/dmacc-csp)
-- [PXLOGICAL CSP](https://docs.microsoft.com/windows/client-management/mdm/pxlogical-csp)
\ No newline at end of file
+- [PXLOGICAL CSP](https://docs.microsoft.com/windows/client-management/mdm/pxlogical-csp)
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index a70b584daf..c1d98d727b 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -73,7 +73,7 @@ For more information about integrating on-premises AD DS domains with Azure AD,
## Preparing for deployment: reviewing requirements
-Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
+Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
## Assigning licenses to users
@@ -225,7 +225,7 @@ Use the following figures to help you troubleshoot when users experience these c
### Review requirements on devices
-Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
+Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
**To determine if a device is Azure Active Directory joined:**
diff --git a/windows/deployment/planning/windows-10-1809-removed-features.md b/windows/deployment/planning/windows-10-1809-removed-features.md
index fe64501dab..0c87d5a683 100644
--- a/windows/deployment/planning/windows-10-1809-removed-features.md
+++ b/windows/deployment/planning/windows-10-1809-removed-features.md
@@ -7,7 +7,7 @@ ms.localizationpriority: medium
ms.sitesec: library
author: lizap
ms.author: elizapo
-ms.date: 08/31/2018
+ms.date: 11/16/2018
---
# Features removed or planned for replacement starting with Windows 10, version 1809
@@ -32,7 +32,7 @@ We're removing the following features and functionalities from the installed pro
|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.|
|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.|
|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.|
-|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 8 and Windows Embedded 8 Standard|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx).|
+|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.|
## Features we’re no longer developing
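Review bot: The rewritten WEDU row keeps the Microsoft Update Catalog link as http://www.catalog.update.microsoft.com/Home.aspx; since the row is being edited anyway, switch it to https so readers are not pointed at an update download site over plain HTTP. The added "[Learn how]" link text is not descriptive on its own; making "Learn how to get updates from the catalog" the link text reads better and lets the trailing fragment go.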
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index 420b02b8a3..365142d77b 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: Jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 09/24/2018
+ms.date: 11/13/2018
---
# Servicing stack updates
@@ -28,6 +28,9 @@ Having the latest servicing stack update is a prerequisite to reliably installin
Currently, the servicing stack update releases are aligned with the monthly quality update release date, though sometimes they are released on a separate date if required.
+>[!NOTE]
+>You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
+
## What's the difference between a servicing stack update and a cumulative update?
Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 0b00273fa8..b44f133b50 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 06/01/2018
+ms.date: 11/16/2018
---
# Configure Windows Update for Business
@@ -20,10 +20,6 @@ ms.date: 06/01/2018
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still appear in some of our products.
->
->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
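Review bot: Deleting the whole IMPORTANT block removes the only place in this topic that maps CB and CBB to the current channel names, while the tables later in the file keep their version 1511 and 1607 policy rows, and the removed text itself says the old terms might still appear in products. Consider keeping a one-line mapping, or a link to waas-overview.md#naming-changes in the servicing channel section, instead of dropping it outright.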
@@ -40,83 +36,77 @@ By grouping devices with similar deferral periods, administrators are able to cl
>In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/).
-## Configure devices for Current Branch (CB) or Current Branch for Business (CBB)
-With Windows Update for Business, you can set a device to be on either the Current Branch (CB) (now called Semi-Annual Channel (Targeted)) or the Current Branch for Business (CBB) (now called Semi-Annual Channel) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels).
+
+## Configure devices for the appropriate service channel
+
+With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the Semi-Annual Channel servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels).
**Release branch policies**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
-| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
-| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
+| GPO for Windows 10, version 1607 or later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
+| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
+| MDM for Windows 10, version 1607 or later: ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
+| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
-Starting with version 1703, users are able to configure their device's branch readiness level, by going to **Settings > Update & security > Windows Update > Advanced options**.
+Starting with Windows 10, version 1703, users can configure the branch readiness level for their device by using **Settings > Update & security > Windows Update > Advanced options**.

>[!NOTE]
>Users will not be able to change this setting if it was configured by policy.
->[!IMPORTANT]
->Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
-## Configure when devices receive Feature Updates
+## Configure when devices receive feature updates
-After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
+After you configure the servicing branch (Windows Insider Preview or Semi-Annual Channel), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
>[!IMPORTANT]
->This policy does not apply to Windows 10 Mobile Enterprise.
>
->You can only defer up to 180 days prior to version 1703.
+>You can only defer up to 180 days on devices running Windows 10, version 1703.
-**Examples**
+For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.
-| Settings | Scenario and behavior |
-| --- | --- |
-| Device is on CBDeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Device will not receive update until February, 30 days later. |
-| Device is on CBBDeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Four months later, in April, Feature Update X is released to CBB. Device will receive the Feature Update 30 days following this CBB release and will update in May. |
-**Defer Feature Updates policies**
+**Policy settings for deferring feature updates**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
-| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays |
-| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
+| GPO for Windows 10, version 1607 later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
+| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays |
+| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
>[!NOTE]
->If not configured by policy, users can defer feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
+>If not configured by policy, individual users can defer feature updates by using **Settings > Update & security > Windows Update > Advanced options**.
-## Pause Feature Updates
+## Pause feature updates
-You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
+You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, you can then pause Feature Updates for the device again.
-Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date.
+Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
-In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
+In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date.
>[!IMPORTANT]
->This policy does not apply to Windows 10 Mobile Enterprise.
>
->Prior to Windows 10, version 1703, feature updates could be paused by up to 60 days. This number has been changed to 35, similar to the number of days for quality updates.
+>In Windows 10, version 1703 and later versions, you can pause feature updates to 35 days, similar to the number of days for quality updates.
-**Pause Feature Updates policies**
+**Policy settings for pausing feature updates**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate |
-| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates **1703:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate |
-| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
+| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates**1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate |
+| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate |
+| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
-You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+You can check the date that Feature Updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
-The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+The local group policy editor (GPEdit.msc) will not reflect whether the Feature Update pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking Feature Updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
| Value | Status|
| --- | --- |
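Review bot: The rewritten limit in the IMPORTANT block under "Configure when devices receive feature updates" changes meaning: the removed line said the 180-day cap applied "prior to version 1703", while the added line says it applies "on devices running Windows 10, version 1703", which conflicts with the 365-day maximum stated in the preceding paragraph. Suggest "on devices running versions earlier than Windows 10, version 1703". The pause section has a similar loss: the added line drops the earlier 60-day figure and reads "pause feature updates to 35 days", which should be "for up to 35 days". Both IMPORTANT blocks now start with an empty ">" line because only the Mobile Enterprise sentence was deleted; remove the leftover ">" as well. In the deferral table the first added row reads "version 1607 later" (missing "and"), and the tables mix "or later" with "and later". The intro sentence still says "servicing branch" under a heading that now says "service channel". Finally, confirm that the diagnostic data requirement removed with the other IMPORTANT block no longer applies, since nothing replaces it.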
@@ -125,58 +115,58 @@ The local group policy editor (GPEdit.msc) will not reflect if your Feature Upda
| 2 | Feature Updates have auto-resumed after being paused |
>[!NOTE]
->If not configured by policy, users can pause feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
+>If not configured by policy, individual users can pause feature updates by using **Settings > Update & security > Windows Update > Advanced options**.
-With version 1703, pausing through the settings app will provide a more consistent experience:
-- Any active restart notification are cleared or closed
-- Any pending restarts are canceled
-- Any pending update installations are canceled
-- Any update installation running when pause is activated will attempt to rollback
+Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically:
+- Any active restart notification are cleared or closed.
+- Any pending restarts are canceled.
+- Any pending update installations are canceled.
+- Any update installation running when pause is activated will attempt to roll back.
## Configure when devices receive Quality Updates
-Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
+Quality Updates are typically published on the first Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
-You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When this is done, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates.
+You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates.
>[!IMPORTANT]
>This policy defers both Feature and Quality Updates on Windows 10 Mobile Enterprise.
-**Defer Quality Updates policies**
+**Policy settings for deferring quality updates**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays |
-| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays |
-| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate |
+| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays |
+| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays |
+| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate |
>[!NOTE]
->If not configured by policy, users can defer quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
+>If not configured by policy, individual users can defer quality updates by using **Settings > Update & security > Windows Update > Advanced options**.
-## Pause Quality Updates
+## Pause quality updates
-You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the system will scan Windows Updates for applicable Quality Updates. Following this scan, Quality Updates for the device can then be paused again.
+You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality Updates. Following this scan, you can then pause quality Updates for the device again.
-Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date.
+Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
-In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
+In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date.
->[!IMPORTANT]
->This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise.
+>[!NOTE]
+>Starting with Windows 10, version 1809, IT administrators can prevent individual users from pausing updates.
-**Pause Quality Updates policies**
+**Policy settings for pausing quality updates**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime |
-| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates**1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime |
-| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
+| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime |
+| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates**1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime |
+| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
-You can check the date that Quality Updates were paused at by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+You can check the date that quality Updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
-The local group policy editor (GPEdit.msc) will not reflect if your Quality Update Pause period has expired. Although the device will resume Quality Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Quality Updates, you can check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+The local group policy editor (GPEdit.msc) will not reflect whether the quality Update pause period has expired. Although the device will resume quality Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
| Value | Status|
| --- | --- |
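Review bot: The new NOTE in "Pause quality updates" says that starting with version 1809 IT administrators can prevent individual users from pausing updates, but it does not name the Group Policy or MDM setting that does this, and none of the tables in this hunk lists one; add the setting name or a link so the note is actionable. In the same section's table, the GPO and MDM rows still label the start-time key "**1703:**" while the feature-update rows were changed to "**1703 and later:**". Capitalization is now mixed ("quality Updates", "Feature Updates", "feature updates"), and the heading "Configure when devices receive Quality Updates" was left in title case while its siblings were lowercased. The added bullet "Any active restart notification are cleared or closed." should read "notifications". Since the publishing sentence was rewritten anyway, check "first Tuesday of every month": Microsoft's regular monthly release day is the second Tuesday.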
@@ -185,21 +175,22 @@ The local group policy editor (GPEdit.msc) will not reflect if your Quality Upda
| 2 | Quality Updates have auto-resumed after being paused |
>[!NOTE]
->If not configured by policy, users can pause quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
+>If not configured by policy, individual users can pause quality updates by using **Settings > Update & security > Windows Update > Advanced options**.
-With version 1703, pausing through the settings app will provide a more consistent experience:
+Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically:
- Any active restart notification are cleared or closed
- Any pending restarts are canceled
- Any pending update installations are canceled
- Any update installation running when pause is activated will attempt to rollback
-## Configure when devices receive Windows Insider preview builds
+## Configure when devices receive Windows Insider Preview builds
Starting with Windows 10, version 1709, you can set policies to manage preview builds and their delivery:
The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
* MDM: **Update/ManagePreviewBuilds**
+* System Center Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy**
>[!IMPORTANT]
>This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here:
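Review bot: The four bullets in the quality-update pause list are left as unchanged context, so they no longer match the identical list this patch edited in the feature-update section (periods added, "rollback" changed to "roll back"); apply the same edits here. The added System Center Configuration Manager bullet bolds a description ("Enable dual scan, manage through Windows Update for Business policy") where the other two bullets bold a policy path or name, so it is unclear what an administrator should select; give the actual setting location. The trailing context line also carries a stray "under" in "policy under that is only supported", which is worth fixing while this section is open.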
@@ -212,18 +203,18 @@ The policy settings to **Select when Feature Updates are received** allows you t
## Exclude drivers from Quality Updates
-In Windows 10, starting with version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete.
+Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to Feature Updates, where drivers might be dynamically installed to ensure the Feature Update process can complete.
-**Exclude driver policies**
+**Policy settings to exclude drivers**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
+| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
-## Summary: MDM and Group Policy for version 1703
+## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later
-Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607 and above.
+The following are quick-reference tables of the supported policy values for Windows Update for Business in Windows 10, version 1607 and later.
**GPO: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
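Review bot: The new heading says "Windows 10, version 1703 and later", but the reworded sentence directly under it still says the tables cover "Windows 10, version 1607 and later"; the two version numbers should agree. In the first rewritten paragraph of this hunk, "This policy will not apply" would read better in the present tense ("does not apply"), matching the rest of the rewrite.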
@@ -252,25 +243,14 @@ Below are quick-reference tables of the supported Windows Update for Business po
## Update devices to newer versions
-Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, also uses a few GPO and MDM keys that are different to what's available in version 1607. However, Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
+Due to the changes in Windows Update for Business, Windows 10, version 1607 uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703 also uses a few GPO and MDM keys that are different from those available in version 1607. However, Windows Update for Business devices running older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
### How older version policies are respected on newer versions
-When a client running a newer version sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for it's version. If these are not present, it will then check to see if any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent.
+When a device running a newer version sees an update available on Windows Update, the device first evaluates and executes the Windows Updates for Business policy keys for its current (newer) version. If these are not present, it then checks whether any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent.
-### Comparing the version 1511 keys to the version 1607 keys
-In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates. In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other.
-
-Group Policy keysVersion 1511 GPO keys | Version 1607 GPO keys |
-**DeferUpgrade**: *enable/disable*Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***Pause**: *enable/disable*Enabling will pause both upgrades and updates for a max of 35 days | **DeferFeatureUpdates**: *enable/disable***BranchReadinessLevel**Set device on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable*Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdates**: *Enable/disable***DeferQualityUpdatesPeriodinDays**: *0 - 35 days***PauseQualityUpdates**: *enable/disable*Enabling will pause Quality updates for a max of 35 days**ExcludeWUDrivers**: *enable/disable* |
-
-
-MDM keysVersion 1511 MDM keys | Version 1607 MDM keys |
-**RequireDeferUpgade**: *bool*Puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***PauseDeferrals**: *bool*Enabling will pause both upgrades and updates for a max of 35 days | **BranchReadinessLevel**Set system on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable*Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdatesPeriodinDays**: *0 - 35 days***PauseQualityUpdates**: *enable/disable*Enabling will pause Quality updates for a max of 35 days**ExcludeWUDriversInQualityUpdate**: *enable/disable* |
-
-
-### Comparing the version 1607 keys to the version 1703 keys
+### Comparing keys in Windows 10, version 1607 to Windows 10, version 1703
| Version 1607 key | Version 1703 key |
| --- | --- |
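Review bot: In the rewritten paragraph under "How older version policies are respected on newer versions", "Windows Updates for Business" should be "Windows Update for Business", and "checks whether any of the older version keys are set and defer accordingly" needs "defers". This hunk also deletes the whole version 1511 to version 1607 key comparison (DeferUpgrade, DeferUpgradePeriod, Pause and their 1607 replacements), while the paragraph above still tells readers that version 1511 keys are ported forward and honored. Keep a short mapping or link to where it now lives, otherwise administrators upgrading from version 1511 have no reference for which old key corresponds to which new one.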
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index bab0085402..4df6cd83e0 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 06/01/2018
+ms.date: 11/16/2018
---
# Deploy updates using Windows Update for Business
@@ -20,12 +20,9 @@ ms.date: 06/01/2018
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still apear in some of our products.
->
->In the following settings, CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
-Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices.
+
+Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined devices. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices.
Specifically, Windows Update for Business allows for:
@@ -35,7 +32,7 @@ Specifically, Windows Update for Business allows for:
- Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution.
- Control over diagnostic data level to provide reporting and insights in Windows Analytics.
-Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education.
+Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education editions.
>[!NOTE]
>See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10.
@@ -48,79 +45,70 @@ Windows Update for Business provides three types of updates to Windows 10 device
- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates.
- **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
-Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business.
+Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a deferral period of 365 days, the update will not be offered until 365 days after that update was released).
-| Category | Maximum deferral | Deferral increments | Example | Classification GUID |
+| Category | Maximum deferral | Deferral increments | Example | WSUS classification GUID |
| --- | --- | --- | --- | --- |
-| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 daysIn Windows 10, version 1703 maximum is 365 | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
-| Quality Updates | 30 days | Days | Security updatesDrivers (optional)Non-security updatesMicrosoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83varies |
+| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 days.From Windows 10, version 1703 to version 1809, the maximum is 365 days. | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
+| Quality Updates | 30 days | Days | Security updatesDrivers (optional)Non-security updatesMicrosoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83varies |
| Non-deferrable | No deferral | No deferral | Definition updates | E0789628-CE08-4437-BE74-2495B842F43B |
>[!NOTE]
>For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/library/ff357803.aspx).
-## Changes to Windows Update for Business in Windows 10, version 1709
+## Windows Update for Business in various Windows 10 versions
-The group policy path for Windows Update for Business was changed to correctly reflect its association to Windows Update for Business.
+Windows Update for Business was first available in Windows 10, version 1511. This diagram lists new or changed capabilities and updated behavior in subsequent versions.
-| Prior to Windows 10, version 1709 | Windows 10, version 1709 |
-| --- | --- |
-| Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Update | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business |
-We have added the ability to manage Windows Insider preview builds and their delivery:
+| Windows 10, version 1511 | 1607 | 1703 | 1709 | 1803 | 1809 |
+| --- | --- | --- | --- | --- | --- |
+| Defer quality updatesDefer feature updatesPause updates | All 1511 features, plus: **WSUS integration** | All 1607 features, plus **Settings controls** | All 1703 features, plus **Ability to set slow vs. fast Insider Preview branch** | All 1709 features, plus **Uninstall updates remotely** | All 1803 features, plus **Option to use default automatic updates****Ability to set separate deadlines for feature vs. quality updates****Admins can prevent users from pausing updates**
+## Managing Windows Update for Business with Group Policy
-The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
-* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
-* MDM: **Update/ManagePreviewBuilds**
+The group policy path for Windows Update for Business has changed to correctly reflect its association to Windows Update for Business and provide the ability to easily manage pre-release Windows Insider Preview builds in Windows 10, version 1709.
->[!IMPORTANT]
->This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here:
->* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds**
->* MDM: **System/AllowBuildPreview**
+| Action | Windows 10 versions prior to 1709 | Windows 10 versions after 1709 |
+| --- | --- | --- |
+| Set Windows Update for Business Policies | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Update | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business |
+| Manage Windows Insider Preview builds | Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds | Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business - *Manage preview builds* |
+| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received (Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business - **Select when Preview Builds and Feature Updates are received**) |
-The policy settings to **Select when Feature Updates are received** is now called **Select when Preview Builds and Feature Updates are received**. In addition to previous functionality, it now allows you to choose between preview flight rings, and allows you to defer or pause their delivery.
-* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received*
-* MDM: **Update/BranchReadinessLevel**
+## Managing Windows Update for Business with MDM
-## Changes to Windows Update for Business in Windows 10, version 1703
+Starting with Windows 10, version 1709, Windows Update for Business was changed to correctly reflect its association to Windows Update for Business and provide the ability to easily manage Windows Insider Preview builds in 1709.
-### Options added to Settings
+| Action | Windows 10 versions prior to 1709 | Windows 10 versions after 1709 |
+| --- | --- | --- |
+| Manage Windows Insider Preview builds | System/AllowBuildPreview | Update/ManagePreviewBuilds |
+| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received (Update/BranchReadinessLevel) |
-We have added a few controls into settings to allow users to control Windows Update for Business through an interface.
-- [Configuring the device's branch readiness level](waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), through **Settings > Update & security > Windows Update > Advanced options**
-- [Pausing feature updates](waas-configure-wufb.md#pause-feature-updates), through **Settings > Update & security > Window Update > Advanced options**
+## Managing Windows Update for Business with Software Center Configuration Manager
-### Adjusted time periods
+Starting with Windows 10, version 1709, you can assign a collection of devices to have dual scan enabled and manage that collection with Windows Update for Business policies. Starting with Windows 10, version 1809, you can set a collection of devices to receive the Windows Insider Preview Feature Updates from Windows Update from within Software Center Configuration Manager.
-We have adjusted the maximum pause period for both quality and feature updates to be 35 days, as opposed to 30 and 60 days previously, respectively.
+| Action | Windows 10 versions between 1709 and 1809 | Windows 10 versions after 1809 |
+| --- | --- | --- |
+| Manage Windows Update for Business in Configuration Manager | Manage Feature or Quality Updates with Windows Update for Business via Dual Scan | Manage Insider pre-release builds with Windows Update for Business within Software Center Configuration Manager |
-We have also adjusted the maximum feature update deferral period to be 365 days, as opposed to 180 days previously.
+## Managing Windows Update for Business with Windows Settings options
+Windows Settings includes options to control certain Windows Update for Business features:
-### Additional changes
+- [Configure the readiness level](waas-configure-wufb.md#configure-devices-for-the-appropriate-service-channel) for a branch by using **Settings > Update & security > Windows Update > Advanced options**
+- [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) by using Settings > Update & security > Window Update > Advanced options
-The pause period is now calculated starting from the set start date. For additional details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). Due to that, some policy keys are now named differently. For more information, see [Comparing the version 1607 keys to the version 1703 keys](waas-configure-wufb.md#comparing-the-version-1607-keys-to-the-version-1703-keys).
+## Other changes in Windows Update for Business in Windows 10, version 1703 and later releases
-## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607
-Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior.
+### Pause and deferral periods
->[!NOTE]
->For more information on Current Branch (Semi-Annual Channel (Targeted)) and Current Branch for Business (Semi-Annual Channel), see [Windows 10 servicing options](waas-overview.md#servicing-channels).
+The maximum pause time period is 35 days for both quality and feature updates. The maximum deferral period for feature updates is 365 days.
-
-
- Capability | Windows 10, version 1511 | Windows 10, version 1607 |
-
-
-
- Select servicing options: CB or CBB | Not available. To defer updates, all systems must be on the Current Branch for Business (CBB) | Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB). |
-Quality Updates | Able to defer receiving Quality Updates: - Up to 4 weeks
- In weekly increments
| Able to defer receiving Quality Updates: - Up to 30 days
- In daily increments
|
-Feature Updates | Able to defer receiving Feature Updates: - Up to 8 months
- In monthly increments
| Able to defer receiving Feature Updates: - Up to 180 days
- In daily increments
|
-Pause updates | - Feature Updates and Quality Updates paused together
- Maximum of 35 days
| Features and Quality Updates can be paused separately. - Feature Updates: maximum 60 days
- Quality Updates: maximum 35 days
|
-Drivers | No driver-specific controls | Drivers can be selectively excluded from Windows Update for Business. |
-
+Also, the pause period is calculated from the set start date. For more details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). As a result, certain policy keys have different names; see the "Comparing keys in Windows 10, version 1607 to Windows 10, version 1703" section in [Configure Windows Update for Business](waas-configure-wufb.md) for details.
-## Monitor Windows Updates using Update Compliance
+
+
+## Monitor Windows Updates by using Update Compliance
Update Compliance, now **available in public preview**, provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated.
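Review bot: The only data row of the new version table (the one starting "| Defer quality updatesDefer feature updatesPause updates |") has no closing pipe and is followed immediately by "## Managing Windows Update for Business with Group Policy" with no blank line, so the heading is likely to render as part of the table; add the trailing "|" and a blank line. The sentence introducing it says "This diagram lists" although it is a table. The new Configuration Manager section says "Software Center Configuration Manager" three times, while other files in this patch say "System Center Configuration Manager"; use one product name. The column headings "prior to 1709" and "after 1709" leave version 1709 itself unassigned even though the text says "Starting with Windows 10, version 1709", and the same applies to "between 1709 and 1809" and "after 1809". The MDM intro says Windows Update for Business "was changed to correctly reflect its association to Windows Update for Business", which is circular; say what changed, as the Group Policy intro does with the policy path. "Window Update" in the Pause feature updates bullet is a typo, and that bullet lost the bold used on the bullet above it.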
diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
index 8446553143..70cba0bcec 100644
--- a/windows/deployment/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -54,7 +54,7 @@ Windows 10 quality update downloads can be large because every package contains
>Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
### How Microsoft supports Express
-- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update.
+- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update.
- **Express on WSUS Standalone**
Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 643e549073..49a13d74fc 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -28,9 +28,16 @@ Using Group Policy to manage Windows Update for Business is simple and familiar:
In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch.
->[!NOTE]
+>[!NOTES]
>The terms *feature updates* and *quality updates* in Windows 10, version 1607, correspond to the terms *upgrades* and *updates* in version 1511.
+>To follow the instructions in this article, you will need to download and install the relevant ADMX templates for your Windows 10 version.
+>See the following articles for instructions on the ADMX templates in your environment.
+
+> - [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759)
+> - [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/)
+
+
To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades.
## Configure Windows Update for Business in Windows 10 version 1511
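Review bot: `[!NOTES]` is not an alert type used anywhere else in this patch (the other files use `[!NOTE]` and `[!IMPORTANT]`), so this block will probably render as a plain quote showing the literal tag; keep `[!NOTE]`. The added blank line before the two links also ends the quote block, so the link list becomes a separate quote detached from the sentence that introduces it; drop that blank line or prefix it with ">". "See the following articles for instructions on the ADMX templates in your environment" is missing a verb such as "managing".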
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index 596c5c9540..d6cdab7ce2 100644
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -66,7 +66,7 @@ Figure 2. The imported Windows 10 operating system after you rename it.
- Task sequence ID: W10-X64-UPG
- Task sequence name: Windows 10 Enterprise x64 RTM Upgrade
- Template: Standard Client Upgrade Task Sequence
- - Select OS: Windows 10 Enterprise x64 RTM RTM Default Image
+ - Select OS: Windows 10 Enterprise x64 RTM Default Image
- Specify Product Key: Do not specify a product key at this time
- Full Name: Contoso
- Organization: Contoso
@@ -103,4 +103,4 @@ After the task sequence completes, the computer will be fully upgraded to Window
[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-
\ No newline at end of file
+
diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md
index dab69519b0..e16013f4db 100644
--- a/windows/deployment/windows-autopilot/TOC.md
+++ b/windows/deployment/windows-autopilot/TOC.md
@@ -3,6 +3,7 @@
### [Configuration requirements](windows-autopilot-requirements-configuration.md)
### [Network requirements](windows-autopilot-requirements-network.md)
### [Licensing requirements](windows-autopilot-requirements-licensing.md)
+### [Intune Connector (preview)](intune-connector.md)
## [Scenarios and Capabilities](windows-autopilot-scenarios.md)
### [Support for existing devices](existing-devices.md)
### [User-driven mode](user-driven.md)
diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md
index 46286ceb3f..0eefe9fc9f 100644
--- a/windows/deployment/windows-autopilot/autopilot-faq.md
+++ b/windows/deployment/windows-autopilot/autopilot-faq.md
@@ -69,7 +69,7 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
| Question | Answer |
| --- | --- |
-| How does Autopilot handle motherboard replacement scenarios?” | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image - as is the case today.
To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K HH (or device ID).
**Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K HH info via a CSV file to customer, and let customer reregister the device via MSfB or Intune.|
+| How does Autopilot handle motherboard replacement scenarios?” | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image - as is the case today.
To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K HH (or device ID).
**Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K HH info via a CSV file to customer, and let customer reregister the device via MSfB or Intune.|
## SMBIOS
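Review bot: The replacement row fixes "the the" but carries over other errors in the same cell: "out for scope" should be "out of scope", the question ends with a stray closing quote (?”), and "would either have to send the new 4K HH info ... and let customer reregister" uses "either" with no alternative. The cell also spells the same action both "re-registered" and "reregister". Since the line is already being rewritten, fix these in the same change.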
diff --git a/windows/deployment/windows-autopilot/images/connector-fail.png b/windows/deployment/windows-autopilot/images/connector-fail.png
new file mode 100644
index 0000000000..2d8abb5785
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/connector-fail.png differ
diff --git a/windows/deployment/windows-autopilot/intune-connector.md b/windows/deployment/windows-autopilot/intune-connector.md
new file mode 100644
index 0000000000..cc2d85e737
--- /dev/null
+++ b/windows/deployment/windows-autopilot/intune-connector.md
@@ -0,0 +1,66 @@
+---
+title: Intune Connector (preview) requirements
+description: Intune Connector (preview) issue workaround
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 11/13/2018
+---
+
+
+# Intune Connector (preview) language requirements
+
+**Applies to: Windows 10**
+
+Microsoft has released a [preview for Intune connector for Active Directory](https://docs.microsoft.com/intune/windows-autopilot-hybrid) that enables user-driven [Hybrid Azure Active Directory join](user-driven-hybrid.md) for Windows Autopilot.
+
+In this preview version of the Intune Connector, you might receive an error message indicating a setup failure with the following error code and message:
+
+**0x80070658 - Error applying transforms. Verify that the specified transform paths are valid.**
+
+See the following example:
+
+
+
+This error can be resolved by ensuring that the member server where Intune Connector is running has one of the following language packs installed and configured to be the default keyboard layout:
+
+en-US
+cs-CZ
+da-DK
+de-DE
+el-GR
+es-ES
+fi-FI
+fr-FR
+hu-HU
+it-IT
+ja-JP
+ko-KR
+nb-NO
+nl-NL
+pl-PL
+pt-BR
+ro-RO
+ru-RU
+sv-SE
+tr-TR
+zh-CN
+zh-TW
+
+This solution is a workaround and will be fully resolved in a future release of the Intune Connector.
+
+To change the default keyboard layout:
+
+1. Click **Settings > Time & language > Region and language**
+2. Select one of the languages listed above and choose **Set as default**.
+
+Note: If the language you need isn't listed, you can add additional languages by selecting **Add a language**.
+
+
+
+
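Review bot: The locale list that follows "has one of the following language packs installed" is added as bare consecutive lines (`en-US`, `cs-CZ`, ...), which Markdown collapses into one run-on paragraph; make each locale a `-` list item. The same sentence asks for a language pack "configured to be the default keyboard layout", while the steps further down set a default language under **Region and language**, so state which of the two settings the Connector setup actually depends on. The front matter title ("requirements"), the description ("issue workaround") and the H1 ("language requirements") describe three different things and should agree. No image reference is visible after "See the following example:" even though this patch adds `images/connector-fail.png`, so check that the screenshot is actually linked.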
diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md
index 88e4a87f15..a5fa678ff4 100644
--- a/windows/deployment/windows-autopilot/user-driven-hybrid.md
+++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greg-lindsay
-ms.date: 11/07/2018
+ms.date: 11/12/2018
---
@@ -23,7 +23,6 @@ Windows Autopilot requires that devices be Azure Active Directory joined. If you
To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:
-- Users must be able to join devices to Azure Active Directory.
- A Windows Autopilot profile for user-driven mode must be created and
- **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile.
- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group.
@@ -32,6 +31,8 @@ To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:
- The Intune Connector for Active Directory must be installed.
- Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf.
+**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default.
+
## Step by step instructions
See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid).
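Review bot: The added **AAD device join** paragraph says the join runs in the system context and "is not affected by user based AAD join permission settings", which means a tenant that restricts which users may join devices gets no control over this flow from that setting; say that directly and state which controls do apply, for example the Autopilot profile assignment and the Connector's delegated rights described in the note just above. The closing sentence "all users are enabled to join devices to AAD by default" then reads as if the setting still mattered here, so either drop it or tie it to the requirement this patch removes from the list earlier in the file. Also hyphenate "user-based".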
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
index 2b9a7d76f8..e7df24a12c 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
@@ -26,12 +26,13 @@ Windows Autopilot depends on specific capabilities available in Windows 10 and A
- Enterprise
- Education
- One of the following, to provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality:
- - Microsoft 365 Business subscriptions
- - Microsoft 365 F1 subscriptions
- - Microsoft 365 Enterprise E3 or E5 subscriptions, which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune)
- - Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features
- - Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service)
+ - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business)
+ - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline)
+ - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx)
+ - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune)
+ - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features
+ - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/en-us/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service)
Additionally, the following are also recommended but not required:
-- Office 365 ProPlus, which can be deployed easily via Intune (or other MDM services)
+- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services)
- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise
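Review bot: Every link added in this hunk hard-codes the `en-us` locale (for example `https://www.microsoft.com/en-us/microsoft-365/business`), while the docs.microsoft.com link kept on the last line of the hunk carries no locale segment; drop `/en-us/` wherever the target accepts a locale-less URL so readers are not pinned to the English pages. The hunk also introduces a new entry, "Microsoft 365 Academic A1, A3, or A5 subscriptions", inside what is otherwise a link-only change, so the licensing addition should be called out in the change description and confirmed against the current licensing terms.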
diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md
index 6148d1201c..5a0db3b73e 100644
--- a/windows/privacy/TOC.md
+++ b/windows/privacy/TOC.md
@@ -14,7 +14,10 @@
## Full level categories
### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md)
### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
-## [Manage Windows 10 connection endpoints](manage-windows-endpoints.md)
+## Manage Windows 10 connection endpoints
+### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
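Review bot: The new parent node lists Enterprise endpoint pages for versions 1709, 1803 and 1809, but the non-Enterprise entries kept below it stop at 1803; confirm that an 1809 non-Enterprise page is intentionally absent. Turning "Manage Windows 10 connection endpoints" from a link into a plain heading also leaves the node without a landing page, so verify that inbound links to the old `manage-windows-endpoints.md` path still resolve to something sensible.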
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index c0acd3cd73..22aa33e4b3 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -335,7 +335,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -671,7 +671,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4460,7 +4460,7 @@ The following fields are available:
- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index 7ed5621811..8e49f96e10 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -359,7 +359,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -706,7 +706,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4726,7 +4726,7 @@ The following fields are available:
- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index 1a5a1aa9c7..8fed168ec8 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -372,7 +372,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -715,7 +715,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -5802,7 +5802,7 @@ The following fields are available:
- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index b83547ea2a..f86fc65600 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -666,7 +666,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1013,7 +1013,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -5302,7 +5302,7 @@ The following fields are available:
- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
diff --git a/windows/privacy/gdpr-win10-whitepaper.md b/windows/privacy/gdpr-win10-whitepaper.md
index 5a54e998e6..a8a0214f4a 100644
--- a/windows/privacy/gdpr-win10-whitepaper.md
+++ b/windows/privacy/gdpr-win10-whitepaper.md
@@ -293,7 +293,7 @@ For example, employees can’t send protected work files from a personal email a
#### Capabilities to classify, assign permissions and share data
Windows Information Protection is designed to coexist with advanced data loss prevention (DLP) capabilities found in Office 365 ProPlus, Azure Information Protection, and Azure Rights Management. Advanced DLP prevents printing, for example, or protects work data that is emailed outside your company.
-To continously protect your data, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android or Windows, the classification and protection needs to be built into the file itself, so this protection can travel with the data wherever it goes. Microsoft Azure Information Protection (AIP) is designed to provide this persistent data protection both on-premises and in the cloud.
+To continuously protect your data, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android or Windows, the classification and protection needs to be built into the file itself, so this protection can travel with the data wherever it goes. Microsoft Azure Information Protection (AIP) is designed to provide this persistent data protection both on-premises and in the cloud.
Data classification is an important part of any data governance plan. Adopting a classification scheme that applies throughout your business can be particularly helpful in responding to what the GDPR calls data subject (for example, your EU employee or customer) requests, because it enables enterprises to identify more readily and process personal data requests.
@@ -332,4 +332,4 @@ This article does not provide you with any legal rights to any intellectual prop
Published September 2017
Version 1.0
-© 2017 Microsoft. All rights reserved.
\ No newline at end of file
+© 2017 Microsoft. All rights reserved.
diff --git a/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md
new file mode 100644
index 0000000000..ee8ecf4a8b
--- /dev/null
+++ b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md
@@ -0,0 +1,92 @@
+---
+title: MICROSOFT WINDOWS DIAGNOSTIC DATA FOR POWERSHELL
+description: MICROSOFT SOFTWARE LICENSE TERMS
+keywords: privacy, license, terms
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: danihalfin
+ms.author: daniha
+ms.date: 11/16/2018
+robots: noindex,nofollow
+---
+
+MICROSOFT SOFTWARE LICENSE TERMS
+
+MICROSOFT WINDOWS DIAGNOSTIC DATA FOR POWERSHELL
+
+
+
+These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the software named above and any Microsoft services or software updates (except to the extent such services or updates are accompanied by new or additional terms, in which case those different terms apply prospectively and do not alter your or Microsoft’s rights relating to pre-updated software or services). IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW. BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS.
+
+1. INSTALLATION AND USE RIGHTS.
+
+a) General. You may install and use any number of copies of the software.
+
+b) Third Party Software. The software may include third party applications that Microsoft, not the third party, licenses to you under this agreement. Any included notices for third party applications are for your information only.
+
+2. DATA COLLECTION. The software may collect information about you and your use of the software and send that to Microsoft. Microsoft may use this information to provide services and improve Microsoft’s products and services. Your opt-out rights, if any, are described in the product documentation. Some features in the software may enable collection of data from users of your applications that access or use the software. If you use these features to enable data collection in your applications, you must comply with applicable law, including getting any required user consent, and maintain a prominent privacy policy that accurately informs users about how you use, collect, and share their data. You can learn more about Microsoft’s data collection and use in the product documentation and the Microsoft Privacy Statement at https://go.microsoft.com/fwlink/?LinkId=512132. You agree to comply with all applicable provisions of the Microsoft Privacy Statement.
+
+3. SCOPE OF LICENSE. The software is licensed, not sold. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you will not (and have no right to):
+
+a) work around any technical limitations in the software that only allow you to use it in certain ways;
+
+b) reverse engineer, decompile or disassemble the software;
+
+c) remove, minimize, block, or modify any notices of Microsoft or its suppliers in the software;
+
+d) use the software in any way that is against the law or to create or propagate malware; or
+
+e) share, publish, distribute, or lend the software, provide the software as a stand-alone hosted solution for others to use, or transfer the software or this agreement to any third party.
+
+4. EXPORT RESTRICTIONS. You must comply with all domestic and international export laws and regulations that apply to the software, which include restrictions on destinations, end users, and end use. For further information on export restrictions, visit http://aka.ms/exporting.
+
+5. SUPPORT SERVICES. Microsoft is not obligated under this agreement to provide any support services for the software. Any support provided is “as is”, “with all faults”, and without warranty of any kind.
+
+6. ENTIRE AGREEMENT. This agreement, and any other terms Microsoft may provide for supplements, updates, or third-party applications, is the entire agreement for the software.
+
+7. APPLICABLE LAW AND PLACE TO RESOLVE DISPUTES. If you acquired the software in the United States or Canada, the laws of the state or province where you live (or, if a business, where your principal place of business is located) govern the interpretation of this agreement, claims for its breach, and all other claims (including consumer protection, unfair competition, and tort claims), regardless of conflict of laws principles. If you acquired the software in any other country, its laws apply. If U.S. federal jurisdiction exists, you and Microsoft consent to exclusive jurisdiction and venue in the federal court in King County, Washington for all disputes heard in court. If not, you and Microsoft consent to exclusive jurisdiction and venue in the Superior Court of King County, Washington for all disputes heard in court.
+
+8. CONSUMER RIGHTS; REGIONAL VARIATIONS. This agreement describes certain legal rights. You may have other rights, including consumer rights, under the laws of your state, province, or country. Separate and apart from your relationship with Microsoft, you may also have rights with respect to the party from which you acquired the software. This agreement does not change those other rights if the laws of your state, province, or country do not permit it to do so. For example, if you acquired the software in one of the below regions, or mandatory country law applies, then the following provisions apply to you:
+
+a) Australia. You have statutory guarantees under the Australian Consumer Law and nothing in this agreement is intended to affect those rights.
+
+b) Canada. If you acquired this software in Canada, you may stop receiving updates by turning off the automatic update feature, disconnecting your device from the Internet (if and when you re-connect to the Internet, however, the software will resume checking for and installing updates), or uninstalling the software. The product documentation, if any, may also specify how to turn off updates for your specific device or software.
+
+c) Germany and Austria.
+
+i. Warranty. The properly licensed software will perform substantially as described in any Microsoft materials that accompany the software. However, Microsoft gives no contractual guarantee in relation to the licensed software.
+
+ii. Limitation of Liability. In case of intentional conduct, gross negligence, claims based on the Product Liability Act, as well as, in case of death or personal or physical injury, Microsoft is liable according to the statutory law.
+
+Subject to the foregoing clause ii., Microsoft will only be liable for slight negligence if Microsoft is in breach of such material contractual obligations, the fulfillment of which facilitate the due performance of this agreement, the breach of which would endanger the purpose of this agreement and the compliance with which a party may constantly trust in (so-called "cardinal obligations"). In other cases of slight negligence, Microsoft will not be liable for slight negligence.
+
+9. DISCLAIMER OF WARRANTY. THE SOFTWARE IS LICENSED “AS IS.” YOU BEAR THE RISK OF USING IT. MICROSOFT GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. TO THE EXTENT PERMITTED UNDER APPLICABLE LAWS, MICROSOFT EXCLUDES ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
+
+10. LIMITATION ON AND EXCLUSION OF DAMAGES. IF YOU HAVE ANY BASIS FOR RECOVERING DAMAGES DESPITE THE PRECEDING DISCLAIMER OF WARRANTY, YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
+
+This limitation applies to (a) anything related to the software, services, content (including code) on third party Internet sites, or third party applications; and (b) claims for breach of contract, warranty, guarantee, or condition; strict liability, negligence, or other tort; or any other claim; in each case to the extent permitted by applicable law.
+
+It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your state, province, or country may not allow the exclusion or limitation of incidental, consequential, or other damages.
+
+
+
+Please note: As this software is distributed in Canada, some of the clauses in this agreement are provided below in French.
+
+Remarque: Ce logiciel étant distribué au Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en français.
+
+EXONÉRATION DE GARANTIE. Le logiciel visé par une licence est offert « tel quel ». Toute utilisation de ce logiciel est à votre seule risque et péril. Microsoft n’accorde aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection des consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont exclues.
+
+LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices.
+
+Cette limitation concerne:
+
+• tout ce qui est relié au logiciel, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers; et
+
+• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur.
+
+Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel dommage. Si votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne s’appliquera pas à votre égard.
+
+EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres droits prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas.
\ No newline at end of file
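Review bot: The new file ends without a trailing newline ("\ No newline at end of file"), the same defect this patch corrects in gdpr-win10-whitepaper.md; add the final newline. The front matter sets `ms.pagetype: security` on a page that contains only license terms, which looks copied from another page, and the lettered sub-clauses (`a)`, `b)`, `i.`) are plain paragraphs at the same level as the numbered clauses, so check that the rendered page keeps the clause hierarchy readable.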
diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md
new file mode 100644
index 0000000000..92c2dfc96e
--- /dev/null
+++ b/windows/privacy/manage-windows-1709-endpoints.md
@@ -0,0 +1,488 @@
+---
+title: Connection endpoints for Windows 10, version 1709
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+author: danihalfin
+ms.author: daniha
+ms.date: 6/26/2018
+---
+# Manage connection endpoints for Windows 10, version 1709
+
+**Applies to**
+
+- Windows 10, version 1709
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
+
+This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it.
+
+We used the following methodology to derive these network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 Enterprise connection endpoints
+
+## Apps
+
+The following endpoint is used to download updates to the Weather app Live Tile.
+If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| explorer | HTTP | tile-service.weather.microsoft.com |
+
+The following endpoint is used for OneNote Live Tile.
+To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
+
+The following endpoints are used for Twitter updates.
+To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wildcard.twimg.com |
+| svchost.exe | | oem.twimg.com/windows/tile.xml |
+
+The following endpoint is used for Facebook updates.
+To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | star-mini.c10r.facebook.com |
+
+The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
+To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
+
+The following endpoint is used for Candy Crush Saga updates.
+To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | TLS v1.2 | candycrushsoda.king.com |
+
+The following endpoint is used for by the Microsoft Wallet app.
+To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
+
+The following endpoint is used by the Groove Music app for update HTTP handler status.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
+
+## Cortana and Search
+
+The following endpoint is used to get images that are used for Microsoft Store suggestions.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui | HTTPS |store-images.s-microsoft.com |
+
+The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/client |
+
+The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/proactive |
+
+The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
+
+## Certificates
+
+The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
+
+Additionally, it is used to download certificates that are publicly known to be fraudulent.
+These settings are critical for both Windows security and the overall security of the Internet.
+We do not recommend blocking this endpoint.
+If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com |
+
+## Device authentication
+
+The following endpoint is used to authenticate a device.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | login.live.com/ppsecure |
+
+## Device metadata
+
+The following endpoint is used to retrieve device metadata.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | dmd.metaservices.microsoft.com.akadns.net |
+
+## Diagnostic Data
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
+
+The following endpoints are used by Windows Error Reporting.
+To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| wermgr | | watson.telemetry.microsoft.com |
+| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
+
+## Font streaming
+
+The following endpoints are used to download fonts on demand.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | fs.microsoft.com |
+| | | fs.microsoft.com/fs/windows/config.json |
+
+## Licensing
+
+The following endpoint is used for online activation and some app licensing.
+To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
+
+## Location
+
+The following endpoint is used for location data.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | location-inference-westus.cloudapp.net |
+
+## Maps
+
+The following endpoint is used to check for updates to maps that have been downloaded for offline use.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *g.akamaiedge.net |
+
+## Microsoft account
+
+The following endpoints are used for Microsoft accounts to sign in.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | login.msa.akadns6.net |
+| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
+
+## Microsoft Store
+
+The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.wns.windows.com |
+
+The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
+To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storecatalogrevocation.storequality.microsoft.com |
+
+The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
+
+The following endpoints are used to communicate with Microsoft Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storeedgefd.dsx.mp.microsoft.com |
+| | HTTP | pti.store.microsoft.com |
+||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
+
+## Network Connection Status Indicator (NCSI)
+
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | www.msftconnecttest.com/connecttest.txt |
+
+## Office
+
+The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.a-msedge.net |
+| hxstr | | *.c-msedge.net |
+| | | *.e-msedge.net |
+| | | *.s-msedge.net |
+
+The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
+
+The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
+
+## OneDrive
+
+The following endpoint is a redirection service that’s used to automatically update URLs.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
+
+The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
+To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTPS | oneclient.sfx.ms |
+
+## Settings
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | HTTPS | settings.data.microsoft.com |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | settings-win.data.microsoft.com |
+
+## Skype
+
+The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
+
+
+
+## Windows Defender
+
+The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | wdcp.microsoft.com |
+
+The following endpoints are used for Windows Defender definition updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | definitionupdates.microsoft.com |
+|MpCmdRun.exe|HTTPS|go.microsoft.com |
+
+## Windows Spotlight
+
+The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | arc.msn.com |
+| backgroundtaskhost | | g.msn.com.nsatc.net |
+| |TLS v1.2| *.search.msn.com |
+| | HTTPS | ris.api.iris.microsoft.com |
+| | HTTPS | query.prod.cms.rt.microsoft.com |
+
+## Windows Update
+
+The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
+
+The following endpoints are used to download operating system patches and updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | *.windowsupdate.com |
+| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
+
+The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | cds.d2s7q6s2.hwcdn.net |
+
+The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | *wac.phicdn.net |
+| | | *wac.edgecastcdn.net |
+
+The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
+
+The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | emdl.ws.microsoft.com |
+
+The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | fe2.update.microsoft.com |
+| svchost | | fe3.delivery.mp.microsoft.com |
+| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
+| svchost | HTTPS | sls.update.microsoft.com |
+
+The following endpoint is used for content regulation.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
+
+The following endpoints are used to download content.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | a122.dscd.akamai.net |
+| | | a1621.g.akamai.net |
+
+## Microsoft forward link redirection service (FWLink)
+
+The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
+
+If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Various|HTTPS|go.microsoft.com|
+
+## Other Windows 10 versions and editions
+
+To view endpoints for other versions of Windows 10 enterprise, see:
+- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+
+To view endpoints for non-Enterprise Windows 10 editions, see:
+- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
\ No newline at end of file
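Review bot: In the Certificates section, "which increases the attack vector on the device" misuses the term. Blocking ctldl.windowsupdate.com does not add a vector; per the preceding sentences it stops Windows from automatically downloading the certificates known to be fraudulent, so "which increases the attack surface of the device" would be accurate. Several wording slips in this added file should be fixed before merge: "is used for by the Microsoft Wallet app", "report diagnostic and diagnostic data information", "will not able to" (in the OneDrive for Business paragraph and the emdl.ws.microsoft.com paragraph), and an unmatched ")" after "has not acquired" in the Time Limited URL paragraph. The OfficeHub row names "Windows Apps\Microsoft.Windows.Photos" as its source process, which looks copied from the Photos table (spelled "WindowsApps" there); please confirm the process name. The second Office paragraph opens with "The following endpoint" and then refers to "these endpoints". The file also ends without a trailing newline.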
diff --git a/windows/privacy/manage-windows-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md
similarity index 68%
rename from windows/privacy/manage-windows-endpoints.md
rename to windows/privacy/manage-windows-1803-endpoints.md
index c324f877dd..5cbbfcd3d1 100644
--- a/windows/privacy/manage-windows-endpoints.md
+++ b/windows/privacy/manage-windows-1803-endpoints.md
@@ -1,5 +1,5 @@
---
-title: Windows 10 connection endpoints
+title: Connection endpoints for Windows 10, version 1803
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
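Review bot: The front matter is only half updated: the title now names version 1803, but the unchanged description line still reads "Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact." Now that there is one page per version, the description should name version 1803 as well, otherwise the per-version pages are indistinguishable in search results and link previews. The keywords line still lists Windows Server 2016; confirm that it applies to this version-specific page.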
@@ -10,11 +10,11 @@ author: danihalfin
ms.author: daniha
ms.date: 6/26/2018
---
-# Manage Windows 10 connection endpoints
+# Manage connection endpoints for Windows 10, version 1803
**Applies to**
-- Windows 10, version 1709 and later
+- Windows 10, version 1803
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
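Review bot: The ms.date context line still reads 6/26/2018 although this hunk changes the page heading and narrows "Applies to" from "version 1709 and later" to "version 1803"; update the date so readers can tell the scope was revised. While this block is being touched, the context sentence "Some Windows components, app, and related services" should read "apps".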
@@ -46,102 +46,102 @@ We used the following methodology to derive these network endpoints:
The following endpoint is used to download updates to the Weather app Live Tile.
If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| explorer | HTTP | tile-service.weather.microsoft.com | 1709 |
-| | HTTP | blob.weather.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| explorer | HTTP | tile-service.weather.microsoft.com |
+| | HTTP | blob.weather.microsoft.com |
The following endpoint is used for OneNote Live Tile.
To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
The following endpoints are used for Twitter updates.
To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | wildcard.twimg.com | 1709 |
-| svchost.exe | | oem.twimg.com/windows/tile.xml | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wildcard.twimg.com |
+| svchost.exe | | oem.twimg.com/windows/tile.xml |
The following endpoint is used for Facebook updates.
To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | star-mini.c10r.facebook.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | star-mini.c10r.facebook.com |
The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
The following endpoint is used for Candy Crush Saga updates.
To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | TLS v1.2 | candycrushsoda.king.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | TLS v1.2 | candycrushsoda.king.com |
The following endpoint is used for by the Microsoft Wallet app.
To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
The following endpoint is used by the Groove Music app for update HTTP handler status.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
## Cortana and Search
The following endpoint is used to get images that are used for Microsoft Store suggestions.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| searchui | HTTPS |store-images.s-microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui | HTTPS |store-images.s-microsoft.com |
The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| backgroundtaskhost | HTTPS | www.bing.com/client | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/client |
The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| backgroundtaskhost | HTTPS | www.bing.com/proactive | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/proactive |
The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
## Certificates
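Review bot: In the last Cortana and Search table, the added row still splits the source-process cell over two lines (`| searchui` followed by `backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |`), exactly as the removed row did. As shown here, a pipe-table row has to sit on a single line, so put both process names in one cell on one line, for example separated by `<br>` or a comma. The added row `| searchui | HTTPS |store-images.s-microsoft.com |` is also missing the space after the second pipe that the other rows use. While these paragraphs are being touched, the context lines "is used for by the Microsoft Wallet app" and "report diagnostic and diagnostic data information" could be corrected in the same change.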
@@ -152,142 +152,142 @@ These settings are critical for both Windows security and the overall security o
We do not recommend blocking this endpoint.
If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTP | ctldl.windowsupdate.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com |
## Device authentication
The following endpoint is used to authenticate a device.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | login.live.com/ppsecure | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | login.live.com/ppsecure |
## Device metadata
The following endpoint is used to retrieve device metadata.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | dmd.metaservices.microsoft.com.akadns.net | 1709 |
-| | HTTP | dmd.metaservices.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | dmd.metaservices.microsoft.com.akadns.net |
+| | HTTP | dmd.metaservices.microsoft.com |
## Diagnostic Data
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | cy2.vortex.data.microsoft.com.akadns.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
The following endpoints are used by Windows Error Reporting.
To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| wermgr | | watson.telemetry.microsoft.com | 1709 |
-| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| wermgr | | watson.telemetry.microsoft.com |
+| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
## Font streaming
The following endpoints are used to download fonts on demand.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | fs.microsoft.com | 1709 |
-| | | fs.microsoft.com/fs/windows/config.json | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | fs.microsoft.com |
+| | | fs.microsoft.com/fs/windows/config.json |
## Licensing
The following endpoint is used for online activation and some app licensing.
To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
## Location
The following endpoint is used for location data.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | location-inference-westus.cloudapp.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | location-inference-westus.cloudapp.net |
## Maps
The following endpoint is used to check for updates to maps that have been downloaded for offline use.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | *g.akamaiedge.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *g.akamaiedge.net |
## Microsoft account
The following endpoints are used for Microsoft accounts to sign in.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | login.msa.akadns6.net | 1709 |
-| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | login.msa.akadns6.net |
+| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
## Microsoft Store
The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | *.wns.windows.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.wns.windows.com |
The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | storecatalogrevocation.storequality.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storecatalogrevocation.storequality.microsoft.com |
The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | 1709 |
-| backgroundtransferhost | HTTPS | store-images.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
+| backgroundtransferhost | HTTPS | store-images.microsoft.com |
The following endpoints are used to communicate with Microsoft Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | storeedgefd.dsx.mp.microsoft.com | 1709 |
-| | HTTP | pti.store.microsoft.com | 1709 |
-||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| 1709 |
-| svchost | HTTPS | displaycatalog.mp.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storeedgefd.dsx.mp.microsoft.com |
+| | HTTP | pti.store.microsoft.com |
+||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
+| svchost | HTTPS | displaycatalog.mp.microsoft.com |
## Network Connection Status Indicator (NCSI)
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | www.msftconnecttest.com/connecttest.txt | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | www.msftconnecttest.com/connecttest.txt |
## Office
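Review bot: Dropping the "Applies from Windows 10 version" column erases a distinction the removed rows carried: `dmd.metaservices.microsoft.com` under Device metadata, and `store-images.microsoft.com` and `displaycatalog.mp.microsoft.com` under Microsoft Store, were marked 1803 while their neighbours were marked 1709. Nothing in the added lines says which Windows 10 version the tables now describe, so either state the version once near the top of the article or confirm that every remaining row applies to it. Anyone building firewall or proxy allow lists from these tables needs that scope to be explicit. Separately, in the Certificates context line, "increases the attack vector on the device" would read better as "increases the attack surface of the device".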
@@ -295,74 +295,74 @@ The following endpoints are used to connect to the Office 365 portal's shared in
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | *.a-msedge.net | 1709 |
-| hxstr | | *.c-msedge.net | 1709 |
-| | | *.e-msedge.net | 1709 |
-| | | *.s-msedge.net | 1709 |
-| | HTTPS | ocos-office365-s2s.msedge.net | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.a-msedge.net |
+| hxstr | | *.c-msedge.net |
+| | | *.e-msedge.net |
+| | | *.s-msedge.net |
+| | HTTPS | ocos-office365-s2s.msedge.net |
The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| system32\Auth.Host.exe | HTTPS | outlook.office365.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
## OneDrive
The following endpoint is a redirection service that’s used to automatically update URLs.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| onedrive | HTTPS | oneclient.sfx.ms | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTPS | oneclient.sfx.ms |
## Settings
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| dmclient | | cy2.settings.data.microsoft.com.akadns.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| dmclient | HTTPS | settings.data.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | HTTPS | settings.data.microsoft.com |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | settings-win.data.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | settings-win.data.microsoft.com |
## Skype
The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
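Review bot: The added OfficeHub row writes the source process as `Windows Apps\Microsoft.Windows.Photos`, with a space, while the Photos row earlier in this patch uses `WindowsApps\Microsoft.Windows.Photos`; pick one spelling so the rows can be matched against real process paths. It is also worth confirming that the Photos app is the intended source process for an endpoint the paragraph describes as OfficeHub traffic. In the OneDrive table, `HTTP \ HTTPS` would be clearer as `HTTP/HTTPS`, and the context line "your device will not able to get OneDrive for Business app updates" is missing "be".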
@@ -371,102 +371,102 @@ The following endpoint is used to retrieve Skype configuration values. To turn o
The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | wdcp.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | wdcp.microsoft.com |
The following endpoints are used for Windows Defender definition updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | definitionupdates.microsoft.com | 1709 |
-|MpCmdRun.exe|HTTPS|go.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | definitionupdates.microsoft.com |
+|MpCmdRun.exe|HTTPS|go.microsoft.com |
## Windows Spotlight
The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| backgroundtaskhost | HTTPS | arc.msn.com | 1709 |
-| backgroundtaskhost | | g.msn.com.nsatc.net | 1709 |
-| |TLS v1.2| *.search.msn.com | 1709 |
-| | HTTPS | ris.api.iris.microsoft.com | 1709 |
-| | HTTPS | query.prod.cms.rt.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | arc.msn.com |
+| backgroundtaskhost | | g.msn.com.nsatc.net |
+| |TLS v1.2| *.search.msn.com |
+| | HTTPS | ris.api.iris.microsoft.com |
+| | HTTPS | query.prod.cms.rt.microsoft.com |
## Windows Update
The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
The following endpoints are used to download operating system patches and updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTP | *.windowsupdate.com | 1709 |
-| | HTTP | fg.download.windowsupdate.com.c.footprint.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | *.windowsupdate.com |
+| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | cds.d2s7q6s2.hwcdn.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | cds.d2s7q6s2.hwcdn.net |
The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | *wac.phicdn.net | 1709 |
-| | | *wac.edgecastcdn.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | *wac.phicdn.net |
+| | | *wac.edgecastcdn.net |
The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | emdl.ws.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | emdl.ws.microsoft.com |
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | fe2.update.microsoft.com | 1709 |
-| svchost | | fe3.delivery.mp.microsoft.com | 1709 |
-| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | 1709 |
-| svchost | HTTPS | sls.update.microsoft.com | 1709 |
-| | HTTP | *.dl.delivery.mp.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | fe2.update.microsoft.com |
+| svchost | | fe3.delivery.mp.microsoft.com |
+| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
+| svchost | HTTPS | sls.update.microsoft.com |
+| | HTTP | *.dl.delivery.mp.microsoft.com |
The following endpoint is used for content regulation.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
The following endpoints are used to download content.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | a122.dscd.akamai.net | 1709 |
-| | | a1621.g.akamai.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | a122.dscd.akamai.net |
+| | | a1621.g.akamai.net |
## Microsoft forward link redirection service (FWLink)
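Review bot: Dropping the "Applies from Windows 10 version" column loses information in the Windows Update and Store table: the removed `*.dl.delivery.mp.microsoft.com` row was marked 1803, while every other removed row visible here was marked 1709, and after the change nothing on these lines says which release that endpoint first applies to. If the page is now scoped to a single version, say so in the intro or keep a note on that row, so that anyone building a proxy or firewall allowlist from these tables can tell why traffic differs between builds. The context lines in the touched sections also carry a stray closing parenthesis ("has not acquired).") and "will not able to get apps", which could be fixed in the same pass.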
@@ -474,12 +474,16 @@ The following endpoint is used by the Microsoft forward link redirection service
If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-|Various|HTTPS|go.microsoft.com| 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Various|HTTPS|go.microsoft.com|
## Other Windows 10 editions
+To view endpoints for other versions of Windows 10 enterprise, see:
+- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+
To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
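Review bot: The list added under "## Other Windows 10 editions" links to other versions (1709, 1809) of the Enterprise page, not to other editions, so the heading no longer describes the first list beneath it. Rename the heading to cover both (for example "Other Windows 10 versions and editions") or give the version links their own heading. Also capitalize "Enterprise" in "other versions of Windows 10 enterprise" to match "non-Enterprise Windows 10 editions" in the sentence that follows.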
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
new file mode 100644
index 0000000000..dd3a50a2fe
--- /dev/null
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -0,0 +1,524 @@
+---
+title: Connection endpoints for Windows 10, version 1803
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+author: danihalfin
+ms.author: daniha
+ms.date: 6/26/2018
+---
+# Manage connection endpoints for Windows 10, version 1809
+
+**Applies to**
+
+- Windows 10, version 1809
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
+
+This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it.
+
+We used the following methodology to derive these network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 Enterprise connection endpoints
+
+## Apps
+
+The following endpoint is used to download updates to the Weather app Live Tile.
+If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| explorer | HTTP | tile-service.weather.microsoft.com |
+| | HTTP | blob.weather.microsoft.com |
+
+The following endpoint is used for OneNote Live Tile.
+To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
+
+The following endpoints are used for Twitter updates.
+To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wildcard.twimg.com |
+| svchost.exe | | oem.twimg.com/windows/tile.xml |
+
+The following endpoint is used for Facebook updates.
+To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | star-mini.c10r.facebook.com |
+
+The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
+To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
+
+The following endpoint is used for Candy Crush Saga updates.
+To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | TLS v1.2 | candycrushsoda.king.com |
+
+The following endpoint is used for by the Microsoft Wallet app.
+To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
+
+The following endpoint is used by the Groove Music app for update HTTP handler status.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
+
+The following endpoints are used when using the Whiteboard app.
+To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wbd.ms |
+| | HTTPS | int.whiteboard.microsoft.com |
+| | HTTPS | whiteboard.microsoft.com |
+| | HTTP / HTTPS | whiteboard.ms |
+
+## Cortana and Search
+
+The following endpoint is used to get images that are used for Microsoft Store suggestions.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui | HTTPS |store-images.s-microsoft.com |
+
+The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/client |
+
+The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/proactive |
+
+The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
+
+## Certificates
+
+The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
+
+Additionally, it is used to download certificates that are publicly known to be fraudulent.
+These settings are critical for both Windows security and the overall security of the Internet.
+We do not recommend blocking this endpoint.
+If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com |
+
+## Device authentication
+
+The following endpoint is used to authenticate a device.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | login.live.com/ppsecure |
+
+## Device metadata
+
+The following endpoint is used to retrieve device metadata.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | dmd.metaservices.microsoft.com.akadns.net |
+| | HTTP | dmd.metaservices.microsoft.com |
+
+## Diagnostic Data
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 |
+
+The following endpoints are used by Windows Error Reporting.
+To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| wermgr | | watson.telemetry.microsoft.com |
+| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
+
+## Font streaming
+
+The following endpoints are used to download fonts on demand.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | fs.microsoft.com |
+| | | fs.microsoft.com/fs/windows/config.json |
+
+## Licensing
+
+The following endpoint is used for online activation and some app licensing.
+To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
+
+## Location
+
+The following endpoint is used for location data.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | location-inference-westus.cloudapp.net |
+| | HTTPS | inference.location.live.net |
+
+## Maps
+
+The following endpoint is used to check for updates to maps that have been downloaded for offline use.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *g.akamaiedge.net |
+
+## Microsoft account
+
+The following endpoints are used for Microsoft accounts to sign in.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | login.msa.akadns6.net |
+| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
+| | | us.configsvc1.live.com.akadns.net |
+
+## Microsoft Store
+
+The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | *.wns.windows.com |
+
+The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
+To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storecatalogrevocation.storequality.microsoft.com |
+
+The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
+| backgroundtransferhost | HTTPS | store-images.microsoft.com |
+
+The following endpoints are used to communicate with Microsoft Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storeedgefd.dsx.mp.microsoft.com |
+| | HTTP \ HTTPS | pti.store.microsoft.com |
+||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
+| svchost | HTTPS | displaycatalog.mp.microsoft.com |
+
+## Network Connection Status Indicator (NCSI)
+
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | www.msftconnecttest.com/connecttest.txt |
+
+## Office
+
+The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.a-msedge.net |
+| hxstr | | *.c-msedge.net |
+| | | *.e-msedge.net |
+| | | *.s-msedge.net |
+| | HTTPS | ocos-office365-s2s.msedge.net |
+| | HTTPS | nexusrules.officeapps.live.com |
+| | HTTPS | officeclient.microsoft.com |
+
+The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
+
+The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
+
+The following endpoint is used to connect the Office To-Do app to it's cloud service.
+To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| |HTTPS|to-do.microsoft.com|
+
+## OneDrive
+
+The following endpoint is a redirection service that’s used to automatically update URLs.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
+
+The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
+To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTPS | oneclient.sfx.ms |
+
+## Settings
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | HTTPS | settings.data.microsoft.com |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | settings-win.data.microsoft.com |
+
+## Skype
+
+The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
+| | HTTPS | browser.pipe.aria.microsoft.com |
+| | | skypeecs-prod-usw-0-b.cloudapp.net |
+
+## Windows Defender
+
+The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | wdcp.microsoft.com |
+
+The following endpoints are used for Windows Defender definition updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | definitionupdates.microsoft.com |
+|MpCmdRun.exe|HTTPS|go.microsoft.com |
+
+The following endpoints are used for Windows Defender Smartscreen reporting and notifications.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Smartscreen notifications will no appear.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | ars.smartscreen.microsoft.com |
+| | HTTPS | unitedstates.smartscreen-prod.microsoft.com |
+| | | smartscreen-sn3p.smartscreen.microsoft.com |
+
+## Windows Spotlight
+
+The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | arc.msn.com |
+| backgroundtaskhost | | g.msn.com.nsatc.net |
+| |TLS v1.2| *.search.msn.com |
+| | HTTPS | ris.api.iris.microsoft.com |
+| | HTTPS | query.prod.cms.rt.microsoft.com |
+
+## Windows Update
+
+The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
+
+The following endpoints are used to download operating system patches and updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | *.windowsupdate.com |
+| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
+
+The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | cds.d2s7q6s2.hwcdn.net |
+
+The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | *wac.phicdn.net |
+| | | *wac.edgecastcdn.net |
+
+The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
+
+The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | emdl.ws.microsoft.com |
+
+The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | fe2.update.microsoft.com |
+| svchost | | fe3.delivery.mp.microsoft.com |
+| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
+| svchost | HTTPS | sls.update.microsoft.com |
+| | HTTP | *.dl.delivery.mp.microsoft.com |
+
+The following endpoint is used for content regulation.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
+
+The following endpoints are used to download content.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | a122.dscd.akamai.net |
+| | | a1621.g.akamai.net |
+
+## Microsoft forward link redirection service (FWLink)
+
+The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
+
+If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Various|HTTPS|go.microsoft.com|
+
+## Other Windows 10 editions
+
+To view endpoints for other versions of Windows 10 enterprise, see:
+- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+
+To view endpoints for non-Enterprise Windows 10 editions, see:
+- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
\ No newline at end of file
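Review bot: Several added sentences in this new file have wording errors that should be fixed before merge. In the Windows Defender section, "Smartscreen notifications will no appear" should read "will not appear" (and the product name is spelled "SmartScreen"). In the Windows Update section, the Time Limited URL paragraph ends with an unmatched ")" after "has not acquired", "resulting in user unable to get apps" needs rewording, and "users of the device will not able to get apps" is missing "be". The Skype paragraph mixes "Microsoft Store" and "Microsoft store". Many table rows also leave Source process or Protocol empty (for example wdcp.microsoft.com, cds.d2s7q6s2.hwcdn.net and the two akamai.net rows), which makes them hard to turn into proxy or firewall rules; fill the cells in or say explicitly that the value is not known. In the FWLink section, "To disable the traffic, instead disable the traffic that's getting forwarded" is hard to parse and should say which endpoints to block. The file also ends without a trailing newline.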
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index d47f46ccc8..d855efc036 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -100,7 +100,7 @@ Sign-in to a domain controller or management workstation with access equivalent
4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog.
> [!NOTE]
-> For high-availabilty, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.
+> For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.
### Create the NDES Service Account
The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it is preferential to run services using a Group Managed Service Account (GMSA). While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration. The deployment uses a normal services account.
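Review bot: The corrected note line still reads "For high-availability, you should have more than one NDES server"; used as a noun the phrase takes no hyphen, so "For high availability" is the form to use. While touching this section, the context paragraph under "Create the NDES Service Account" says "it is preferential to run services using a Group Managed Service Account", where "preferable" is meant.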
@@ -686,4 +686,4 @@ You have successfully completed the configuration. Add users that need to enrol
> * Install and Configure the NDES Role
> * Configure Network Device Enrollment Services to work with Microsoft Intune
> * Download, Install, and Configure the Intune Certificate Connector
-> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile)
\ No newline at end of file
+> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile)
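Review bot: The re-added last bullet keeps a misplaced parenthesis: "Simple Certificate Enrollment Protocol (SCEP Certificate Profile)" should be "Simple Certificate Enrollment Protocol (SCEP) Certificate Profile". Since the line is being rewritten anyway to add the trailing newline, fix the wording in the same change.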
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index ed91c63c54..20620f9410 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -75,7 +75,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> [!IMPORTANT]
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
-> * Install the root certificate authority certificate for your organization in the user's trusted root certifcate store.
+> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store.
> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url.
### Section Review ###
@@ -84,7 +84,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> * Minimum Windows Server 2012 Certificate Authority.
> * Enterprise Certificate Authority.
> * Functioning public key infrastructure.
-> * Root certifcate authority certificate (Azure AD Joined devices).
+> * Root certificate authority certificate (Azure AD Joined devices).
> * Highly available certificate revocation list (Azure AD Joined devices).
## Azure Active Directory ##
@@ -131,7 +131,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
> * Review the overview and uses of Azure Multifactor Authentication.
> * Review your Azure Active Directory subscription for Azure Multifactor Authentication.
> * Create an Azure Multifactor Authentication Provider, if necessary.
-> * Configure Azure Multufactor Authentiation features and settings.
+> * Configure Azure Multifactor Authentiation features and settings.
> * Understand the different User States and their effect on Azure Multifactor Authentication.
> * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary.
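Review bot: The replacement line fixes "Multufactor" but leaves a second typo in the same phrase: "Configure Azure Multifactor Authentiation features and settings" should read "Authentication". The neighbouring bullets already spell it correctly, so this line is now the only inconsistent one.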
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index 621818ce66..70dd6093e7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -19,7 +19,7 @@ ms.date: 08/19/2018
- Key trust
-## Directory Syncrhonization
+## Directory Synchronization
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
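Review bot: Correcting the heading from "Directory Syncrhonization" to "Directory Synchronization" also changes the heading's generated anchor, so any link that targets the old misspelled anchor will stop resolving. Search the repository for references to the old anchor and update them in this change.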
diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
new file mode 100644
index 0000000000..fb9afb773b
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
@@ -0,0 +1,31 @@
+---
+title: Microsoft-compatible security key
+description: Windows10 enables users to sign in to their device using a security key. How is a Microsoft-compatible security key different (and better) than any other FIDO2 security key
+keywords: FIDO2, security key, CTAP, Hello, WHFB
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: aabhathipsay
+ms.author: aathipsa
+ms.localizationpriority: medium
+ms.date: 11/14/2018
+---
+# What is a Microsoft-compatible security key?
+> [!Warning]
+> Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+Microsoft has been aligned with the [FIDO Alliance](https://fidoalliance.org/) with a mission to replace passwords with an easy to use, strong 2FA credential. We have been working with our partners to extensively test and deliver a seamless and secure authentication experience to end users.
+
+The [FIDO2 CTAP specification](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html) contains a few optional features and extensions which are crucial to provide that seamless and secure experience.
+
+A security key **MUST** implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft-compatible:
+
+| # | Feature / Extension trust | Why is this required? |
+| --- | --- | --- |
+| 1 | Resident key | This feature enables the security key to be portable, where your credential is stored on the security key |
+| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have an user interface|
+| 3 | hmac-secret | This extension ensures you can sign-in to your device when it's off-line or in airplane mode |
+| 4 | Multiple accounts per RP | This feature ensures you can use the same security key across multiple services like Microsoft Account (MSA) and Azure Active Directory (AAD) |
+
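Review bot: The front matter and table of this new file need a copy edit before publishing. In the description, "Windows10" is missing a space and the closing question has no question mark. The table header "Feature / Extension trust" carries a stray "trust"; "Feature / Extension" matches the sentence above it. In row 2, "an user interface" should be "a user interface", and "Client pin" should be written "Client PIN" since PIN is an acronym. The page also says these features are optional in the CTAP specification but does not say how an administrator can tell whether a given key implements them; a sentence on that would make the requirement actionable.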
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index 15f9ab184e..851edc7279 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: operate
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
-ms.date: 09/19/2018
+ms.date: 11/16/2018
---
# How User Account Control works
@@ -182,7 +182,7 @@ To better understand each component, review the table below:
Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.
-Never notify (Disable UAC) will:
+Never notify (Disable UAC prompts) will:
- Not notify you when programs try to install software or make changes to your computer.
- Not notify you when you make changes to Windows settings.
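Review bot: The new label "Never notify (Disable UAC prompts)" says only the prompts are turned off, but the bullets under it still describe just the missing notifications and do not say what remains in effect at this slider position. Add one sentence stating that, so readers do not equate this setting with turning UAC off entirely.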
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index 585264179f..cb56f52198 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.sitesec: library
ms.localizationpriority: medium
author: brianlic-msft
-ms.date: 10/13/2017
+ms.date: 11/16/2018
---
# Secure the Windows 10 boot process
@@ -122,9 +122,5 @@ Measured Boot uses the power of UEFI, TPM, and Windows 10 to give you a way to
## Summary
Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows 10, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows 10, you can truly trust the integrity of your operating system.
-For more information:
-
-- Watch a [video demonstration of Secure Boot](https://technet.microsoft.com/windows/jj737995.aspx)
-
## Additional resources
- [Windows 10 Enterprise Evaluation](https://technet.microsoft.com/evalcenter/hh699156.aspx?ocid=wc-tn-wctc)
diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md
index db918c0ba6..6f31a72d96 100644
--- a/windows/security/information-protection/tpm/manage-tpm-lockout.md
+++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md
@@ -31,7 +31,7 @@ The industry standards from the Trusted Computing Group (TCG) specify that TPM m
**TPM 2.0**
-TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 2 hours. This means that every continuous two hours of powered on operation without an event which increases the counter will cause the counter to decrease by 1.
+TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows 10 configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event which increases the counter will cause the counter to decrease by 1.
If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607.
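Review bot: The rewritten TPM 2.0 sentence changes the healing time from 2 hours to 10 minutes and narrows the subject from "Windows" to "Windows 10", but does not say which Windows 10 versions use the 10-minute value or whether other Windows releases still use 2 hours. Because the lockout counter is an anti-hammering control, state the applicable versions explicitly, as the next paragraph does with "starting with Windows 10 version 1607". The line also mixes "10 minutes" and "ten minutes"; pick one form.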
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index a328d38a24..ea1d8e22a6 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -6,6 +6,7 @@
#### [Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md)
##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md)
###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md)
+####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
###### [System isolation](windows-defender-atp/how-hardware-based-containers-help-protect-windows.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
@@ -23,6 +24,7 @@
###### [Investigate incidents](windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md)
+
##### Alerts queue
###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
###### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
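Review bot: The only change in this hunk is an added empty line before "##### Alerts queue". Drop it unless it is needed for rendering, so the TOC diff contains only entry changes.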
@@ -80,77 +82,11 @@
##### [Custom detections](windows-defender-atp/overview-custom-detections.md)
###### [Create custom detections rules](windows-defender-atp/custom-detection-rules.md)
+
#### [Management and APIs](windows-defender-atp/management-apis.md)
##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
-######Actor
-####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
-####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-######Alerts
-####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-######Domain
-####### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
-
-######File
-####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
-####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
-####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
-####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
-
-######IP
-####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-######Machines
-####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
-####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
-####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
-####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-######Machines Security States
-####### [Get MachineSecurityStates collection](windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md)
-######Machine Groups
-####### [Get MachineGroups collection](windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md)
-
-######User
-####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
-####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
-
-######Windows updates (KB) info
-####### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
-######Common Vulnerabilities and Exposures (CVE) to KB map
-####### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
-
+##### [Windows Defender ATP APIs](windows-defender-atp/apis-intro.md)
##### [Managed security service provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md)
#### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md)
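Review bot: This hunk removes every per-API TOC entry (the "*-windows-defender-advanced-threat-protection.md" pages for Actor, Alerts, Domain, File, IP, Machines, User, KB info and CVE-KB map) and leaves a single link to windows-defender-atp/apis-intro.md. If the old pages are deleted or renamed in this change, confirm that each one has an entry in .openpublishing.redirection.json, otherwise existing links to pages such as "Isolate machine API" or "Block file API" will break. The added empty line above "#### [Management and APIs]" is a whitespace-only change and can be dropped.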
@@ -188,10 +124,12 @@
##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md)
###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
-##### [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-###### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md)
-####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
+##### Device control
+###### [Control USB devices](device-control/control-usb-devices-using-intune.md)
+###### [Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+####### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md)
+######## [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+######## [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md)
###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
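Review bot: Moving Device Guard under the new "Device control" node pushes "Hardware qualifications" and "Enable HVCI" to eight "#" levels. Confirm that the TOC renderer supports that depth, or flatten the tree by one level. "Device control" is also now an unlinked node while its sibling "Application control" links to a page; consider pointing it at an overview page for consistency.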
@@ -290,6 +228,152 @@
###### [Troubleshoot onboarding issues](windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
####### [Troubleshoot subscription and portal access issues](windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/use-apis.md)
+###### Create your app
+####### [Get access on behalf of a user](windows-defender-atp/exposed-apis-create-app-nativeapp.md)
+####### [Get access without a user](windows-defender-atp/exposed-apis-create-app-webapp.md)
+###### [Supported Windows Defender ATP APIs](windows-defender-atp/exposed-apis-list.md)
+####### [Advanced Hunting](windows-defender-atp/run-advanced-query-api.md)
+
+####### [Alert](windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md)
+######## [List alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Create alert](windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)
+######## [Update Alert](windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related domains information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related IPs information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md)
+
+####### Domain
+######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md)
+######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md)
+
+####### [File](windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md)
+######## [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md)
+######## [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md)
+
+####### IP
+######## [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
+######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
+
+####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md)
+######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Add or Remove machine tags](windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
+######## [Find machines by IP](windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
+
+
+####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md)
+######## [List MachineActions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
+######## [Get MachineAction](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
+######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
+######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
+######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md)
+######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md)
+######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
+######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+
+####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md)
+######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
+
+
+###### How to use APIs - Samples
+####### Advanced Hunting API
+######## [Schedule advanced Hunting using Microsoft Flow](windows-defender-atp/run-advanced-query-sample-ms-flow.md)
+######## [Advanced Hunting using PowerShell](windows-defender-atp/run-advanced-query-sample-powershell.md)
+######## [Advanced Hunting using Python](windows-defender-atp/run-advanced-query-sample-python.md)
+######## [Create custom Power BI reports](windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md)
+####### Multiple APIs
+######## [PowerShell](windows-defender-atp/exposed-apis-full-sample-powershell.md)
+####### [Using OData Queries](windows-defender-atp/exposed-apis-odata-samples.md)
+
+##### [Use the Windows Defender ATP exposed APIs (deprecated)](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
+###### [Supported Windows Defender ATP APIs (deprecated)](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
+#######Actor (deprecated)
+######## [Get actor information (deprecated)](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
+######## [Get actor related alerts (deprecated)](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+#######Alerts (deprecated)
+######## [Get alerts (deprecated)](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get alert information by ID (deprecated)](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+######## [Get alert related actor information (deprecated)](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related domain information (deprecated)](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related file information (deprecated)](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related IP information (deprecated)](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related machine information (deprecated)](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+#######Domain (deprecated)
+######## [Get domain related alerts (deprecated)](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get domain related machines (deprecated)](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get domain statistics (deprecated)](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is domain seen in organization (deprecated)](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+#######File(deprecated)
+######## [Block file (deprecated)](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
+######## [Get file information (deprecated)](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
+######## [Get file related alerts (deprecated)](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get file related machines (deprecated)](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get file statistics (deprecated)](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
+######## [Get FileActions collection (deprecated)](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Unblock file (deprecated)](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
+
+#######IP (deprecated)
+######## [Get IP related alerts (deprecated)](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get IP related machines (deprecated)](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get IP statistics (deprecated)](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is IP seen in organization (deprecated)](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+#######Machines (deprecated)
+######## [Collect investigation package (deprecated)](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
+######## [Find machine information by IP (deprecated)](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+######## [Get machines (deprecated)](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+######## [Get FileMachineAction object (deprecated)](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+######## [Get FileMachineActions collection (deprecated)](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Get machine by ID (deprecated)](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
+######## [Get machine log on users (deprecated)](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+######## [Get machine related alerts (deprecated)](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get MachineAction object (deprecated)](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
+######## [Get MachineActions collection (deprecated)](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Get machines (deprecated)](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+######## [Get package SAS URI (deprecated)](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+######## [Isolate machine (deprecated)](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
+######## [Release machine from isolation (deprecated)](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
+######## [Remove app restriction (deprecated)](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+######## [Request sample (deprecated)](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
+######## [Restrict app execution (deprecated)](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
+######## [Run antivirus scan (deprecated)](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
+######## [Stop and quarantine file (deprecated)](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+#######User (deprecated)
+######## [Get alert related user information (deprecated)](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+######## [Get user information (deprecated)](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
+######## [Get user related alerts (deprecated)](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get user related machines (deprecated)](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+
+#####Windows updates (KB) info
+###### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
+#####Common Vulnerabilities and Exposures (CVE) to KB map
+###### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+
+
##### API for custom alerts
###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
###### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
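Review bot: Under "Machines (deprecated)", `Get machines (deprecated)` is added twice with the same target (get-machines-windows-defender-advanced-threat-protection.md); drop the second entry. Several added headings have no space after the hashes (`#######Actor (deprecated)`, `#######File(deprecated)`, `#####Windows updates (KB) info`, `#####Common Vulnerabilities and Exposures (CVE) to KB map`), which may stop them rendering as TOC nodes, and `File(deprecated)` also needs a space before the parenthesis to match its siblings. The new `Use the Windows Defender ATP exposed APIs (deprecated)` entry points at exposed-apis-windows-defender-advanced-threat-protection.md, the same file the unchanged `Use the Windows Defender ATP exposed APIs` entry under "API for custom alerts" links to, so the older entry should be retitled or removed to avoid two labels for one page. The nine blank `+` lines at the end of the block can be removed.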
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
new file mode 100644
index 0000000000..6629438e93
--- /dev/null
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -0,0 +1,86 @@
+---
+title: How to control USB devices and other removable media using Intune (Windows 10)
+description: You can configure Intune settings to reduce threats from removable storage such as USB devices.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+ms.author: justinha
+author: justinha
+ms.date: 11/15/2018
+---
+
+# How to control USB devices and other removable media using Intune
+
+**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+
+
+You can configure Intune settings to reduce threats from removable storage such as USB devices, including:
+
+- [Block unwanted removeable storage](#block-unwanted-removable-storage)
+- [Protect allowed removable storage](#protect-allowed-removable-storage)
+
+Protecting allowed removeable storage requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+We recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
+If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives.
+You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted.
+
+> [!NOTE]
+> These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For data loss prevention on Windows 10 devices, you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device.
+
+## Block unwanted removeable storage
+
+1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
+2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
+
+ 
+
+3. Use the following settings:
+
+ - Name: Windows 10 Device Configuration
+ - Description: Block removeable storage and USB connections
+ - Platform: Windows 10 and later
+ - Profile type: Device restrictions
+
+ 
+
+4. Click **Configure** > **General**.
+
+5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**.
+
+ 
+
+6. Click **OK** to close **General** settings and **Device restrictions**.
+
+7. Click **Create** to save the profile.
+
+Alternatively, you can create a custom profile in Intune and configure [DeviceInstallation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) policies.
+
+## Protect allowed removable storage
+
+These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+
+1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
+2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
+
+ 
+
+3. Use the following settings:
+
+ - Name: Type a name for the profile
+ - Description: Type a description
+ - Platform: Windows 10 or later
+ - Profile type: Endpoint protection
+
+ 
+
+4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**.
+
+5. For **Unsigned and untrusted processes that run from USB**, choose **Block**.
+
+ 
+
+6. Click **OK** to close **Attack Surface Reduction**, **Windows Defender Exploit Guard**, and **Endpoint protection**.
+
+7. Click **Create** to save the profile.
\ No newline at end of file
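Review bot: The first bullet links to `#block-unwanted-removable-storage`, but the heading it targets is spelled `## Block unwanted removeable storage`, so the anchor derived from the heading will not match and the in-page link will break. Use "removable" throughout (the intro bullet, the "Protecting allowed removeable storage" sentence, the heading, and the profile description in step 3 all use "removeable", while the title and the second heading use "removable"). The intro also says protecting allowed storage "requires" real-time protection and then, in the next sentence, that enabling it is "recommended"; pick one so readers know whether the ASR setting works without it. Minor points: the Platform value is "Windows 10 and later" in the first procedure and "Windows 10 or later" in the second, and the file lacks a trailing newline.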
diff --git a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png
new file mode 100644
index 0000000000..3080e0d1f0
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png differ
diff --git a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png
new file mode 100644
index 0000000000..9d295dfa6b
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png differ
diff --git a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png
new file mode 100644
index 0000000000..1e0f0587a3
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png differ
diff --git a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png
new file mode 100644
index 0000000000..eaba30b27f
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png differ
diff --git a/windows/security/threat-protection/device-control/images/create-profile.png b/windows/security/threat-protection/device-control/images/create-profile.png
new file mode 100644
index 0000000000..ada168228e
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-profile.png differ
diff --git a/windows/security/threat-protection/device-control/images/general-settings.png b/windows/security/threat-protection/device-control/images/general-settings.png
new file mode 100644
index 0000000000..152822dc29
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/general-settings.png differ
diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
index 5b63d093b8..d5b8c58676 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
@@ -60,7 +60,7 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined
-| Default Domain Controler Policy | Not defined
+| Default Domain Controller Policy | Not defined
| Stand-Alone Server Default Settings | Disabled
| DC Effective Default Settings | Disabled
| Member Server Effective Default Settings | Disabled
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
index 6028668431..0c05506d7b 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: brianlic-msft
-ms.date: 04/19/2017
+author: justinha
+ms.date: 11/13/2018
---
# Minimum password age
@@ -20,7 +20,7 @@ Describes the best practices, location, values, policy management, and security
## Reference
-The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
+The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow password changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
### Possible values
@@ -29,9 +29,16 @@ The **Minimum password age** policy setting determines the period of time (in da
### Best practices
-Set **Minimum password age** to a value of 2 days. Setting the number of days to 0 allows immediate password changes, which is not recommended.
+[Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend setting **Minimum password age** to 1 day.
-If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box. Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**.
+Setting the number of days to 0 allows immediate password changes, which is not recommended.
+Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again.
+For example, suppose a password is "Ra1ny day!" and the history requirement is 24.
+If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!".
+The minimum password age of 1 day prevents that.
+
+If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box.
+Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**.
### Location
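Review bot: "The minimum password age of 1 day prevents that" overstates the effect in the added example. With a history requirement of 24 and a minimum age of 1 day, the same cycle is still possible; it just takes at least 24 days instead of minutes. Suggest wording such as "A minimum password age of 1 day makes that cycle take at least 24 days" so the stated rationale matches the numbers given. It would also help to say in this paragraph that the setting only has this effect when **Enforce password history** is configured, since the example depends on it.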
@@ -70,11 +77,11 @@ To address password reuse, you must use a combination of security settings. Usin
### Countermeasure
-Configure the **Minimum password age** policy setting to a value of at least 2 days. Users should know about this limitation and contact the Help Desk if they need to change their password during that two-day period. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend.
+Configure the **Minimum password age** policy setting to a value of 1 day. Users should know about this limitation and contact the Help Desk to change a password sooner. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend.
### Potential impact
-If you set a password for a user but wants that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day.
+If you set a password for a user but want that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day.
## Related topics
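Review bot: The Countermeasure line changes "at least 2 days" to "a value of 1 day", which drops "at least" and now reads as if exactly 1 is the only acceptable value; if longer values are still acceptable, keep "at least 1 day" so this section does not contradict organizations that set a higher minimum. In the Potential impact sentence the subject still switches mid-sentence ("If you set a password ... the administrator must select"); since the line is being touched anyway, use "you must select" to match the Best practices paragraph.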
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index bba7a2624e..ae91d8d14b 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
-ms.date: 08/29/2017
+ms.date: 11/16/2018
---
# System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
@@ -50,7 +50,7 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP
### Best practices
-- For use with TLS, set this policy to **Enabled**. Client devices with this policy setting enabled will be unable to communicate through digitally encrypted or signed protocols with servers that do not support these algorithms. Client devices that are connected to the network and do not support these algorithms cannot use servers that require the algorithms for network communications. If you enable this policy setting, you must also configure Internet Explorer to use TLS.
+There are no best practices for this setting. Our previous guidance had recommended a setting of **Enabled**, primarily to align with US Federal government recommendations. [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend this setting be **Not Defined**, meaning that we leave the decision to customers. For a deeper explanation, see [Why We’re Not Recommending “FIPS Mode” Anymore](https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/).
### Location
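Review bot: The replacement Best practices text removes the only visible statement of the interoperability consequences (clients with the policy enabled cannot talk to servers that lack the algorithms, and Internet Explorer must be configured to use TLS). Those consequences still apply to anyone who enables the setting, so confirm they are covered under Potential impact or keep a one-line pointer here. The new paragraph also opens with "There are no best practices for this setting" and then cites a baseline recommendation of **Not Defined**; leading with the baseline position and dropping the first sentence would read less contradictory.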
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
index 801b935d4e..e063f1fda5 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 09/03/2018
+ms.date: 11/13/2018
---
# Enable and configure antivirus always-on protection and monitoring
@@ -42,7 +42,7 @@ Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Real-time protection | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled
Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the SmartScreen filter, which scans files before and during downloading | Enabled
-Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled
+Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled | Enabled
Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled
Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled
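Review bot: The reworded description for "Turn on process scanning whenever real-time protection is enabled" now says the setting is useful when real-time protection was temporarily disabled, but it does not say when the scan happens. From the setting name it appears the process scan runs at the moment real-time protection is turned back on; state that explicitly (for example "scans running processes when real-time protection is re-enabled") and reconsider the leading "You can independently enable", which suggests the scan works while real-time protection is off.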
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index 781b5ba5d5..97f4d15615 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -301,11 +301,10 @@ This setting will help ensure protection for a VM that has been offline for some
### Exclusions
On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page:
-- [Automatic exclusions for Windows Server Antimalware](https://technet.microsoft.com/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender)
+- [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus)
## Additional resources
- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
-- [Project VRC: Windows Defender Antivirus impact and best practices on VDI](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/)
- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript)
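Review bot: The replacement exclusions link hard-codes an absolute `https://docs.microsoft.com/en-us/...` URL, although the target article sits in the same `windows-defender-antivirus` folder as this file. A relative link to `configure-server-exclusions-windows-defender-antivirus.md` would avoid pinning the `en-us` locale and would match how the TOC files in this patch reference sibling articles. While this section is open, the unchanged video link under "Additional resources" has a stray space after `(` in its URL and spells "Manager" as "Manger"; both are worth fixing in the same change.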
diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
index 569d88a51c..10d6f5bedc 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 09/03/2018
+ms.date: 11/16/2018
---
# Restore quarantined files in Windows Defender AV
@@ -25,7 +25,7 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y
1. Open **Windows Security**.
2. Click **Virus & threat protection** and then click **Threat History**.
3. Under **Quarantined threats**, click **See full history**.
-4. Click **Restore** for any items you want to keep. (If you prefer to remove them, you can click **Remove**.)
+4. Click an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.)
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-application-guard/TOC.md b/windows/security/threat-protection/windows-defender-application-guard/TOC.md
new file mode 100644
index 0000000000..9e42b2b691
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-guard/TOC.md
@@ -0,0 +1,7 @@
+# [Windows Defender Application Guard](wd-app-guard-overview.md)
+
+## [System requirements](reqs-wd-app-guard.md)
+## [Install WDAG](install-wd-app-guard.md)
+## [Configure WDAG policies](configure-wd-app-guard.md)
+## [Test scenarios](test-scenarios-wd-app-guard.md)
+## [FAQ](faq-wd-app-guard.md)
\ No newline at end of file
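Review bot: The new TOC ends without a trailing newline after the FAQ entry, so the next entry appended to this file will show up as a two-line change in the diff. Add the newline now. The entries "Install WDAG" and "Configure WDAG policies" also use the abbreviation without it being introduced anywhere in the TOC; the first heading spells out "Windows Defender Application Guard", so consider "Install Application Guard" and "Configure Application Guard policies" for readers who land on the navigation first.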
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index f05f3f551f..f8ba6e6e36 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -4,6 +4,7 @@
### [Attack surface reduction](overview-attack-surface-reduction.md)
#### [Hardware-based isolation](overview-hardware-based-isolation.md)
##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md)
+###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md)
##### [System isolation](how-hardware-based-containers-help-protect-windows.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
@@ -16,7 +17,6 @@
#### [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
-
#### [Incidents queue](incidents-queue.md)
##### [View and organize the Incidents queue](view-incidents-queue.md)
##### [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
@@ -84,74 +84,7 @@
### [Management and APIs](management-apis.md)
#### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
-#####Actor
-###### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md)
-###### [Get actor related alerts](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-#####Alerts
-###### [Get alerts](get-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get alert related actor information](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related domain information](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-
-#####Domain
-###### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
-
-#####File
-###### [Block file API](block-file-windows-defender-advanced-threat-protection.md)
-###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md)
-###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md)
-###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md)
-
-#####IP
-###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-#####Machines
-###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md)
-###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md)
-###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-#####Machines Security States
-###### [Get MachineSecurityStates collection](get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md)
-#####Machine Groups
-###### [Get MachineGroups collection](get-machinegroups-collection-windows-defender-advanced-threat-protection.md)
-#####User
-###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-###### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md)
-###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
-#####Windows updates (KB) info
-###### [Get KbInfo collection](get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
-#####Common Vulnerabilities and Exposures (CVE) to KB map
-###### [Get CVE-KB map](get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
-
-
+#### [Windows Defender ATP APIs](apis-intro.md)
#### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md)
@@ -181,17 +114,19 @@
##### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
#### [Evaluate next generation protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
-### [Access the Windows Security app](community-windows-defender-advanced-threat-protection.md)
+### [Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md)
## [Configure and manage capabilities](onboard.md)
### [Configure attack surface reduction](configure-attack-surface-reduction.md)
#### [Hardware-based isolation](../windows-defender-application-guard/install-wd-app-guard.md)
##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
-#### [Device control](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-##### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
-###### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-###### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
+#### Device control
+##### [Control USB devices](../device-control/control-usb-devices-using-intune.md)
+##### [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+###### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
+####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
#### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
##### [Customize exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md)
##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
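Review bot: The restructured Device control block pushes "Hardware qualifications" and "Enable HVCI" down to `#######`, seven levels deep, and Markdown ATX headings stop at six, so whether these two entries appear as TOC nodes depends on the TOC build accepting the extra level. Please confirm in a preview build, or flatten the tree by one level, for example by keeping "Memory integrity" directly under "Device control" beside "Device Guard". The new `#### Device control` parent is also a plain label with no link, unlike its siblings "Application control" and "Exploit protection"; say in the description whether that is intended.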
@@ -289,6 +224,160 @@
##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+
+#### [Use the Windows Defender ATP exposed APIs](use-apis.md)
+##### Create your app
+###### [Get access on behalf of a user](exposed-apis-create-app-nativeapp.md)
+###### [Get access without a user](exposed-apis-create-app-webapp.md)
+##### [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+###### [Advanced Hunting](run-advanced-query-api.md)
+
+###### [Alert](alerts-windows-defender-advanced-threat-protection-new.md)
+####### [List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)
+####### [Update Alert](update-alert-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related domains information](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related IPs information](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md)
+
+###### Domain
+####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection-new.md)
+####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md)
+
+###### [File](files-windows-defender-advanced-threat-protection-new.md)
+####### [Get file information](get-file-information-windows-defender-advanced-threat-protection-new.md)
+####### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md)
+
+###### IP
+####### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
+####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
+
+###### [Machine](machine-windows-defender-advanced-threat-protection-new.md)
+####### [Get machines](get-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
+####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
+####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Add or Remove machine tags](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
+####### [Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
+
+###### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md)
+####### [List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
+####### [Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
+####### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
+####### [Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
+####### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md)
+####### [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md)
+####### [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md)
+####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+
+
+###### [User](user-windows-defender-advanced-threat-protection-new.md)
+####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
+
+##### How to use APIs - Samples
+###### Advanced Hunting API
+####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
+####### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+####### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+####### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
+###### Multiple APIs
+####### [PowerShell](exposed-apis-full-sample-powershell.md)
+###### [Using OData Queries](exposed-apis-odata-samples.md)
+
+#### [Use the Windows Defender ATP exposed APIs (deprecated)](exposed-apis-windows-defender-advanced-threat-protection.md)
+##### [Supported Windows Defender ATP APIs (deprecated)](supported-apis-windows-defender-advanced-threat-protection.md)
+######Actor (deprecated)
+####### [Get actor information (deprecated)](get-actor-information-windows-defender-advanced-threat-protection.md)
+####### [Get actor related alerts (deprecated)](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+######Alerts (deprecated)
+####### [Get alerts (deprecated)](get-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get alert information by ID (deprecated)](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get alert related actor information (deprecated)](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related domain information (deprecated)](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related file information (deprecated)](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related IP information (deprecated)](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related machine information (deprecated)](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+######Domain (deprecated)
+####### [Get domain related alerts (deprecated)](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get domain related machines (deprecated)](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get domain statistics (deprecated)](get-domain-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is domain seen in organization (deprecated)](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+######File(deprecated)
+####### [Block file (deprecated)](block-file-windows-defender-advanced-threat-protection.md)
+####### [Get file information (deprecated)](get-file-information-windows-defender-advanced-threat-protection.md)
+####### [Get file related alerts (deprecated)](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get file related machines (deprecated)](get-file-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get file statistics (deprecated)](get-file-statistics-windows-defender-advanced-threat-protection.md)
+####### [Get FileActions collection (deprecated)](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Unblock file (deprecated)](unblock-file-windows-defender-advanced-threat-protection.md)
+
+######IP (deprecated)
+####### [Get IP related alerts (deprecated)](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get IP related machines (deprecated)](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get IP statistics (deprecated)](get-ip-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is IP seen in organization (deprecated)](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+######Machines (deprecated)
+####### [Collect investigation package (deprecated)](collect-investigation-package-windows-defender-advanced-threat-protection.md)
+####### [Find machine information by IP (deprecated)](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+####### [Get machines (deprecated)](get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineAction object (deprecated)](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineActions collection (deprecated)](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machine by ID (deprecated)](get-machine-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get machine log on users (deprecated)](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+####### [Get machine related alerts (deprecated)](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get MachineAction object (deprecated)](get-machineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get MachineActions collection (deprecated)](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machines (deprecated)](get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get package SAS URI (deprecated)](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+####### [Isolate machine (deprecated)](isolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Release machine from isolation (deprecated)](unisolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Remove app restriction (deprecated)](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Request sample (deprecated)](request-sample-windows-defender-advanced-threat-protection.md)
+####### [Restrict app execution (deprecated)](restrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Run antivirus scan (deprecated)](run-av-scan-windows-defender-advanced-threat-protection.md)
+####### [Stop and quarantine file (deprecated)](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+######User (deprecated)
+####### [Get alert related user information (deprecated)](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+####### [Get user information (deprecated)](get-user-information-windows-defender-advanced-threat-protection.md)
+####### [Get user related alerts (deprecated)](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get user related machines (deprecated)](get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
#### API for custom alerts
##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
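Review bot: In the deprecated subtree, the group headings `######Actor (deprecated)`, `######Alerts (deprecated)`, `######Domain (deprecated)`, `######File(deprecated)`, `######IP (deprecated)`, `######Machines (deprecated)` and `######User (deprecated)` have no space after the hashes (and "File" has none before the parenthesis), which CommonMark does not treat as a heading; add the space so they match the new `###### Domain` and `###### IP` groups above. Further points in this hunk: "Get machines (deprecated)" is listed twice under Machines, pointing at the same file both times; more than twenty consecutive blank lines are added before `#### API for custom alerts` and should be dropped; and nearly every leaf entry sits at `#######`, one level past the six that Markdown headings define, so the rendering of the whole API tree needs checking in a preview build. Finally, the unchanged entry "Use the Windows Defender ATP exposed APIs" under "API for custom alerts" still links to `exposed-apis-windows-defender-advanced-threat-protection.md`, the same file this hunk now labels "(deprecated)"; either retarget it to `use-apis.md` or label it consistently.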
diff --git a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..e28bac587b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,110 @@
+---
+title: Add or Remove Machine Tags API
+description: Use this API to Add or Remove machine tags.
+keywords: apis, graph api, supported apis, tags, machine tags
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Add or Remove Machine Tags API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- Adds or remove tag to a specific machine.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Manage security setting' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/tags
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Value | String | The tag name. **Required**.
+Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.
+
+
+## Response
+If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of a request that adds machine tag.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/863fed4b174465c703c6e412965a31b5e1884cc4/tags
+Content-type: application/json
+{
+ "Value" : "Test Tag",
+ "Action": "Add"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
+ "id": "863fed4b174465c703c6e412965a31b5e1884cc4",
+ "computerDnsName": "mymachine55.contoso.com",
+ "firstSeen": "2018-07-31T14:20:55.8223496Z",
+ "lastSeen": "2018-09-27T08:44:05.6228836Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "lastIpAddress": "10.248.240.38",
+ "lastExternalIpAddress": "167.220.2.166",
+ "agentVersion": "10.3720.16299.98",
+ "osBuild": 16299,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [
+ "Test Tag"
+ ],
+ "rbacGroupId": 75,
+ "riskScore": "Medium",
+ "aadDeviceId": null
+}
+
+```
+
+To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
\ No newline at end of file
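Review bot: Under "Applies to", the line "Adds or remove tag to a specific machine." is formatted as a second bullet, so the API's description reads as a product the article applies to. Move it out of the list into its own paragraph and fix the wording ("Adds or removes a tag on a specific machine"). The example request omits the `Authorization: Bearer {token}` header that the Request headers table marks as required, and there is no blank line between `Content-type` and the JSON body, so the sample cannot be copied as a valid request. The Response section documents only the 200 case; because this is a write call gated by `Machine.ReadWrite.All` or `Machine.ReadWrite` plus the role and machine-group checks in the note, state what the caller receives when the machine ID is unknown or the token lacks access to that machine. Minor: `ms.date: 12/08/2017` on a newly added file looks copied from another article, the headers table mixes `String` and `string`, and the file ends without a trailing newline.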
diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..b1cde1afaf
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,81 @@
+---
+title: Get alerts API
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Alert resource type
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Represents an alert entity in WDATP.
+
+# Methods
+Method|Return Type |Description
+:---|:---|:---
+[Get alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) | Get a single [alert](alerts-windows-defender-advanced-threat-protection-new.md) object.
+[List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection.
+[Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)|[Alert](alerts-windows-defender-advanced-threat-protection-new.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).
+[List related domains](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)|Domain collection| List URLs associated with the alert.
+[List related files](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) | [File](files-windows-defender-advanced-threat-protection-new.md) collection | List the [file](files-windows-defender-advanced-threat-protection-new.md) entities that are associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+[List related IPs](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) | IP collection | List IPs that are associated with the alert.
+[Get related machines](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) | [Machine](machine-windows-defender-advanced-threat-protection-new.md) | The [machine](machine-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+[Get related users](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) | [User](user-windows-defender-advanced-threat-protection-new.md) | The [user](user-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+id | String | Alert ID
+severity | String | Severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
+status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
+description | String | Description of the threat, identified by the alert.
+recommendedAction | String | Action recommended for handling the suspected threat.
+alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
+title | string | Alert title
+threatFamilyName | string | Threat family
+detectionSource | string | Detection source
+assignedTo | String | Owner of the alert
+classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
+resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
+lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
+firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
+machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
+
+# JSON representation
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 1",
+ "recommendedAction": "Some recommended action 1",
+ "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 1",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+}
+```
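Review bot: The JSON representation sets `"severity": "Informational"`, but the Properties table allows only 'Low', 'Medium' and 'High' for `severity`; either add 'Informational' to the allowed values or change the sample. The sample also returns `actorName`, which has no row in the Properties table. In the methods table, "List related domains" is described as "List URLs associated with the alert", which should say domains. Smaller points: "occurance" should be "occurrence" in the `lastEventTime` and `firstEventTime` rows, and the Type column mixes `string` and `String`.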
diff --git a/windows/security/threat-protection/windows-defender-atp/apis-intro.md b/windows/security/threat-protection/windows-defender-atp/apis-intro.md
new file mode 100644
index 0000000000..304eed3564
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/apis-intro.md
@@ -0,0 +1,57 @@
+---
+title: Windows Defender Advanced Threat Protection API overview
+description: Learn how you can use APIs to automate workflows and innovate based on Windows Defender ATP capabilities
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Windows Defender ATP API overview
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](prerelease.md)]
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+
+As a developer, you decide which permissions for Windows Defender ATP your app requests. When a user signs in to your app they (or, in some cases, an administrator) are given a chance to give consent to these permissions. If the user provides consent, your app is given access to the resources and APIs that it has requested. For apps that don't take a signed-in user, permissions can be pre-approved to by an administrator when the app is installed or during sign-up.
+
+## Delegated permissions, application permissions, and effective permissions
+
+Windows Defender ATP has two types of permissions: delegated permissions and application permissions.
+
+- **Delegated permissions**
+ Used by apps that have a signed-in user present. For these apps either the user or an administrator provides consent to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Windows Defender ATP. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent.
+- **Application permissions**
+ Used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator.
+
+Effective permissions are permissions that your app will have when making requests to Windows Defender ATP. It is important to understand the difference between the delegated and application permissions that your app is granted and its effective permissions when making calls to Windows Defender ATP.
+
+- For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see [Assigning administrator roles in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles).
+
+ For example, assume your app has been granted the `Machine.CollectForensics` delegated permission. This permission nominally grants your app permission to collect investigation package from a machine. If the signed-in user has 'Alerts Investigation' permission, your app will be able to collect investigation package from a machine, if the machine belongs to a group the user is exposed to. However, if the signed-in user doesn't have 'Alerts Investigation' permission, your app won't be able to collect investigation package from any machine.
+
+- For application permissions, the effective permissions of your app will be the full level of privileges implied by the permission. For example, an app that has the `Machine.CollectForensics` application permission can collect investigation package from any machine in the organization.
+
+
+## Related topics
+- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md)
+- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
\ No newline at end of file
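Review bot: The introduction links only the OAuth 2.0 Authorization Code Flow, yet the same page goes on to describe application permissions for apps that run without a signed-in user; point readers to the matching token flow for that case too, or link the two how-to pages from this paragraph. In the consent paragraph, "permissions can be pre-approved to by an administrator" has a stray "to". The `Machine.CollectForensics` examples read "collect investigation package from a machine" and need an article ("an investigation package"). The file also ends without a trailing newline.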
diff --git a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
index 16ae492cd3..64f4c8d321 100644
--- a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Block file API
+# Block file API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Prevent a file from being executed in the organization using Windows Defender Antivirus.
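Review bot: The heading now says "(deprecated)" and a deprecation include is added, but `ms.date` in the front matter stays at 12/08/2017. The configure-proxy change in this same patch bumps its `ms.date`, so update it here as well so the page shows when the deprecation notice was added.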
diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..bcd6861b37
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,98 @@
+---
+title: Collect investigation package API
+description: Use this API to create calls related to the collecting an investigation package from a machine.
+keywords: apis, graph api, supported apis, collect investigation package
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Collect investigation package API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Collect investigation package from a machine.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.CollectForensics | 'Collect forensics'
+Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
+Content-type: application/json
+{
+ "Comment": "Collect forensics due to alert 1234"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "c9042f9b-8483-4526-87b5-35e4c2532223",
+ "type": "CollectInvestigationPackage",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": " Collect forensics due to alert 1234",
+ "status": "InProgress",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+ "relatedFileInfo": null
+}
+
+```
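Review bot: The request and response examples do not describe the same call. The request targets machine `fb9ab6be3965095a09c057be7c90f0a2`, while the response reports `"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f"`, and `requestorComment` carries a leading space that the request `Comment` does not have. Use one machine ID throughout and echo the comment verbatim. The example request also omits the `Authorization: Bearer {token}` header that the Request headers table marks as required, and both examples need a blank line between the headers and the JSON body. In the front matter, "create calls related to the collecting an investigation package" should drop "the".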
diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
index f6394dc5a6..74df3d6aa3 100644
--- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Collect investigation package API
+# Collect investigation package API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Collect investigation package from a machine.
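Review bot: The `[!include[Deprecatedinformation](deprecate.md)]` line is added in place of the blank line that was removed after the "Applies to" list. Check that a blank line still separates the include from the list item above it and from "Collect investigation package from a machine." below it, so the warning renders as its own block rather than as part of the list. `ms.date` is also left at 12/08/2017 although the page content changed.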
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index c7d9e056c4..2609656756 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/12/2018
+ms.date: 11/14/2018
---
@@ -98,8 +98,28 @@ United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.dat
United States | ```us.vortex-win.data.microsoft.com```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
+
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
+## Windows Defender ATP service backend IP range
+If you network devices don't support the URLs white-listed in the prior section, you can use the following information.
+
+Windows Defender ATP is built on Azure cloud, deployed in the following regions:
+
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+
+
+You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653).
+
+>[!NOTE]
+> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
+
## Verify client connectivity to Windows Defender ATP service URLs
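Review bot: The seven bullets under "deployed in the following regions" contain only `\+\` and no region name, so the new section tells readers nothing about which Azure regions to allow; fill in the region names or remove the list until they are available. The opening sentence "If you network devices don't support the URLs white-listed in the prior section" should read "If your network devices", and the note "It's recommended you move to DNS resolving setting" needs rewording so it is clear that URL/DNS-based rules are preferred over static IP ranges because the ranges can change.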
diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..53054cc36b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,93 @@
+---
+title: Create alert from event API
+description: Creates an alert using event details
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Create alert from event API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Enables using event data, as obtained from the [Advanced Hunting](run-advanced-query-api.md) for creating a new alert entity.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alerts.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | String | application/json. **Required**.
+
+## Request body
+In the request body, supply the following values (all are required):
+
+Property | Type | Description
+:---|:---|:---
+machineId | String | Id of the machine on which the event was identified. **Required**.
+severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
+title | String | Title for the alert. **Required**.
+description | String | Description of the alert. **Required**.
+recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert.
+eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**.
+reportId | String | The reportId, as obtained from the advanced query. **Required**.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
+
+
+## Response
+If successful, this method returns 200 OK, and a new [alert](alerts-windows-defender-advanced-threat-protection-new.md) object in the response body. If event with the specified properties (_reportId_, _eventTime_ and _machineId_) was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+Content-Length: application/json
+
+{
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "severity": "Low",
+ "title": "test alert",
+ "description": "redalert",
+ "recommendedAction": "white alert",
+ "eventTime": "2018-08-03T16:45:21.7115183Z",
+ "reportId": "20776",
+ "category": "None"
+}
+```
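Review bot: The example request sends `Content-Length: application/json`; that value belongs to `Content-Type`, which the Request headers table lists as required. The example also omits the required `Authorization: Bearer {token}` header. The Request body section says "all are required", but `recommendedAction` and `category` are not marked **Required** in the table, so state clearly which fields are optional. The Response section documents 200 OK with an alert object but no response example is given, unlike the other new API pages in this patch. Please also confirm the permission names, since the application permission is `Alerts.ReadWrite.All` while the delegated one is `Alert.ReadWrite`.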
diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index 8bc7172555..67591e6f98 100644
--- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -187,7 +187,6 @@ The API currently supports the following IOC types:
- Sha1
- Sha256
- Md5
-- FileName
- IpAddress
- DomainName
diff --git a/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..b0d3efb765
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,77 @@
+---
+title: Delete Ti Indicator.
+description: Deletes Ti Indicator entity by ID.
+keywords: apis, public api, supported apis, delete, ti indicator, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Delete TI Indicator API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a TI Indicator entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
+
+
+## HTTP request
+```
+Delete https://api.securitycenter.windows.com/api/tiindicators/{id}
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If TI Indicator exist and deleted successfully - 204 OK without content.
+If TI Indicator with the specified id was not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+DELETE https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 204 NO CONTENT
+
+```
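Review bot: The summary line under "Applies to" says "Retrieves a TI Indicator entity by ID.", which looks copied from the Get page; this page documents deletion and the front matter description already says "Deletes". That sentence also sits directly after the list item with no blank line between them. In the Response section, "204 OK without content" conflicts with the example response `HTTP/1.1 204 NO CONTENT`; use "204 No Content". The HTTP request block spells the verb `Delete` while the example uses `DELETE`, and the front matter title "Delete Ti Indicator." has a trailing period and different casing from the heading "Delete TI Indicator API".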
diff --git a/windows/security/threat-protection/windows-defender-atp/deprecate.md b/windows/security/threat-protection/windows-defender-atp/deprecate.md
new file mode 100644
index 0000000000..fe73a4d416
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/deprecate.md
@@ -0,0 +1,7 @@
+---
+ms.date: 10/17/2018
+---
+>[!WARNING]
+
+
+> This page documents a feature that will soon be deprecated. For the updated and supported version, see [Use the Windows Defender ATP APIs](use-apis.md).
\ No newline at end of file
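Review bot: Two blank lines separate `>[!WARNING]` from the quoted text that follows, so the alert marker and its body are no longer one blockquote and the warning is likely to render as an empty alert followed by a plain quote; put the `> This page documents ...` line directly under `>[!WARNING]`. The text says the feature "will soon be deprecated", while the pages that include it are retitled "(deprecated)" in this same patch, so pick one wording. The file also ends without a trailing newline.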
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md
new file mode 100644
index 0000000000..679dc47866
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md
@@ -0,0 +1,175 @@
+---
+title: Use Windows Defender Advanced Threat Protection APIs
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Use Windows Defender ATP APIs
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+This page describe how to create an application to get programmatical access to Windows Defender ATP on behalf of a user.
+
+If you need programmatical access Windows Defender ATP without a user, refer to [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md).
+
+If you are not sure which access you need, read the [Introduction page](apis-intro.md).
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission.
+
+>[!NOTE]
+> When accessing Windows Defender ATP API on behalf of a user, you will need the correct app permission and user permission.
+> If you are not familiar with user permissions on Windows Defender ATP, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md).
+
+>[!TIP]
+> If you have the permission to perform an action in the portal, you have the permission to perform the action in the API.
+
+## Create an app
+
+1. Log on to [Azure](https://portal.azure.com).
+
+2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
+
+ 
+
+3. In the Create window, enter the following information then click **Create**.
+
+ 
+
+ - **Name:** -Your app name-
+ - **Application type:** Native
+ - **Redirect URI:** `https://127.0.0.1`
+
+
+4. Click **Settings** > **Required permissions** > **Add**.
+
+ 
+
+5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**.
+
+ **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+
+ 
+
+6. Click **Select permissions** > check **Read alerts** and **Collect forensics** > **Select**.
+
+ >[!IMPORTANT]
+ >You need to select the relevant permissions. 'Read alerts' and 'Collect forensics' are only an example.
+
+ 
+
+ For instance,
+
+ - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
+ - To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission
+
+ To determine which permission you need, look at the **Permissions** section in the API you are interested to call.
+
+
+7. Click **Done**
+
+ 
+
+8. Click **Grant permissions**
+
+ In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button.
+
+ If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect.
+
+ 
+
+9. Write down your application ID.
+
+ 
+
+
+## Get an access token
+
+For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+
+### Using C#
+
+The code was below tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
+
+- Create a new Console Application
+- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
+- Add the below using
+
+ ```
+ using Microsoft.IdentityModel.Clients.ActiveDirectory;
+ ```
+
+- Copy/Paste the below code in your application (pay attention to the comments in the code)
+
+ ```
+ const string authority = "https://login.windows.net";
+ const string wdatpResourceId = "https://api.securitycenter.windows.com";
+
+ string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
+ string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
+
+ string username = "SecurityAdmin123@microsoft.com"; // Paste your username here
+ string password = GetPasswordFromSafePlace(); // Paste your own password here for a test, and then store it in a safe place!
+
+ UserPasswordCredential userCreds = new UserPasswordCredential(username, password);
+
+ AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}");
+ AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, appId, userCreds).GetAwaiter().GetResult();
+ string token = authenticationResult.AccessToken;
+ ```
+
+## Validate the token
+
+Sanity check to make sure you got a correct token:
+- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
+- Validate you get a 'scp' claim with the desired app permissions
+- In the screenshot below you can see a decoded token acquired from the app in the tutorial:
+
+
+
+## Use the token to access Windows Defender ATP API
+
+- Choose the API you want to use - [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- Set the Authorization header in the HTTP request you send to "Bearer {token}" (Bearer is the Authorization scheme)
+- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
+
+- Example of sending a request to get a list of alerts **using C#**
+ ```
+ var httpClient = new HttpClient();
+
+ var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
+
+ request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+ var response = await httpClient.SendAsync(request).ConfigureAwait(false);
+
+ // Do something useful with the response
+ ```
+
+## Related topics
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md)
\ No newline at end of file
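Review bot: The token sample under "Using C#" signs in with `new UserPasswordCredential(username, password)`, a username and password grant, while the introduction links the OAuth 2.0 Authorization Code Flow and the "Get an access token" section links the client credentials tutorial; name the flow the sample actually uses and link its documentation. The comment "Paste your own password here for a test" invites readers to hardcode a credential, and `GetPasswordFromSafePlace()` is not defined anywhere on the page; show reading the secret from a secure store or a prompt instead. The second snippet needs `using System.Net.Http;` and `using System.Net.Http.Headers;` listed, and it uses `await` where the first snippet blocks with `GetAwaiter().GetResult()`, so say what kind of method each is meant to sit in. Wording fixes: "This page describe", "programmatical access Windows Defender ATP" (missing "to"), "The code was below tested", "the Admin's tenant must press" (should be the tenant's admin), and "more then one request". The file ends without a trailing newline.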
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md
new file mode 100644
index 0000000000..ca0153916b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md
@@ -0,0 +1,220 @@
+---
+title: Create an app to access Windows Defender ATP without a user
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Create an app to access Windows Defender ATP without a user
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](prerelease.md)]
+
+This page describes how to create an application to get programmatical access to Windows Defender ATP without a user.
+
+If you need programmatical access Windows Defender ATP on behalf of a user, see [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
+
+If you are not sure which access you need, see [Use Windows Defender ATP APIs](apis-intro.md).
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission.
+
+## Create an app
+
+1. Log on to [Azure](https://portal.azure.com).
+
+2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
+
+ 
+
+3. In the Create window, enter the following information then click **Create**.
+
+ 
+
+ - **Name:** WdatpEcosystemPartner
+ - **Application type:** Web app / API
+ - **Redirect URI:** `https://WdatpEcosystemPartner.com` (The URL where user can sign in and use your app. You can change this URL later.)
+
+
+4. Click **Settings** > **Required permissions** > **Add**.
+
+ 
+
+5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**.
+
+ **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+
+ 
+
+6. Click **Select permissions** > **Run advanced queries** > **Select**.
+
+ **Important note**: You need to select the relevant permission. 'Run advanced queries' is only an example!
+
+ 
+
+ For instance,
+
+ - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
+ - To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission
+
+ To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
+
+7. Click **Done**
+
+ 
+
+8. Click **Grant permissions**
+
+ In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button.
+
+ If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect.
+
+ 
+
+9. Click **Keys** and type a key name and click **Save**.
+
+ **Important**: After you save, **copy the key value**. You won't be able to retrieve after you leave!
+
+ 
+
+10. Write down your application ID.
+
+ 
+
+11. Set your application to be multi-tenanted
+
+ This is **required** for 3rd party apps (for example, if you create an application that is intended to run in multiple customers tenant).
+
+ This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data)
+
+ Click **Properties** > **Yes** > **Save**.
+
+ 
+
+
+## Application consent
+You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer.
+
+You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
+
+Consent link is of the form:
+
+```
+https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
+```
+
+where 00000000-0000-0000-0000-000000000000 should be replaced with your Azure application ID
+
+
+## Get an access token
+
+For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+
+### Using C#
+
+>The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
+
+- Create a new Console Application
+- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
+- Add the below using
+
+ ```
+ using Microsoft.IdentityModel.Clients.ActiveDirectory;
+ ```
+
+- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```)
+
+ ```
+ string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
+ string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
+ string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place!
+
+ const string authority = "https://login.windows.net";
+ const string wdatpResourceId = "https://api.securitycenter.windows.com";
+
+ AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/");
+ ClientCredential clientCredential = new ClientCredential(appId, appSecret);
+ AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult();
+ string token = authenticationResult.AccessToken;
+ ```
+
+### Using PowerShell
+
+Refer to [Get token using PowerShell](run-advanced-query-sample-powershell.md#get-token)
+
+### Using Python
+
+Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
+
+### Using Curl
+
+> [!NOTE]
+> The below procedure supposed Curl for Windows is already installed on your computer
+
+- Open a command window
+- Set CLIENT_ID to your Azure application ID
+- Set CLIENT_SECRET to your Azure application secret
+- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access WDATP application
+- Run the below command:
+
+```
+curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k
+```
+
+You will get an answer of the form:
+
+```
+{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn aWReH7P0s0tjTBX8wGWqJUdDA"}
+```
+
+## Validate the token
+
+Sanity check to make sure you got a correct token:
+- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
+- Validate you get a 'roles' claim with the desired permissions
+- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Wdatp's roles:
+
+
+
+## Use the token to access Windows Defender ATP API
+
+- Choose the API you want to use, for more information, see [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme)
+- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
+
+- Example of sending a request to get a list of alerts **using C#**
+ ```
+ var httpClient = new HttpClient();
+
+ var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
+
+ request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+ var response = await httpClient.SendAsync(request).ConfigureAwait(false);
+
+ // Do something useful with the response
+ ```
+
+## Related topics
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
\ No newline at end of file
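Review bot: The curl command under "Using Curl" ends with -k, which turns off TLS certificate verification on the very request that posts client_secret to login.microsoftonline.com; drop -k so the sample does not teach readers to send the app secret over an unverified connection. In the same page the curl sample requests scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default while the C# sample uses the resource https://api.securitycenter.windows.com; either align them or state that both are accepted. The introduction links to the OAuth 2.0 Authorization Code Flow although the page describes obtaining a token without a user, the front-matter description has the typo "progammatic", "more then one request" should be "more than one request", and the file has no trailing newline.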
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md
new file mode 100644
index 0000000000..5c554d4040
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md
@@ -0,0 +1,118 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/24/2018
+---
+
+# Windows Defender ATP APIs using PowerShell
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Full scenario using multiple APIs from Windows Defender ATP.
+
+In this section we share PowerShell samples to
+ - Retrieve a token
+ - Use token to retrieve the latest alerts in Windows Defender ATP
+ - For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL.
+
+>**Prerequisite**: You first need to [create an app](apis-intro.md).
+
+## Preparation Instructions
+
+- Open a PowerShell window.
+- If your policy does not allow you to run the PowerShell commands, you can run the below command:
+```
+Set-ExecutionPolicy -ExecutionPolicy Bypass
+```
+
+>For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
+
+## Get token
+
+- Run the below
+
+> - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
+> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
+> - $appSecret: Secret of your AAD app
+> - $suspiciousUrl: The URL
+
+
+```
+$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
+$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
+$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
+$suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here
+
+$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice'
+$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
+$authBody = [Ordered] @{
+ resource = "$resourceAppIdUri"
+ client_id = "$appId"
+ client_secret = "$appSecret"
+ grant_type = 'client_credentials'
+}
+$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
+$aadToken = $authResponse.access_token
+
+
+#Get latest alert
+$alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10"
+$headers = @{
+ 'Content-Type' = 'application/json'
+ Accept = 'application/json'
+ Authorization = "Bearer $aadToken"
+}
+$alertResponse = Invoke-WebRequest -Method Get -Uri $alertUrl -Headers $headers -ErrorAction Stop
+$alerts = ($alertResponse | ConvertFrom-Json).value
+
+$machinesToInvestigate = New-Object System.Collections.ArrayList
+
+Foreach($alert in $alerts)
+{
+ #echo $alert.id $alert.machineId $alert.severity $alert.status
+
+ $isSevereAlert = $alert.severity -in 'Medium', 'High'
+ $isOpenAlert = $alert.status -in 'InProgress', 'New'
+ if($isOpenAlert -and $isSevereAlert)
+ {
+ if (-not $machinesToInvestigate.Contains($alert.machineId))
+ {
+ $machinesToInvestigate.Add($alert.machineId) > $null
+ }
+ }
+}
+
+$commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')
+
+$query = "NetworkCommunicationEvents
+| where MachineId in ($commaSeparatedMachines)
+| where RemoteUrl == `"$suspiciousUrl`"
+| summarize ConnectionsCount = count() by MachineId"
+
+$queryUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run"
+
+$queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query }
+$queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop
+$response = ($queryResponse | ConvertFrom-Json).Results
+$response
+
+```
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
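Review bot: In "Preparation Instructions", Set-ExecutionPolicy -ExecutionPolicy Bypass is given without -Scope, so it applies at the default LocalMachine scope and stays in effect after the sample has run; suggest "Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process" so the bypass ends with the PowerShell session. The script also builds the query by interpolating $suspiciousUrl and the machine IDs straight into the query text, which deserves a sentence saying these values must be trusted or escaped. Smaller points: the front-matter title "Advanced Hunting API" does not match the H1, the parameter note "$suspiciousUrl: The URL" is unfinished, and the intro says "still in progress" while the code also treats 'New' alerts as open.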
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md
new file mode 100644
index 0000000000..101b345a77
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md
@@ -0,0 +1,58 @@
+---
+title: Supported Windows Defender Advanced Threat Protection query APIs
+description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to.
+keywords: apis, supported apis, actor, alerts, machine, user, domain, ip, file, advanced queries, advanced hunting
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Supported Windows Defender ATP query APIs
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink)
+
+## End Point URI and Versioning
+
+### End Point URI:
+
+> The service base URI is: https://api.securitycenter.windows.com
+
+> The queries based OData have the '/api' prefix. For example, to get Alerts you can send GET request to https://api.securitycenter.windows.com/api/alerts
+
+### Versioning:
+
+> The API supports versioning.
+
+> The current version is **V1.0**.
+
+> To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts
+
+> If you don't specify any version (e.g., https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version.
+
+
+Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
+
+## In this section
+Topic | Description
+:---|:---
+Advanced Hunting | Run queries from API.
+Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information.
+Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization.
+File | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
+IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization.
+Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
+User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
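Review bot: The front matter has ms.date: 30/07/2018, which is day-first while every other file in this patch uses MM/DD/YYYY (for example 09/03/2018); it should be 07/30/2018. In the table, the Domain row lists "domain related machines" twice and the IP row reads "check if and IP is seen" (should be "an IP"). Since the Versioning section says an unversioned URL resolves to the latest version, consider recommending that callers pin /api/v1.0/ so a later version does not change the behaviour of existing integrations.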
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
new file mode 100644
index 0000000000..dfc82df1d8
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
@@ -0,0 +1,232 @@
+---
+title: OData queries with Windows Defender ATP
+description: OData queries with Windows Defender ATP
+keywords: apis, supported apis, odata, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 11/15/2018
+---
+
+# OData queries with Windows Defender ATP
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+- If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/)
+
+- Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries.
+- [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter.
+
+### Example 1
+
+**Get all the machines with the tag 'ExampleTag'**
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "b9d4c51123327fb2a25db29ff1b8f3b64888e7ba",
+ "computerDnsName": "examples.dev.corp.Contoso.com",
+ "firstSeen": "2018-03-07T11:19:11.7234147Z",
+ "lastSeen": "2018-11-15T11:23:38.3196947Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "123.17.255.241",
+ "lastExternalIpAddress": "123.220.196.180",
+ "agentVersion": "10.6400.18282.1001",
+ "osBuild": 18282,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [
+ "ExampleTag"
+ ],
+ "rbacGroupId": 5,
+ "rbacGroupName": "Developers",
+ "riskScore": "North",
+ "aadDeviceId": null
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+### Example 2
+
+- Get all the machines with 'High' 'RiskScore'
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore eq 'High'
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "e3a77eeddb83d581238792387b1239b01286b2f",
+ "computerDnsName": "examples.dev.corp.Contoso.com",
+ "firstSeen": "2016-11-02T23:26:03.7882168Z",
+ "lastSeen": "2018-11-12T10:27:08.708723Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "123.123.10.33",
+ "lastExternalIpAddress": "124.124.160.172",
+ "agentVersion": "10.6300.18279.1001",
+ "osBuild": 18279,
+ "healthStatus": "ImpairedCommunication",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 5,
+ "rbacGroupName": "Developers",
+ "riskScore": "High",
+ "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+### Example 3
+
+- Get top 100 machines with 'HealthStatus' not equals to 'Active'
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus ne 'Active'&$top=100
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1113333ddb83d581238792387b1239b01286b2f",
+ "computerDnsName": "examples.dev.corp.Contoso.com",
+ "firstSeen": "2016-11-02T23:26:03.7882168Z",
+ "lastSeen": "2018-11-12T10:27:08.708723Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "123.123.10.33",
+ "lastExternalIpAddress": "124.124.160.172",
+ "agentVersion": "10.6300.18279.1001",
+ "osBuild": 18279,
+ "healthStatus": "ImpairedCommunication",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 5,
+ "rbacGroupName": "Developers",
+ "riskScore": "Medium",
+ "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+### Example 4
+
+- Get all the machines that last seen after 2018-10-20
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-10-20Z
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "83113465ffceca4a731234e5dcde3357e026e873",
+ "computerDnsName": "examples-vm10",
+ "firstSeen": "2018-11-12T16:07:50.1706168Z",
+ "lastSeen": "2018-11-12T16:07:50.1706168Z",
+ "osPlatform": "WindowsServer2019",
+ "osVersion": null,
+ "lastIpAddress": "10.123.72.35",
+ "lastExternalIpAddress": "123.220.2.3",
+ "agentVersion": "10.6300.18281.1000",
+ "osBuild": 18281,
+ "healthStatus": "Active",
+ "isAadJoined": false,
+ "machineTags": [],
+ "rbacGroupId": 5,
+ "rbacGroupName": "Developers",
+ "riskScore": "None",
+ "aadDeviceId": null
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+### Example 5
+
+- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan'
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
+ "value": [
+ {
+ "id": "5c3e3322-d993-1234-1111-dfb136ebc8c5",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@examples.onmicrosoft.com",
+ "requestorComment": "1533",
+ "status": "Succeeded",
+ "machineId": "123321c10e44a82877af76b1d0161a17843f688a",
+ "creationDateTimeUtc": "2018-11-12T13:33:24.5755657Z",
+ "lastUpdateDateTimeUtc": "2018-11-12T13:34:32.0319826Z",
+ "relatedFileInfo": null
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
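Review bot: Example 5 is inconsistent about the requestor: the description and the response use Analyst@examples.onmicrosoft.com, but the request filters on 'Analyst@WcdTestPrd.onmicrosoft.com', which looks like a real test tenant name left in the sample; replace it with the examples.onmicrosoft.com address. In the Example 1 response, "riskScore": "North" does not match the values used elsewhere on the page (High, Medium, None) and looks like a scrubbing error. The request URLs also contain unencoded spaces in $filter; a note that clients must URL-encode the query would save readers a failed call. Examples 2 to 5 format their titles as list items while Example 1 uses bold text.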
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
index 82d6912c6d..67ec69e0e1 100644
--- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
ms.date: 10/23/2017
---
-# Use the Windows Defender ATP exposed APIs
+# Use the Windows Defender ATP exposed APIs (deprecated)
**Applies to:**
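Review bot: This hunk only appends "(deprecated)" to the heading; the other deprecated page in this patch (find-machine-info-by-ip) also adds [!include[Deprecated information](deprecate.md)] below "Applies to:". Add the same include here so readers of this page get the deprecation notice, and consider updating ms.date, which stays at 10/23/2017.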
diff --git a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..076ab10d21
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,49 @@
+---
+title: File resource type
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# File resource type
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Represent a file entity in WDATP.
+
+# Methods
+Method|Return Type |Description
+:---|:---|:---
+[Get file](get-file-information-windows-defender-advanced-threat-protection-new.md) | [file](files-windows-defender-advanced-threat-protection-new.md) | Get a single file
+[List file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that are associated with the file.
+[List file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Get the [machine](machine-windows-defender-advanced-threat-protection-new.md) entities associated with the alert.
+[file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md) | Statistics summary | Retrieves the prevalence for the given file.
+
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+sha1 | String | Sha1 hash of the file content
+sha256 | String | Sha256 hash of the file content
+md5 | String | md5 hash of the file content
+globalPrevalence | Integer | File prevalence accross organization
+globalFirstObserved | DateTimeOffset | First time the file was observed.
+globalLastObserved | DateTimeOffset | Last time the file was observed.
+size | Integer | Size of the file.
+fileType | String | Type of the file.
+isPeFile | Boolean | true if the file is portable executable (e.g. "DLL", "EXE", etc.)
+filePublisher | String | File publisher.
+fileProductName | String | Product name.
+signer | String | File signer.
+issuer | String | File issuer.
+signerHash | String | Hash of the signing certificate.
+isValidCertificate | Boolean | Was signing certificate successfully verified by WDATP agent.
+
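Review bot: The front matter is copied from an alerts page: description is "Retrieves top recent alerts." and the keywords are "get, alerts, recent", neither of which describes the File resource type. In the Methods table, "List file related machines" is described as machines "associated with the alert" where it should say "associated with the file". In Properties, "accross" should be "across", and globalPrevalence is described as prevalence across the organization, which contradicts the "global" in its name; clarify which one it is. "Methods" and "Properties" are H1 headings and should be H2 under the page title.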
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..5f1df97182
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,88 @@
+---
+title: Find machine information by internal IP API
+description: Use this API to create calls related to finding a machine entry around a specific timestamp by internal IP.
+keywords: ip, apis, graph api, supported apis, find machine, machine information
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 07/25/2018
+---
+
+# Find machine information by internal IP API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+Find a machine by internal IP.
+
+>[!NOTE]
+>The timestamp must be within the last 30 days.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+
+## HTTP request
+```
+GET /api/machines/find(timestamp={time},key={IP})
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK.
+If no machine found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61')
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+
+The response will return a list of all machines that reported this IP address within sixteen minutes prior and after the timestamp.
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+ "value": [
+ {
+ "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",
+ "computerDnsName": "",
+ "firstSeen": "2017-07-06T01:25:04.9480498Z",
+ "osPlatform": "Windows10",
+…
+}
+```
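Review bot: The example request and the @odata.context in the response use https://graph.microsoft.com/testwdatppreview/..., which matches neither the documented route "GET /api/machines/find(timestamp={time},key={IP})" nor the https://api.securitycenter.windows.com base used by the other new pages; it appears to be an internal preview endpoint and should be replaced. The response text says machines are matched "within sixteen minutes prior and after the timestamp" while the sibling page find-machines-by-ip added in this patch says 15 minutes; one of them is wrong. The two pages also document different routes (find vs findbyip) for the same operation, so it is worth confirming that both are meant to ship. The sample JSON is cut off with "…" and leaves the "value" array unclosed.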
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
index 0f74a2e1cf..f1e846309d 100644
--- a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 07/25/2018
---
-# Find machine information by internal IP API
+# Find machine information by internal IP API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Find a machine entity around a specific timestamp by internal IP.
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..495830551e
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,105 @@
+---
+title: Find machines by internal IP API
+description: Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp
+keywords: apis, graph api, supported apis, get, machine, IP, find, find machine, by ip, ip
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Find machines by internal IP API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp
+- The given timestamp must be in the past 30 days.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp})
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machines were found - 200 OK with list of the machines in the response body.
+If no machine found - 404 Not Found.
+If the timestamp is not in the past 30 days - 400 Bad Request.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2018-09-22T08:44:05Z)
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "863fed4b174465c703c6e412965a31b5e1884cc4",
+ "computerDnsName": "mymachine33.contoso.com",
+ "firstSeen": "2018-07-31T14:20:55.8223496Z",
+ "lastSeen": null,
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "lastIpAddress": "10.248.240.38",
+ "lastExternalIpAddress": "167.220.2.166",
+ "agentVersion": "10.3720.16299.98",
+ "osBuild": 16299,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 75,
+ "riskScore": "Medium",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
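Review bot: the two bullets that follow the product name under **Applies to:** ("Find machines seen with the requested internal IP..." and "The given timestamp must be in the past 30 days.") are the API summary and a constraint, not products, so they will render as part of the applies-to list. Move them into a paragraph below the list, the way the other new API pages in this change place their one-line "Retrieves ..." summary. Two smaller points in the same file: the three lines under "## Response" have no blank line or list marker between them and will collapse into one paragraph, and the second note bullet reads "machines,that the user have access to" (should be "machines that the user has access to").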
diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
index 12e531ccb6..ac3608c9c2 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
@@ -15,12 +15,13 @@ ms.date: 12/08/2017
---
-# Get actor information API
+# Get actor information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Retrieves an actor information report.
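Review bot: the include label on the added line is written `Deprecatedinformation` with no space, while the get-actor-related-alerts page in this same change uses `Deprecated information`. The label is only display text, but one spelling across all deprecated pages makes them easier to find and audit later; suggest `[!include[Deprecated information](deprecate.md)]` here.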
diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
index 216bf3fd90..c0ff5a988c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get actor related alerts API
+# Get actor related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves all alerts related to a given actor.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..d2187f343b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,98 @@
+---
+title: Get alert information by ID API
+description: Retrieves an alert by its ID.
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert information by ID API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves an alert by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body. If alert with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 1",
+ "recommendedAction": "Some recommended action 1",
+ "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 1",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+}
+
+```
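Review bot: the response example starts directly at the JSON body and omits the `HTTP/1.1 200 OK` and `Content-type: application/json` lines that the find-by-IP response example in this change includes, so the two pages show the same kind of response in different shapes. Add the status and content-type lines (or drop them everywhere), and remove the empty line before the closing fence. The sample value `"assignedTo": "best secop ever"` would read better as a realistic placeholder account, in keeping with the contoso names used in the other examples.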
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
index d74debcef4..70160a3b2c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert information by ID API
+# Get alert information by ID API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves an alert by its ID.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
index 6eb366dc10..99fcbab5bf 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related actor information API
+# Get alert related actor information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Retrieves the actor information related to the specific alert.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..a51d83949c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,86 @@
+---
+title: Get alert related domains information
+description: Retrieves all domains related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related domain
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related domain information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves all domains related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | URL.Read.All | 'Read URLs'
+Delegated (work or school account) | URL.Read.All | 'Read URLs'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/domains
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/domains
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/$metadata#Domains",
+ "value": [
+ {
+ "host": "www.example.com"
+ }
+ ]
+}
+
+```
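Review bot: the example request URL does not match the documented route. The "HTTP request" section gives `GET /api/alerts/{id}/domains`, but the example calls `https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/domains` with no `/api/` segment, and the `@odata.context` in the response likewise lacks `/api/` where the alert-by-ID page has it. A reader who copies the example will call a path the page does not document; add `/api/` to both. The front-matter title ("Get alert related domains information") also differs from the H1 ("Get alert related domain information API"), and the Response sentence does not say what the body contains on 200.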
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
index 4558e6c341..d0cfda9671 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,16 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related domain information API
+# Get alert related domain information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
+
+
Retrieves all domains related to a specific alert.
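Review bot: this hunk adds two empty `+` lines after the include, where the sibling deprecated pages in this change add the include line only. Drop the extra blank lines so the deprecation edits are uniform, and write the label as `Deprecated information` with a space, as the alert-by-ID and actor-related-alerts pages do.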
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..aecd1dc46f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,99 @@
+---
+title: Get alert related files information
+description: Retrieves all files related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related files
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related files information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves all files related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | File.Read.All | 'Read file profiles'
+Delegated (work or school account) | File.Read.All | 'Read file profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/files
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and files exist - 200 OK. If alert not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/files
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files",
+ "value": [
+ {
+ "sha1": "654f19c41d9662cf86be21bf0af5a88c38c56a9d",
+ "sha256": "2f905feec2798cee6f63da2c26758d86bfeaab954c01e20ac7085bf55fedde87",
+ "md5": "82849dc81d94056224445ea73dc6153a",
+ "globalPrevalence": 33,
+ "globalFirstObserved": "2018-07-17T18:17:27.5909748Z",
+ "globalLastObserved": "2018-08-06T16:07:12.9414137Z",
+ "windowsDefenderAVThreatName": null,
+ "size": 801112,
+ "fileType": "PortableExecutable",
+ "isPeFile": true,
+ "filePublisher": null,
+ "fileProductName": null,
+ "signer": "Microsoft Windows",
+ "issuer": "Microsoft Development PCA 2014",
+ "signerHash": "9e284231a4d1c53fc8d4492b09f65116bf97447f",
+ "isValidCertificate": true
+ }
+ ]
+}
+```
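Review bot: the Response section ("If successful and alert and files exist - 200 OK. If alert not found - 404 Not Found.") leaves the alert-exists-but-no-related-files case undefined and does not say what the 200 body holds. Callers that automate triage need to know whether that case returns an empty `value` array or a 404; state it explicitly and mention that the body is a list of file entities, as the example shows.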
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
index 46fc01cffb..cc2ec68bf7 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related files information API
+# Get alert related files information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves all files related to a specific alert.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..3da5ca41df
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,89 @@
+---
+title: Get alert related IPs information
+description: Retrieves all IPs related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related ip
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related IP information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves all IPs related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ip.Read.All | 'Read IP address profiles'
+Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/ips
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/ips
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/$metadata#Ips",
+ "value": [
+ {
+ "id": "104.80.104.128"
+ },
+ {
+ "id": "23.203.232.228
+ }
+ ]
+}
+
+```
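Review bot: the response example is not valid JSON. The second entry reads `"id": "23.203.232.228` with the closing quote missing, so anyone pasting the sample into a parser or test fixture gets a syntax error. The example request URL also omits the `/api/` segment that the "HTTP request" section documents (`GET /api/alerts/{id}/ips`), and the `@odata.context` has the same omission; fix all three, and drop the blank line before the closing fence.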
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
index 1952732087..fba77be35c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related IP information API
+# Get alert related IP information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves all IPs related to a specific alert.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..33075d8e93
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,98 @@
+---
+title: Get alert related machine information
+description: Retrieves all machines related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related machine
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related machine information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves machine that is related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine information'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/machine
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and machine exist - 200 OK. If alert not found or machine not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/machine
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
+ "id": "ff0c3800ed8d66738a514971cd6867166809369f",
+ "computerDnsName": "amazingmachine.contoso.com",
+ "firstSeen": "2017-12-10T07:47:34.4269783Z",
+ "lastSeen": "2017-12-10T07:47:34.4269783Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "systemProductName": null,
+ "lastIpAddress": "172.17.0.0",
+ "lastExternalIpAddress": "167.220.0.0",
+ "agentVersion": "10.5830.17732.1001",
+ "osBuild": 17732,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 75,
+ "riskScore": "Low",
+ "aadDeviceId": "80fe8ff8-0000-0000-9591-41f0491218f9"
+}
+```
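Review bot: the front-matter description says "Retrieves all machines related to a specific alert", but the route is singular (`GET /api/alerts/{id}/machine`), the body text says "Retrieves machine that is related to a specific alert", and the example returns a single `Machines/$entity`. Change the description to the singular so search results and the page agree, and fix the body sentence to "Retrieves the machine that is related to a specific alert." The display name for `Machine.Read.All` here is 'Read all machine information' while the find-by-IP page in this change lists it as 'Read all machine profiles'; use whichever string the consent screen actually shows in both places.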
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
index 52169b949b..a9abbd55bb 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related machine information API
+# Get alert related machine information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves all machines related to a specific alert.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..5d1de50542
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,90 @@
+---
+title: Get alert related user information
+description: Retrieves the user associated to a specific alert.
+keywords: apis, graph api, supported apis, get, alert, information, related, user
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related user information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves the user associated to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | User.Read.All | 'Read user profiles'
+Delegated (work or school account) | User.Read.All | 'Read user profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/user
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and a user exists - 200 OK with user in the body. If alert or user not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/user
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
+ "id": "contoso\\user1",
+ "firstSeen": "2018-08-02T00:00:00Z",
+ "lastSeen": "2018-08-04T00:00:00Z",
+ "mostPrevalentMachineId": null,
+ "leastPrevalentMachineId": null,
+ "logonTypes": "Network",
+ "logOnMachinesCount": 3,
+ "isDomainAdmin": false,
+ "isOnlyNetworkUser": null
+}
+```
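Review bot: wording in the description and summary line, "Retrieves the user associated to a specific alert", should be "associated with", and the Response sentence "If successful and alert and a user exists" has a subject-verb mismatch ("exist"). The Response text could also name the returned entity type the way the alert-by-ID page links to the alert entity, so readers know where the fields in the example are defined.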
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
index c60acf0220..cd9221b4db 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related user information API
+# Get alert related user information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves the user associated to a specific alert.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..02ebbe143c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,130 @@
+---
+title: List alerts API
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List alerts API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves top recent alerts.
+
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The response will include only alerts that are associated with machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts
+```
+
+## Optional query parameters
+Method supports $skip and $top query parameters.
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
+
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 1",
+ "recommendedAction": "Some recommended action 1",
+ "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 1",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+ },
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 2",
+ "recommendedAction": "Some recommended action 2",
+ "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 2",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+ }
+ ]
+}
+```
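Review bot: Both sample alerts in the response example carry the same "id" value, 636688558380765161_2136280442, although they differ in description, title and timestamps; give the second entry a distinct id so the sample does not suggest that ids can repeat within one result set. The "Optional query parameters" section says only that $skip and $top are supported; stating the default and maximum page size would tell a caller whether "top recent alerts" is a complete list or needs paging.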
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
index 29b9ca446e..30daf66f8c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alerts API
+# Get alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves top recent alerts.
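Review bot: The H1 gains "(deprecated)", but this hunk starts at line 14 and does not touch the front matter above it, and ms.date still reads 12/08/2017. If the front-matter title is what feeds search results and the TOC, update it as well and bump ms.date. Since deprecate.md is a shared include and cannot name a page-specific replacement, consider adding a link to the new List alerts page introduced in this patch.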
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..b1e8502727
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,129 @@
+---
+title: Get domain related alerts API
+description: Retrieves a collection of alerts related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain related alerts API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+
+
+
+Retrieves a collection of alerts related to a given domain address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities. If domain does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 1",
+ "recommendedAction": "Some recommended action 1",
+ "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 1",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+ },
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 2",
+ "recommendedAction": "Some recommended action 2",
+ "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 2",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+ }
+ ]
+}
+```
+
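Review bot: In the response example, "@odata.context" ends in $metadata#Machines although the payload is a list of alerts; the List alerts page in this patch uses $metadata#Alerts, so this looks like a copy-paste slip. The Request headers table also declares two columns (Header | Value) over a three-column separator and a three-cell row; use Name | Type | Description as the other new pages do. The two sample alerts share one "id" value here as well.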
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
index 5f0b8ccfc5..4d2cd0fc45 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,15 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get domain related alerts API
+# Get domain related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
+
Retrieves a collection of alerts related to a given domain address.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..f5ac6e74f8
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,122 @@
+---
+title: Get domain related machines API
+description: Retrieves a collection of machines related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain related machines API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves a collection of machines that have communicated to or from a given domain address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities. If domain do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "02ea9a24e8bd39c247ed7ca0edae879c321684e5",
+ "computerDnsName": "testMachine1",
+ "firstSeen": "2018-07-30T20:12:00.3708661Z",
+ "lastSeen": "2018-07-30T20:12:00.3708661Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "10.209.67.177",
+ "lastExternalIpAddress": "167.220.1.210",
+ "agentVersion": "10.5830.18208.1000",
+ "osBuild": 18208,
+ "healthStatus": "Inactive",
+ "isAadJoined": false,
+ "machineTags": [],
+ "rbacGroupId": 75,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ },
+ {
+ "id": "02efb9a9b85f07749a018fbf3f962b4700b3b949",
+ "computerDnsName": "testMachine2",
+ "firstSeen": "2018-07-30T19:50:47.3618349Z",
+ "lastSeen": "2018-07-30T19:50:47.3618349Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "10.209.70.231",
+ "lastExternalIpAddress": "167.220.0.28",
+ "agentVersion": "10.5830.18208.1000",
+ "osBuild": 18208,
+ "healthStatus": "Inactive",
+ "isAadJoined": false,
+ "machineTags": [],
+ "rbacGroupId": 75,
+ "riskScore": "None",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
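Review bot: The example request queries /api/domains/api.securitycenter.windows.com/machines, so the domain being looked up is the API's own host name, which makes the URL hard to read; use a neutral domain such as the example.com used on the domain statistics page. In the Response section, "If domain do not exist" should read "does not exist", and the front-matter description ("related to a given domain address") should match the body text ("have communicated to or from a given domain address").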
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
index c09460e204..9995b7a57f 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get domain related machines API
+# Get domain related machines API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of machines related to a given domain address.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..c940edba9f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,83 @@
+---
+title: Get domain statistics API
+description: Retrieves the prevalence for the given domain.
+keywords: apis, graph api, supported apis, get, domain, domain related machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain statistics API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves the prevalence for the given domain.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | URL.Read.All | 'Read URLs'
+Delegated (work or school account) | URL.Read.All | 'Read URLs'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}/stats
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/domains/example.com/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
+ "host": "example.com",
+ "orgPrevalence": "4070",
+ "orgFirstSeen": "2017-07-30T13:23:48Z",
+ "orgLastSeen": "2017-08-29T13:09:05Z"
+}
+```
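Review bot: "orgPrevalence": "4070" is shown as a quoted string, while the file information page in this patch shows "globalPrevalence": 7329 as a number; confirm which type the API returns and make the sample match, because clients that deserialize into typed models will follow the sample. The Response section says only "statistics object"; a short table of the returned fields (host, orgPrevalence, orgFirstSeen, orgLastSeen) would help. The example also has no blank line between the Content-type header and the JSON body, unlike the domain related alerts example.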
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
index 2e3cde9b70..7cab84b5fb 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get domain statistics API
+# Get domain statistics API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Retrieves the prevalence for the given domain.
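Review bot: The include label here is "Deprecatedinformation" without a space, while the other deprecated pages in this patch use "Deprecated information"; make it [!include[Deprecated information](deprecate.md)] for consistency. ms.date is also left at 12/08/2017 although the page content changes.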
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..82ba0c9a36
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,97 @@
+---
+title: Get file information API
+description: Retrieves a file by identifier Sha1, Sha256, or MD5.
+keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file information API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves a file by identifier Sha1, Sha256, or MD5.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | File.Read.All | 'Read all file profiles'
+Delegated (work or school account) | File.Read.All | 'Read all file profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+
+## HTTP request
+```
+GET /api/files/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with the [file](files-windows-defender-advanced-threat-protection-new.md) entity in the body. If file does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity",
+ "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
+ "sha256": "d4447dffdbb2889b4b4e746b0bc882df1b854101614b0aa83953ef3cb66904cf",
+ "md5": "7f05a371d2beffb3784fd2199f81d730",
+ "globalPrevalence": 7329,
+ "globalFirstObserved": "2018-04-08T05:50:29.4459725Z",
+ "globalLastObserved": "2018-08-07T23:35:11.1361328Z",
+ "windowsDefenderAVThreatName": null,
+ "size": 391680,
+ "fileType": "PortableExecutable",
+ "isPeFile": true,
+ "filePublisher": null,
+ "fileProductName": null,
+ "signer": null,
+ "issuer": null,
+ "signerHash": null,
+ "isValidCertificate": null
+}
+```
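Review bot: The permission display name for File.Read.All is 'Read all file profiles' in this page's Permissions table but 'Read file profiles' on the file statistics page added in the same patch; use one name in both tables. The HTTP request section should also say that {id} is the file's SHA-1, SHA-256 or MD5 hash, and that standard casing would read better than "Sha1, Sha256" in the description and intro line.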
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
index 2d6f45993f..9683f68898 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get file information API
+# Get file information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a file by identifier Sha1, Sha256, or MD5.
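Review bot: This hunk swaps the blank line after the "Applies to" list for the include instead of adding the include alongside it, whereas the domain related alerts hunk adds the include plus a blank line. Check that a blank line remains on each side of [!include[Deprecated information](deprecate.md)] so it renders as its own block, and apply the same layout to all the deprecated pages.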
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..e34b9d8c77
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,106 @@
+---
+title: Get file related alerts API
+description: Retrieves a collection of alerts related to a given file hash.
+keywords: apis, graph api, supported apis, get, file, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file related alerts API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves a collection of alerts related to a given file hash.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/files/{id}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "636692391408655573_2010598859",
+ "severity": "Low",
+ "status": "New",
+ "description": "test alert",
+ "recommendedAction": "do this and that",
+ "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+ "category": "None",
+ "title": "test alert",
+ "threatFamilyName": null,
+ "detectionSource": "CustomerTI",
+ "classification": null,
+ "determination": null,
+ "assignedTo": null,
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+ "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+ "actorName": null,
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+ }
+ ]
+}
+```
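Review bot: In the Response section, "If file do not exist" should read "does not exist", and the second Note bullet ("only alerts, associated with machines, that the user have access to") is ungrammatical; reuse the wording from the List alerts page in this patch: "only alerts that are associated with machines that the user can access". The response example also lacks a blank line between the Content-type header and the JSON body.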
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
index 89272a50e2..3967df849d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get file related alerts API
+# Get file related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given file hash.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..79aaefa954
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,122 @@
+---
+title: Get file related machines API
+description: Retrieves a collection of machines related to a given file hash.
+keywords: apis, graph api, supported apis, get, machines, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file related machines API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves a collection of machines related to a given file hash.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/files/{id}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lasttSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "lasttSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
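Review bot: Both machines in the sample response use the key "lasttSeen" (double t), while the domain related machines page in this patch shows "lastSeen"; anyone copying field names from this sample will end up with a wrong property name. The first machine's "firstSeen" (2018-08-02) is also later than its "lasttSeen" value (2018-07-09), and the hash in the example request, 1e5bc9d7e413ddd7902c2932e418702b84d0cc07, is the same value returned as that machine's "id", so the sample blurs file and machine identifiers. "If file do not exist" in the Response section needs the same grammar fix as on the other file pages.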
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
index 62a8f25bcf..dc8a07b552 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get file related machines API
+# Get file related machines API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of machines related to a given file hash.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..3f661dc422
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,92 @@
+---
+title: Get file statistics API
+description: Retrieves the prevalence for the given file.
+keywords: apis, graph api, supported apis, get, file, statistics
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file statistics API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+
+
+
+Retrieves the prevalence for the given file.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | File.Read.All | 'Read file profiles'
+Delegated (work or school account) | File.Read.All | 'Read file profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/files/{id}/stats
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with statistical data in the body. If file do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
+ "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
+ "orgPrevalence": "3",
+ "orgFirstSeen": "2018-07-15T06:13:59Z",
+ "orgLastSeen": "2018-08-03T16:45:21Z",
+ "topFileNames": [
+ "chrome_1.exe",
+ "chrome_2.exe"
+ ]
+}
+
+```
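Review bot: `GET /api/files/{id}/stats` never says what `{id}` is. The example passes a 40-character hex value that the response echoes back as `sha1`, so the HTTP request section should state that the identifier is the file's SHA-1 and whether any other hash type is accepted. In the Response section, "If file do not exist" should read "If the file does not exist". The sample also shows `orgPrevalence` as the quoted string "3"; if the API really returns a string rather than a number, say so, since none of the response fields are described.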
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
index 07424aafd3..e7b702fac8 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get file statistics API
+# Get file statistics API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Retrieves the prevalence for the given file.
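Review bot: the include label added here is `Deprecatedinformation` with no space, while the file-related-machines, IP-related-alerts and machine hunks in this patch use `Deprecated information`. The same run-together label appears in the FileActions, FileMachineAction and FileMachineActions hunks that follow. Pick one spelling so every deprecated page can be found with a single search.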
diff --git a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
index fb469ffac8..b83bae0e6d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get FileActions collection API
+# Get FileActions collection API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Gets collection of actions done on files. Get FileActions collection API supports OData V4 queries.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
index 0d846e906b..5fc6065ee7 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get FileMachineAction object API
+# Get FileMachineAction object API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Gets file and machine actions.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
index 27eb723cd9..b00ad9d909 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get FileMachineActions collection API
+# Get FileMachineActions collection API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Get collection of file and machine actions. Get FileMachineActions collection API supports OData V4 queries.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..981c022145
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,105 @@
+---
+title: Get IP related alerts API
+description: Retrieves a collection of alerts related to a given IP address.
+keywords: apis, graph api, supported apis, get, ip, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP related alerts API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves a collection of alerts related to a given IP address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "636692391408655573_2010598859",
+ "severity": "Low",
+ "status": "New",
+ "description": "test alert",
+ "recommendedAction": "do this and that",
+ "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+ "category": "None",
+ "title": "test alert",
+ "threatFamilyName": null,
+ "detectionSource": "CustomerTI",
+ "classification": null,
+ "determination": null,
+ "assignedTo": null,
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+ "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+ "actorName": null,
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+ }
+ ]
+}
+```
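Review bot: the Permissions table lists `Alert.ReadWrite.All` and `Alert.ReadWrite` alongside the read-only permissions for an endpoint that only supports GET with an empty body, and nothing says which is least privileged. Order the rows from least to most privileged, or add a sentence recommending `Alert.Read.All` / `Alert.Read`, so integrations are not registered with write access they do not need. The note describes machine-group filtering only for tokens obtained with user credentials; state whether application tokens see all alerts. Wording: "that the user have access to" should be "that the user has access to", and "If IP do not exist" should be "If the IP does not exist".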
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
index 32e5f6f95e..3502e90557 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get IP related alerts API
+# Get IP related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given IP address.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..3c68f72daf
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,122 @@
+---
+title: Get IP related machines API
+description: Retrieves a collection of machines related to a given IP address.
+keywords: apis, graph api, supported apis, get, ip, related, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP related machines API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves a collection of machines that communicated with or from a particular IP.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "lastSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
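Review bot: the Response section's "If IP do not exist - 404 Not Found" does not define what it means for an IP to exist. State whether an address that no machine has communicated with returns 404 or 200 with an empty `value` array, because clients have to handle the two differently. The front-matter description ("related to a given IP address") also disagrees with the body ("communicated with or from a particular IP"); use one definition in both places.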
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
index acbfa51a4a..72071848e6 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
@@ -37,8 +37,7 @@ Content type | application/json
Empty
## Response
-If successful and IP and machines exists - 200 OK.
-If IP or machines do not exist - 404 Not Found.
+If successful and IP and machines exists - 200 OK. If IP or machines do not exist - 404 Not Found.
## Example
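Review bot: joining the two sentences onto one line keeps the agreement error in "IP and machines exists". Since the line is being rewritten anyway, change it to "exist".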
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..763444713a
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,85 @@
+---
+title: Get IP statistics API
+description: Retrieves the prevalence for the given IP.
+keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP statistics API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+
+Retrieves the prevalence for the given IP.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ip.Read.All | 'Read IP address profiles'
+Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}/stats
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and ip exists - 200 OK with statistical data in the body. IP do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
+ "ipAddress": "10.209.67.177",
+ "orgPrevalence": "63515",
+ "orgFirstSeen": "2017-07-30T13:36:06Z",
+ "orgLastSeen": "2017-08-29T13:32:59Z"
+}
+```
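Review bot: the Response sentence is broken: "If successful and ip exists - 200 OK with statistical data in the body. IP do not exist - 404 Not Found." The second sentence has lost its "If" and "ip" should be capitalized; suggest "If the IP does not exist - 404 Not Found." "Statistical data" is also the only description of the payload, so add a short field list (`orgPrevalence`, `orgFirstSeen`, `orgLastSeen`) and note that `orgPrevalence` is returned as a string if the quoted "63515" in the sample is accurate.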
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..4211bbbb1f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,102 @@
+---
+title: Get machine by ID API
+description: Retrieves a machine entity by ID.
+keywords: apis, graph api, supported apis, get, machines, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machine by ID API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a machine entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+
+## HTTP request
+```
+GET /api/machines/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK with the [machine](machine-windows-defender-advanced-threat-protection-new.md) entity in the body.
+If machine with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+}
+
+```
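Review bot: "Retrieves a machine entity by ID." is added on the line directly after the "- Windows Defender Advanced Threat Protection (Windows Defender ATP)" bullet with no blank line between them, so Markdown will fold the description into the list item. Add an empty line after the bullet. The prerelease include also sits above **Applies to:** here, while the file and IP pages in this patch place it below; use one order throughout.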
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
index 078641587d..66f525a094 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get machine by ID API
+# Get machine by ID API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a machine entity by ID.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..93e70b3e10
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,104 @@
+---
+title: Get machine log on users API
+description: Retrieves a collection of logged on users.
+keywords: apis, graph api, supported apis, get, machine, log on, users
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machine log on users API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a collection of logged on users.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | User.Read.All | 'Read user profiles'
+Delegated (work or school account) | User.Read.All | 'Read user profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include users only if the machine is visible to the user, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/machines/{id}/logonusers
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exist - 200 OK with list of [user](user-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users",
+ "value": [
+ {
+ "id": "contoso\\user1",
+ "firstSeen": "2018-08-02T00:00:00Z",
+ "lastSeen": "2018-08-04T00:00:00Z",
+ "mostPrevalentMachineId": null,
+ "leastPrevalentMachineId": null,
+ "logonTypes": "Network",
+ "logOnMachinesCount": 3,
+ "isDomainAdmin": false,
+ "isOnlyNetworkUser": null
+ },
+ {
+ "id": "contoso\\user2",
+ "firstSeen": "2018-08-02T00:00:00Z",
+ "lastSeen": "2018-08-05T00:00:00Z",
+ "mostPrevalentMachineId": null,
+ "leastPrevalentMachineId": null,
+ "logonTypes": "Network",
+ "logOnMachinesCount": 3,
+ "isDomainAdmin": false,
+ "isOnlyNetworkUser": null
+ }
+ ]
+}
+```
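Review bot: the example request URL is missing the `machines` path segment. It reads `https://api.securitycenter.windows.com/api/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers`, but the HTTP request section defines `GET /api/machines/{id}/logonusers`. Change it to `https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers`. In the Response section, "If successful and machine exist" should be "exists".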
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
index 0bf2c47c64..13530b98e5 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get machine log on users API
+# Get machine log on users API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of logged on users.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..65ee88ebb5
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,105 @@
+---
+title: Get machine related alerts API
+description: Retrieves a collection of alerts related to a given machine ID.
+keywords: apis, graph api, supported apis, get, machines, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machine related alerts API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a collection of alerts related to a given machine ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/machines/{id}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "636692391408655573_2010598859",
+ "severity": "Low",
+ "status": "New",
+ "description": "test alert",
+ "recommendedAction": "do this and that",
+ "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+ "category": "None",
+ "title": "test alert",
+ "threatFamilyName": null,
+ "detectionSource": "CustomerTI",
+ "classification": null,
+ "determination": null,
+ "assignedTo": null,
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+ "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+ "actorName": null,
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+ }
+ ]
+}
+```
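Review bot: the permission note says the user needs access to the machine based on machine group settings, but the Response section only covers 200 and 404. Document what a caller receives when the machine exists but is outside their machine groups, because scripts that treat 404 as "no such machine" will otherwise misread an authorization failure. Separately, "Retrieves a collection of alerts related to a given machine ID." directly follows the Applies to bullet with no blank line, so it will render as part of the list item.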
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
index 4d976968c0..4803e86973 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get machine related alerts API
+# Get machine related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given machine ID.
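Review bot: the blank line after the Applies-to bullet is replaced by the `[!include[Deprecated information](deprecate.md)]` line, which leaves the include wedged between the list item and "Retrieves a collection of alerts..." with no blank line on either side; keep an empty line before and after the include so it renders as its own block rather than as a continuation of the list item.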
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..96a4953581
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,90 @@
+---
+title: Get MachineAction object API
+description: Use this API to create calls related to get machineaction object
+keywords: apis, graph api, supported apis, machineaction object
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machineAction API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Get action performed on a machine.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machineactions/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity. If machine action entity with the specified id was not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
+ "relatedFileInfo": null
+}
+
+
+```
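Review bot: the user-credentials note under Permissions lists only the 'View Data' role, while the sibling pages in this patch that return per-machine data also state that the user needs access to the machine based on machine group settings; the response here carries machineId and requestor, so confirm whether machine group scoping applies and document it either way. Minor: the status line in the response example should read `HTTP/1.1 200 OK`, and the two empty lines before the closing fence can be dropped.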
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
index 2c94ca5628..b3ed113094 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get MachineAction object API
+# Get MachineAction object API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Get actions done on a machine.
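Review bot: the include label here is spelled `Deprecatedinformation`, while the same include in the get-machine-related-alerts page uses `Deprecated information`; pick one spelling across the deprecated pages (the new pages show the same drift between `Prereleaseinformation` and `Prerelease information`).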
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..5a137cb5a8
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,169 @@
+---
+title: List machineActions API
+description: Use this API to create calls related to get machineactions collection
+keywords: apis, graph api, supported apis, machineaction collection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List MachineActions API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+ Gets collection of actions done on machines.
+ Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machineactions
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a collection of [machineAction](machineaction-windows-defender-advanced-threat-protection-new.md) entities.
+
+
+## Example 1
+
+**Request**
+
+Here is an example of the request on an organization that has three MachineActions.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
+ "value": [
+ {
+ "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
+ "type": "CollectInvestigationPackage",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "test",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
+ "relatedFileInfo": null
+ },
+ {
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
+ "relatedFileInfo": null
+ },
+ {
+ "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
+ "type": "StopAndQuarantineFile",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "test",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z",
+ "relatedFileInfo": {
+ "fileIdentifier": "a0c659857ccbe457fdaf5fe21d54efdcbf6f6508",
+ "fileIdentifierType": "Sha1"
+ }
+ }
+ ]
+}
+```
+
+## Example 2
+
+**Request**
+
+Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions.
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2
+```
+
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
+ "value": [
+ {
+ "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
+ "type": "CollectInvestigationPackage",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "test",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
+ "relatedFileInfo": null
+ },
+ {
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
+ "relatedFileInfo": null
+ }
+ ]
+}
+```
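Review bot: Example 2 says the request "shows the latest two MachineActions", but the query carries only `$filter` and `$top=2` with no `$orderby`, so nothing in the request asks for newest-first; either add an ordering clause on creationDateTimeUtc (if the API supports it) or reword to "returns two MachineActions". The spaces and quotes in the `$filter` value need URL encoding when a client sends them, which deserves a one-line remark. The `[!include[Improve request performance]...]` line sits under Response in Example 2 but under Request in Example 1.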
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
index c86ead0780..0983daee3c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get MachineActions collection API
+# Get MachineActions collection API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Gets collection of actions done on machines. Get MachineAction collection API supports OData V4 queries.
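Review bot: the heading gains "(deprecated)" but nothing in the visible lines tells the reader where to go instead; unless deprecate.md already links to it, add a pointer to the new List MachineActions API page next to the include.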
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..5d41431d83
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,124 @@
+---
+title: List machines API
+description: Retrieves a collection of recently seen machines.
+keywords: apis, graph api, supported apis, get, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List machines API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
+Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId"
+
+## Permissions
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If no recent machines - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "lastSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
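Review bot: the response example uses what look like routable public addresses in lastExternalIpAddress ("167.220.196.71", "79.183.65.82"); swap them for documentation ranges such as 203.0.113.0/24 or 198.51.100.0/24 (RFC 5737) so the sample does not point at real hosts. Also in this hunk: "on the last 30 days" should be "in the last 30 days", "machines,that the user have access to" needs a space and "has", and the Permissions section lacks the "One of the following permissions is required..." intro that the other pages carry. Returning 404 Not Found for an empty collection is unusual; confirm that this is the actual behaviour rather than 200 with an empty value array.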
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
index d442db809b..2aae8e0d5d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get machines API
+# Get machines API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of recently seen machines.
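Review bot: `ms.date: 12/08/2017` in the context is left untouched even though the page is being marked deprecated; bump the date here and in the other deprecated pages so readers can tell when the status changed.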
diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..6b90d0ff62
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,84 @@
+---
+title: Get package SAS URI API
+description: Use this API to get a URI that allows downloading an investigation package.
+keywords: apis, graph api, supported apis, get package, sas, uri
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get package SAS URI API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Get a URI that allows downloading of an [investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.CollectForensics | 'Collect forensics'
+Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
+
+```
+
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.String",
+ "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
+}
+
+
+```
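Review bot: the response example publishes a complete download URL with a long `token=` query value; even if it has expired, replace it with a short placeholder such as `token=<redacted>` so the page does not model pasting SAS links into docs or tickets. The text says the link "is valid for a very short time" without a figure; state the lifetime so callers know when to request a fresh URI. The request template uses `getPackageUri` and the example `GetPackageUri`, and the example id is a 40-character hex string while machine action ids elsewhere in this patch are GUIDs; align both. The `value` string also carries escaped inner quotes (`\"https://...\"`) that a client would have to strip; if that matches the real response, say so in the Response section.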
diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
index 60f0e29f88..688491a75d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get package SAS URI API
+# Get package SAS URI API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Get a URI that allows downloading of an investigation package.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..ccd438a908
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,92 @@
+---
+title: Get Ti Indicator by ID API
+description: Retrieves Ti Indicator entity by ID.
+keywords: apis, public api, supported apis, get, ti indicator, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get TI Indicator by ID API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a TI Indicator entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
+
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/tiindicators/{id}
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and TI Indicator exists - 200 OK with the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the body.
+If TI Indicator with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators/$entity",
+ "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
+ "createdBy": "45097602-0cfe-4cc6-925f-9f453233e62c",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "TEST"
+}
+
+```
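Review bot: the only permission listed for this read-only GET is Ti.ReadWrite, so an app that just needs to look up an indicator must hold write access to indicators; if no read-only permission exists, say so explicitly, otherwise list it. Formatting: "Retrieves a TI Indicator entity by ID." follows the Applies-to bullet with no blank line and will render as part of the list item, and the front-matter title uses "Ti Indicator" where the heading uses "TI Indicator".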
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..d2c398ee0f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,109 @@
+---
+title: List TiIndicators API
+description: Use this API to create calls related to get TiIndicators collection
+keywords: apis, public api, supported apis, TiIndicators collection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List TiIndicators API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+ Gets collection of TI Indicators.
+ Get TI Indicators collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
+
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/tiindicators
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a collection of [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
+
+>[!Note]
+> The response will only include TI Indicators that submitted by the calling Application.
+
+
+## Example
+
+**Request**
+
+Here is an example of a request that gets all TI Indicators
+
+```
+GET https://api.securitycenter.windows.com/api/tiindicators
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators",
+ "value": [
+ {
+ "indicator": "12.13.14.15",
+ "indicatorType": "IpAddress",
+ "title": "test",
+ "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
+ "createdBy": "45097602-1234-5678-1234-9f453233e62c",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "test"
+ },
+ {
+ "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
+ "createdBy": "45097602-1234-5678-1234-9f453233e62c",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "TEST"
+ }
+ ]
+}
+```
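Review bot: the sample entry for indicator 220e7d15b0b3d7fac48f2bd61114db1022197f7f shows createdBy "45097602-1234-5678-1234-9f453233e62c" here, but the Get TI Indicator by ID page in this patch shows "45097602-0cfe-4cc6-925f-9f453233e62c" for the same indicator and creation time; use one value in both, preferably the placeholder-style one. The note "that submitted by the calling Application" should read "that were submitted by the calling application". The page advertises OData V4 query support but, unlike the List machines page, does not say which fields can be filtered and has no filtered example.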
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..ef4ed492c9
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,85 @@
+---
+title: Get user information API
+description: Retrieve a User entity by key such as user name or domain.
+keywords: apis, graph api, supported apis, get, user, user information
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get user information API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Retrieve a User entity by key (user name).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | User.Read.All | 'Read all user profiles'
+
+## HTTP request
+```
+GET /api/users/{id}/
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and user exists - 200 OK with [user](user-windows-defender-advanced-threat-protection-new.md) entity in the body. If user does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/users/user1
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
+ "id": "user1",
+ "firstSeen": "2018-08-02T00:00:00Z",
+ "lastSeen": "2018-08-04T00:00:00Z",
+ "mostPrevalentMachineId": null,
+ "leastPrevalentMachineId": null,
+ "logonTypes": "Network",
+ "logOnMachinesCount": 3,
+ "isDomainAdmin": false,
+ "isOnlyNetworkUser": null
+}
+```
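Review bot: the front-matter description says the key can be "user name or domain", the body says "by key (user name)", and the deprecated page documents "user name or domain\user"; state which key formats `{id}` accepts so callers migrating from the old API know whether domain-qualified names still work. The request template is relative with a trailing slash (`GET /api/users/{id}/`) while the example is absolute with none, and the example request sends `Content-type: application/json` on a GET whose body is documented as empty; drop the header and align the paths.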
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
index c4dfae50e6..86880c519e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get user information API
+# Get user information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieve a User entity by key (user name or domain\user).
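Review bot: ms.date is left at 12/08/2017 in the front matter context of this hunk even though the heading is changed to "(deprecated)". The same deprecation edit on the user related alerts page bumps ms.date to 11/15/2018, so update it here as well to keep the deprecated pages consistent and to signal that the content changed.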
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..86bbb39785
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,125 @@
+---
+title: Get user related alerts API
+description: Retrieves a collection of alerts related to a given user ID.
+keywords: apis, graph api, supported apis, get, user, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get user related alerts API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves a collection of alerts related to a given user ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/users/{id}/alerts
+```
+
+**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) **
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and user exist - 200 OK. If the user do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/users/user1/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 1",
+ "recommendedAction": "Some recommended action 1",
+ "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 1",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+ },
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 2",
+ "recommendedAction": "Some recommended action 2",
+ "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 2",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+ }
+ ]
+}
+```
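Review bot: both alerts in the example response carry the same id, 636688558380765161_2136280442, although their description, timestamps and machineId differ. Give the second entry a distinct id so readers do not conclude that alert ids can repeat within one collection. Two smaller points in the same file: the bold note under the HTTP request ends with a space before the closing ** ("/api/users/user1/alerts) **"), so the bold span will not close under CommonMark rules, and the Response section reads "user exist" and "the user do not exist" where the sibling pages use "exists" and "does not exist".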
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
index aadcc3dd2b..ec40578526 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
@@ -11,16 +11,16 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 12/08/2017
+ms.date: 11/15/2018
---
-# Get user related alerts API
+# Get user related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given user ID.
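Review bot: the blank line after the "Applies to" bullet is replaced by the [!include[Deprecated information](deprecate.md)] line, which leaves the include with no blank line before it and none before "Retrieves a collection of alerts related to a given user ID." A Markdown parser can treat both lines as lazy continuation text of the list item, so the deprecation notice may render inside the bullet instead of as its own block. Keep a blank line on each side of the include.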
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..9e0f217156
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,124 @@
+---
+title: Get user related machines API
+description: Retrieves a collection of machines related to a given user ID.
+keywords: apis, graph api, supported apis, get, user, user related alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get user related machines API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves a collection of machines related to a given user ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/users/{id}/machines
+```
+
+**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) **
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and user exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If user does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/users/user1/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "lastSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
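Review bot: the example response uses publicly routable addresses for lastExternalIpAddress (167.220.196.71 and 79.183.65.82). Sample output in documentation should use the ranges reserved for that purpose in RFC 5737 (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so it does not point at real hosts. Separately, the front matter keywords end with "user related alerts", which looks copied from the alerts page; this page is about machines. The bold note under the HTTP request also has a space before the closing **, which prevents the bold span from closing.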
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
index 1b66f1961a..11f719ebd8 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get user related machines API
+# Get user related machines API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of machines related to a given user ID.
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png
index a4a07d3b92..4449661657 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png
new file mode 100644
index 0000000000..867fb4d976
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png
new file mode 100644
index 0000000000..51588e0bdc
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png
new file mode 100644
index 0000000000..f33aa04682
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png
new file mode 100644
index 0000000000..1f15b39220
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png
new file mode 100644
index 0000000000..b42c9ec193
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png
new file mode 100644
index 0000000000..89e20f3a67
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png
new file mode 100644
index 0000000000..1f7f423e49
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png
new file mode 100644
index 0000000000..eb866e3cce
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png
new file mode 100644
index 0000000000..05d76ec807
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png
new file mode 100644
index 0000000000..92f46bf116
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png
new file mode 100644
index 0000000000..859e4fa8a3
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png
new file mode 100644
index 0000000000..2114b14c4d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png
new file mode 100644
index 0000000000..d5fdf37ac2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png
new file mode 100644
index 0000000000..d060becd5b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png
new file mode 100644
index 0000000000..62c96acf75
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png
new file mode 100644
index 0000000000..7098c8a543
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png
new file mode 100644
index 0000000000..5c340e3138
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png
new file mode 100644
index 0000000000..b94ee3a009
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png
new file mode 100644
index 0000000000..dce1698521
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png
new file mode 100644
index 0000000000..049d3ed6ee
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png
new file mode 100644
index 0000000000..054470d70e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png
new file mode 100644
index 0000000000..00a8756c43
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png
new file mode 100644
index 0000000000..8123965c84
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png
new file mode 100644
index 0000000000..40f15eb65a
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png
new file mode 100644
index 0000000000..38e98ce07d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png
new file mode 100644
index 0000000000..4ddb1fae83
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png
new file mode 100644
index 0000000000..a091db0189
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png
new file mode 100644
index 0000000000..be98e49216
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png
new file mode 100644
index 0000000000..47203a8151
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png
new file mode 100644
index 0000000000..1b8396b50e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png
new file mode 100644
index 0000000000..103081f82c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png
new file mode 100644
index 0000000000..b7c7e0926f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png
new file mode 100644
index 0000000000..8edc069eaf
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png
new file mode 100644
index 0000000000..c813929e31
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md
new file mode 100644
index 0000000000..afb2f9bbdd
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md
@@ -0,0 +1,23 @@
+---
+title:
+description:
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 04/24/2018
+---
+
+# Improve request performance
+
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
\ No newline at end of file
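Review bot: the front matter adds title, description and keywords with empty values. If this file is only consumed through [!include], either drop those keys or fill them in, since empty metadata can surface as a blank page title if the file is ever published on its own. The note text "you can use server closer to your geo location" reads better as "you can use the server closest to your geographic location", and the file is missing a newline at the end.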
diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..066dac83dd
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,80 @@
+---
+title: Is domain seen in org API
+description: Use this API to create calls related to checking whether a domain was seen in the organization.
+keywords: apis, graph api, supported apis, domain, domain seen
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 04/24/2018
+---
+
+# Was domain seen in org
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Answers whether a domain was seen in the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Url.Read.All | 'Read URLs'
+Delegated (work or school account) | URL.Read.All | 'Read URLs'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK. If domain does not exist - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/domains/example.com
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Domains/$entity",
+ "host": "example.com"
+}
+```
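Review bot: the permissions table spells the same scope two ways, Url.Read.All in the Application row and URL.Read.All in the Delegated row. Readers copy these names into app registrations and token checks, so confirm the exact casing and use it in both rows. The front matter title is "Is domain seen in org API" while the heading is "Was domain seen in org", and the request headers table uses Header and Value columns where the sibling pages use Name, Type and Description; aligning both would keep the API reference consistent.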
diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
index 892fc60bd3..6dee679614 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
@@ -14,9 +14,14 @@ ms.localizationpriority: medium
ms.date: 04/24/2018
---
-# Is domain seen in org
+# Is domain seen in org (deprecated)
Answers whether a domain was seen in the organization.
+[!include[Deprecatedinformation](deprecate.md)]
+
+
+
+
## Permissions
User needs read permissions.
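Review bot: the deprecation include is added directly under the description sentence with no blank line between them and is followed by four added empty lines. On the other deprecated pages in this change the include sits above the description, and the link text there is "Deprecated information" rather than "Deprecatedinformation". Move the include above "Answers whether a domain was seen in the organization.", separate it with a single blank line on each side, and drop the extra empty lines.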
diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..fc6b531fc1
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,81 @@
+---
+title: Is IP seen in org API
+description: Answers whether an IP was seen in the organization.
+keywords: apis, graph api, supported apis, is, ip, seen, org, organization
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Was IP seen in org
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Answers whether an IP was seen in the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ip.Read.All | 'Read IP address profiles'
+Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP exists - 200 OK. If IP do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177
+```
+
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Ips/$entity",
+ "id": "10.209.67.177"
+}
+```
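Review bot: the [!include[Improve request performance](improverequestperformance-new.md)] line is placed under **Response**, after "Here is an example of the response.", whereas the other new API pages in this change place it under **Request**. The note is about which server to send the request to, so move it above the example request. The Response section also reads "If IP do not exist"; it should be "does not exist". The front matter title "Is IP seen in org API" and the heading "Was IP seen in org" disagree as well.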
diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
index d006cede0b..42887d7fa8 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Is IP seen in org
+# Is IP seen in org (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Answers whether an IP was seen in the organization.
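Review bot: The added `[!include[Deprecatedinformation](deprecate.md)]` replaces the blank line that separated the **Applies to** list from the description, so the include now directly follows the list item and directly precedes "Answers whether an IP was seen in the organization." with no blank line on either side. Keep a blank line before and after the include so it is not rendered as a continuation of the list item. The label is also written without a space here, while the isolate machine hunk uses "Deprecated information"; pick one form.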
diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..696d961f94
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,108 @@
+---
+title: Isolate machine API
+description: Use this API to create calls related isolating a machine.
+keywords: apis, graph api, supported apis, isolate machine
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Isolate machine API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Isolates a machine from accessing external network.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Isolate | 'Isolate machine'
+Delegated (work or school account) | Machine.Isolate | 'Isolate machine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/isolate
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'Selective'.
+
+**IsolationType** controls the type of isolation to perform and can be one of the following:
+- Full – Full isolation
+- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) for more details)
+
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate
+Content-type: application/json
+{
+ "Comment": "Isolate machine due to alert 1234",
+ “IsolationType”: “Full”
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "b89eb834-4578-496c-8be0-03f004061435",
+ "type": "Isolate",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "Isolate machine due to alert 1234",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2017-12-04T12:12:18.9725659Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:12:18.9725659Z",
+ "relatedFileInfo": null
+}
+
+```
+
+To unisolate a machine, see [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md).
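Review bot: The request example body is not valid JSON: the line `“IsolationType”: “Full”` uses typographic quotes, so anyone pasting the sample into a response playbook gets a parse failure instead of an isolation action. Replace them with straight double quotes. The IsolationType row in the Request body table also has no **Required** or **Optional** marker, unlike Comment, so it is unclear which isolation type applies when the field is omitted; state the default. Smaller points: the front-matter description reads "create calls related isolating a machine" (missing "to"), and the sample `"requestor": "Analyst@contoso.com "` carries a trailing space.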
diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
index 61cfbb1c6f..c7b6c877d3 100644
--- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Isolate machine API
+# Isolate machine API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Isolates a machine from accessing external network.
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..8c70bf4419
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,47 @@
+---
+title: Machine resource type
+description: Retrieves top machines
+keywords: apis, supported apis, get, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 11/11/2018
+---
+
+# Machine resource type
+
+
+# Methods
+Method|Return Type |Description
+:---|:---|:---
+[List machines](get-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | List set of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the org.
+[Get machine](get-machine-by-id-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) | Get a [machine](machine-windows-defender-advanced-threat-protection-new.md) by its identity.
+[Get logged on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) | [user](user-windows-defender-advanced-threat-protection-new.md) collection | Get the set of [User](user-windows-defender-advanced-threat-protection-new.md) that logged on to the [machine](machine-windows-defender-advanced-threat-protection-new.md).
+[Get related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the set of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that were raised on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
+[Add or Remove machine tags](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) | Add or Remove tag to a specific machine.
+[Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Find machines seen with IP.
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+id | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) identity.
+computerDnsName | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) fully qualified name.
+firstSeen | DateTimeOffset | First date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
+lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
+osPlatform | String | OS platform.
+osVersion | String | OS Version.
+lastIpAddress | Ip | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
+lastExternalIpAddress | Ip | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
+agentVersion | String | Version of WDATP agent.
+osBuild | Int | OS build number.
+healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
+isAadJoined | Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
+machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.
+rbacGroupId | Int | Group ID.
+riskScore | String | Risk score as evaludated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
+aadDeviceId | String | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
\ No newline at end of file
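Review bot: The riskScore row misspells "evaluated" as "evaludated". The front-matter description "Retrieves top machines" describes a list call rather than a resource type page, and `# Methods` and `# Properties` are level-1 headings under the level-1 page title where the API pages in this change use `##` for sections. The page has no **Applies to** block or prerelease include, which the machineAction resource page added in the same change does have. The file also ends without a trailing newline.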
diff --git a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..6c225819b2
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,48 @@
+---
+title: machineAction resource type
+description: Retrieves top recent machineActions.
+keywords: apis, supported apis, get, machineaction, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# MachineAction resource type
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Method|Return Type |Description
+:---|:---|:---
+[List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | List [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities.
+[Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Get a single [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity.
+[Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Collect investigation package from a [machine](machine-windows-defender-advanced-threat-protection-new.md).
+[Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Get URI for downloading the investigation package.
+[Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Isolate [machine](machine-windows-defender-advanced-threat-protection-new.md) from network.
+[Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Release [machine](machine-windows-defender-advanced-threat-protection-new.md) from Isolation.
+[Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Restrict application execution.
+[Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Remove application execution restriction.
+[Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Run an AV scan using Windows Defender (when applicable).
+[Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)|[Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Offboard [machine](machine-windows-defender-advanced-threat-protection-new.md) from WDATP.
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+id | Guid | Identity of the [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity.
+type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution"
+requestor | String | Identity of the person that executed the action.
+requestorComment | String | Comment that was written when issuing the action.
+status | Enum | Current status of the command. Possible values are: "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled".
+machineId | String | Id of the machine on which the action was executed.
+creationDateTimeUtc | DateTimeOffset | The date and time when the action was created.
+lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated.
+relatedFileInfo | Class | Contains two Properties. 1) string 'fileIdentifier' 2) Enum 'fileIdentifierType' with the possible values: "Sha1" ,"Sha256" and "Md5".
+
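Review bot: The `type` row lists "Offboard" as a possible value, but the sample response on the offboard machine page added in this same change returns `"type": "OffboardMachine"`. Automation that filters machine actions by type will miss one of the two, so reconcile the enum with what the service returns. The enum also lists "StopAndQuarantineFile" although the methods table has no method that produces it; either add the method or say where that action originates. The methods table has no heading, while the properties table gets `# Properties`, and the front-matter description "Retrieves top recent machineActions." describes a list call rather than the resource type.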
diff --git a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md
new file mode 100644
index 0000000000..fcbd68ecec
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md
@@ -0,0 +1,6 @@
+---
+ms.date: 08/28/2017
+author: zavidor
+---
+>[!Note]
+> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP.
diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..0200975d55
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,98 @@
+---
+title: Offboard machine API
+description: Use this API to offboard a machine from WDATP.
+keywords: apis, graph api, supported apis, collect investigation package
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Offboard machine API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Offboard machine from WDATP.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Offboard | 'Offboard machine'
+Delegated (work or school account) | Machine.Offboard | 'Offboard machine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to 'Global Admin' AD role
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/offboard
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard
+Content-type: application/json
+{
+ "Comment": "Offboard machine by automation"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "c9042f9b-8483-4526-87b5-35e4c2532223",
+ "type": "OffboardMachine",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "offboard machine by automation",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+ "relatedFileInfo": null
+}
+
+```
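Review bot: The permissions note line ">- The user needs to 'Global Admin' AD role" is missing its verb, and this is the one line that tells readers who may remove a machine from monitoring, so it should be unambiguous, for example "The user needs to have the 'Global Admin' AD role". The front-matter keywords still say "collect investigation package", copied from another page. In the example, the request sends `"Comment": "Offboard machine by automation"` while the response shows `"requestorComment": "offboard machine by automation"`; make the casing match so readers do not assume the service rewrites comments.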
diff --git a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..1a2575ea36
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,115 @@
+---
+title: Submit or Update Ti Indicator API
+description: Use this API to submit or Update Ti Indicator.
+keywords: apis, graph api, supported apis, submit, ti, ti indicator, update
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Submit or Update TI Indicator API
+
+[!include[Prerelease information](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+- Submits or Updates new [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
+
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/tiindicators
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required**
+indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
+action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
+title | String | TI indicator alert title. **Optional**
+expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional**
+severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional**
+description | String | Description of the indicator. **Optional**
+recommendedActions | String | TI indicator alert recommended actions. **Optional**
+
+
+## Response
+- If successful, this method returns 200 - OK response code and the created / updated [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the response body.
+- If not successful: this method return 400 - Bad Request / 409 - Conflict with the failure reason. Bad request usually indicates incorrect body and Conflict can happen if you try to submit a TI Indicator with existing indicator value but with different Indicator type or Action.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.windows.com/api/tiindicators
+Content-type: application/json
+{
+ "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "TEST"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
+ "createdBy": "45097602-1234-5678-1234-9f453233e62c",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "TEST"
+}
+
+```
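Review bot: The sample response sets `"@odata.context"` to `.../api/$metadata#MachineActions/$entity`, which looks copied from the machine action pages; a TI Indicator response should not advertise the MachineActions entity set, so correct the context or confirm it against a real response. Under **Applies to**, the page description "Submits or Updates new TI Indicator entity." is formatted as a second list bullet; make it a paragraph after the list. In the Response section, "this method return" should be "this method returns", and in the severity row "possible values" should be capitalized to match the other rows. Since "AlertAndBlock" and "Allowed" change enforcement across the organization, the `action` row would benefit from one sentence on what each value does.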
diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
index 48c6104eb8..2af3d35376 100644
--- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
@@ -200,5 +200,10 @@ There are a couple of tabs on the report that's generated:
In general, if you know of a specific threat name, CVE, or KB, you can identify machines with unpatched vulnerabilities that might be leveraged by threats. This report also helps you determine whether machine-level mitigations are configured correctly on the machines and prioritize those that might need attention.
+## Related topic
+- [**Beta** Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
+
+
+
diff --git a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
index 8c0f6851d1..94706ede5a 100644
--- a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Request sample API
+# Request sample API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Request sample of a file from a specific machine. File will be collected from the machine and uploaded to a secure storage.
diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index cdc3c156e4..3ad2b9c1a8 100644
--- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -182,7 +182,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you
This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
-On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity.
+On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').
>[!NOTE]
>You’ll be able to reconnect the machine back to the network at any time.
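Review bot: The added parenthetical "(a.k.a 'Selective Isolation')" drops the final period of the abbreviation, while the next hunk writes "a.k.a."; use one form in both places. The wording here ties Selective Isolation to keeping Outlook and Skype for Business connected, whereas the isolate machine API page added in this change describes Selective as "Restrict only limited set of applications from accessing the network". Those two descriptions read differently, so align them to avoid an analyst choosing the wrong isolation level during a response.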
@@ -198,7 +198,7 @@ On Windows 10, version 1709 or later, you'll have additional control over the ne

-3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated.
+3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated (a.k.a. 'Selective Isolation').

diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..d57876fdc0
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,101 @@
+---
+title: Restrict app execution API
+description: Use this API to create calls related to restricting an application from executing.
+keywords: apis, graph api, supported apis, collect investigation package
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Restrict app execution API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information)
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.RestrictExecution | 'Restrict code execution'
+Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/restrictCodeExecution
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution
+Content-type: application/json
+{
+ "Comment": "Restrict code execution due to alert 1234"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "78d408d1-384c-4c19-8b57-ba39e378011a",
+ "type": "RestrictCodeExecution",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "Restrict code execution due to alert 1234",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
+ "relatedFileInfo": null
+}
+
+```
+
+To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md).
+
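Review bot: The front-matter keywords line still reads "collect investigation package", copied from another page; replace it with terms for restricting app execution. The `[!include[Improve request performance](improverequestperformance-new.md)]` line sits under **Response** in the Example section, although it is request guidance and the isolate machine page puts it under **Request**. The link text "Response machine alerts" in the opening description should match the target topic, and that sentence has no closing period. The sample `"requestor": "Analyst@contoso.com "` carries a trailing space.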
diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
index 3eb57786f8..1722b1f921 100644
--- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,12 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Restrict app execution API
+# Restrict app execution API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Restrict execution of set of predefined applications.
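Review bot: The include label added here is `Deprecatedinformation` with no space, while the run-antivirus-scan and stop-and-quarantine pages in this same patch use `Deprecated information`; the supported-APIs page repeats the unspaced form. Pick one spelling for all deprecated pages so the includes can be found with a single search.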
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md
new file mode 100644
index 0000000000..8decfce57c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md
@@ -0,0 +1,151 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Advanced hunting API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+
+This API allows you to run programmatic queries that you are used to running from [Windows Defender ATP Portal](https://securitycenter.windows.com/hunting).
+
+
+## Limitations
+This API is a beta version only and is currently restricted to the following actions:
+1. You can only run a query on data from the last 30 days
+2. The results will include a maximum of 10,000 rows
+3. The number of executions is limited (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day)
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | AdvancedQuery.Read.All | 'Run advanced queries'
+Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have 'Global Admin' AD role (note: will be updated soon to 'View Data')
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/advancedqueries/run
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content-Type | application/json
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Query | Text | The query to run. **Required**.
+
+## Response
+If successful, this method returns 200 OK, and _QueryResponse_ object in the response body.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+POST https://api.securitycenter.windows.com/api/advancedqueries/run
+Content-type: application/json
+{
+ "Query":"ProcessCreationEvents
+| where InitiatingProcessFileName =~ \"powershell.exe\"
+| where ProcessCommandLine contains \"appdata\"
+| project EventTime, FileName, InitiatingProcessFileName
+| limit 2"
+}
+```
+
+Response
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+{
+ "Schema": [{
+ "Name": "EventTime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "FileName",
+ "Type": "String"
+ },
+ {
+ "Name": "InitiatingProcessFileName",
+ "Type": "String"
+ }],
+ "Results": [{
+ "EventTime": "2018-07-09T07:16:26.8017265",
+ "FileName": "csc.exe",
+ "InitiatingProcessFileName": "powershell.exe"
+ },
+ {
+ "EventTime": "2018-07-08T19:00:02.7798905",
+ "FileName": "gpresult.exe",
+ "InitiatingProcessFileName": "powershell.exe"
+ }]
+}
+
+
+```
+
+## Troubleshoot issues
+
+- Error: (403) Forbidden
+
+
+ If you get this error when calling Windows Defender ATP API, your token might not include the necessary permission.
+
+ Check [app permissions](exposed-apis-create-app-webapp.md#validate-the-token) or [delegated permissions](exposed-apis-create-app-nativeapp.md#validate-the-token) included in your token.
+
+ If the 'roles' section in the token does not include the necessary permission:
+
+ - The necessary permission to your app might not have been granted. For more information, see [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md#create-an-app) or [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md#create-an-app) or,
+ - The app was not authorized in the tenant, see [Application consent](exposed-apis-create-app-webapp.md#application-consent).
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting from Portal](advanced-hunting-windows-defender-advanced-threat-protection.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
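Review bot: The request example under "Example" breaks the `"Query"` string across five physical lines, and raw line breaks inside a string are not valid JSON, so the body cannot be copied as shown. Put the query on one line or write the breaks as `\n` escapes. In the Permissions note, requiring the 'Global Admin' AD role for a delegated token is much broader than a read-only query needs; the text already says this will change to 'View Data', so mark it clearly as a temporary restriction so that readers do not treat Global Admin as the intended grant. The Limitations list is introduced as "restricted to the following actions" although its items are limits, not actions.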
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md
new file mode 100644
index 0000000000..d5e16fbf5a
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md
@@ -0,0 +1,88 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/24/2018
+---
+
+# Schedule Advanced Hunting using Microsoft Flow
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Schedule advanced query.
+
+## Before you begin
+You first need to [create an app](apis-intro.md).
+
+## Use case
+
+A common scenario is scheduling an advanced query and using the results for follow up actions and processing.
+In this section we share sample for this purpose using [Microsoft Flow](https://flow.microsoft.com/) (or [Logic Apps](https://azure.microsoft.com/en-us/services/logic-apps/)).
+
+## Define a flow to run query and parse results
+
+Use the following basic flow as an example.
+
+1. Define the trigger – Recurrence by time.
+
+2. Add an action: Select HTTP.
+
+ 
+
+ - Set method to be POST
+ - Uri is https://api.securitycenter.windows.com/api/advancedqueries/run or one of the region specific locations
+ - US: https://api-us.securitycenter.windows.com/api/advancedqueries/run
+ - Europe: https://api-eu.securitycenter.windows.com/api/advancedqueries/run
+ - United Kingdom: https://api-uk.securitycenter.windows.com/api/advancedqueries/run
+ - Add the Header: Content-Type application/json
+ - In the body write your query surrounded by single quotation mark (')
+ - In the Advanced options select Authentication to be Active Directory OAuth
+ - Set the Tenant with proper AAD Tenant Id
+ - Audience is https://api.securitycenter.windows.com
+ - Client ID is your application ID
+ - Credential Type should be Secret
+ - Secret is the application secret generated in the Azure Active directory.
+
+ 
+
+3. You can use the "Parse JSON" action to get the schema of data – just "use sample payload to generate schema" and copy an output from of the expected result.
+
+ 
+
+## Expand the flow to use the query results
+
+The following section shows how to use the parsed results to insert them in SQL database.
+
+This is an example only, you can use other actions supported by Microsoft Flow.
+
+- Add an 'Apply to each' action
+- Select the Results json (which was an output of the last parse action)
+- Add an 'Insert row' action – you will need to supply the connection details
+- Select the table you want to update and define the mapping between the WD-ATP output to the SQL. Note it is possible to manipulate the data inside the flow. In the example I changed the type of the EventTime.
+
+
+
+The output in the SQL DB is getting updates and can be used for correlation with other data sources. You can now read from your table:
+
+
+
+## Full flow definition
+
+You can find below the full definition
+
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
\ No newline at end of file
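Review bot: Step 2 says to write the query in the body "surrounded by single quotation mark (')", but the API page added in this patch defines the request body as a JSON object with a required `Query` parameter; show the exact body the HTTP action has to send so the two pages agree. The front matter `title` and `description` are copied from the API page ("Advanced Hunting API", "Use this API to run advanced queries") and do not describe this scheduling walkthrough. Smaller points: "copy an output from of the expected result" has a stray word, "In the example I changed the type of the EventTime" switches to first person, and the file ends without a newline.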
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md
new file mode 100644
index 0000000000..ce6ccb012c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md
@@ -0,0 +1,134 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Create custom reports using Power BI (app authentication)
+
+Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
+
+In this section we share Power BI query sample to run a query using **application token**.
+
+If you want to use **user token** instead please refer to [this](run-advanced-query-sample-power-bi-user-token.md) tutorial.
+
+>**Prerequisite**: You first need to [create an app](exposed-apis-create-app-webapp.md).
+
+## Run a query
+
+- Open Microsoft Power BI
+
+- Click **Get Data** > **Blank Query**
+
+ 
+
+- Click **Advanced Editor**
+
+ 
+
+- Copy the below and paste it in the editor, after you update the values of TenantId, AppId, AppSecret, Query
+
+ ```
+ let
+
+ TenantId = "00000000-0000-0000-0000-000000000000", // Paste your own tenant ID here
+ AppId = "11111111-1111-1111-1111-111111111111", // Paste your own app ID here
+ AppSecret = "22222222-2222-2222-2222-222222222222", // Paste your own app secret here
+ Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", // Paste your own query here
+
+ ResourceAppIdUrl = "https://api.securitycenter.windows.com",
+ OAuthUrl = Text.Combine({"https://login.windows.net/", TenantId, "/oauth2/token"}, ""),
+
+ Resource = Text.Combine({"resource", Uri.EscapeDataString(ResourceAppIdUrl)}, "="),
+ ClientId = Text.Combine({"client_id", AppId}, "="),
+ ClientSecret = Text.Combine({"client_secret", Uri.EscapeDataString(AppSecret)}, "="),
+ GrantType = Text.Combine({"grant_type", "client_credentials"}, "="),
+
+ Body = Text.Combine({Resource, ClientId, ClientSecret, GrantType}, "&"),
+
+ AuthResponse= Json.Document(Web.Contents(OAuthUrl, [Content=Text.ToBinary(Body)])),
+ AccessToken= AuthResponse[access_token],
+ Bearer = Text.Combine({"Bearer", AccessToken}, " "),
+
+ AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run",
+
+ Response = Json.Document(Web.Contents(
+ AdvancedHuntingUrl,
+ [
+ Headers = [#"Content-Type"="application/json", #"Accept"="application/json", #"Authorization"=Bearer],
+ Content=Json.FromValue([#"Query"=Query])
+ ]
+ )),
+
+ TypeMap = #table(
+ { "Type", "PowerBiType" },
+ {
+ { "Double", Double.Type },
+ { "Int64", Int64.Type },
+ { "Int32", Int32.Type },
+ { "Int16", Int16.Type },
+ { "UInt64", Number.Type },
+ { "UInt32", Number.Type },
+ { "UInt16", Number.Type },
+ { "Byte", Byte.Type },
+ { "Single", Single.Type },
+ { "Decimal", Decimal.Type },
+ { "TimeSpan", Duration.Type },
+ { "DateTime", DateTimeZone.Type },
+ { "String", Text.Type },
+ { "Boolean", Logical.Type },
+ { "SByte", Logical.Type },
+ { "Guid", Text.Type }
+ }),
+
+ Schema = Table.FromRecords(Response[Schema]),
+ TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
+ Results = Response[Results],
+ Rows = Table.FromRecords(Results, Schema[Name]),
+ Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
+
+ in Table
+
+ ```
+
+- Click **Done**
+
+ 
+
+- Click **Edit Credentials**
+
+ 
+
+- Select **Anonymous** and click **Connect**
+
+ 
+
+- Repeat the previous step for the second URL
+
+- Click **Continue**
+
+ 
+
+- Select the privacy level you want and click **Save**
+
+ 
+
+- View the results of your query
+
+ 
+
+## Related topic
+- [Create custom Power BI reports with user authentication](run-advanced-query-sample-power-bi-user-token.md)
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
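Review bot: In `TypeMap`, the row `{ "SByte", Logical.Type }` maps a signed 8-bit integer to a boolean, which looks like a slip copied from the `Boolean` row directly above it; use a numeric type as the unsigned rows do. The sample also has the reader paste `AppSecret` as a literal into the query text and then select **Anonymous** credentials, so the secret travels with the query wherever the report is saved or shared; the page should say that, or point to a safer way of supplying it. `ms.date: 30/07/2018` is day-first, while other pages in this patch use month-first values such as `09/24/2018`. Unlike the user-authentication page, this one has no **Applies to** line and no prerelease include.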
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md
new file mode 100644
index 0000000000..b065578d98
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md
@@ -0,0 +1,115 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Create custom reports using Power BI (user authentication)
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
+
+In this section we share Power BI query sample to run a query using **user token**.
+
+If you want to use **application token** instead please refer to [this](run-advanced-query-sample-power-bi-app-token.md) tutorial.
+
+## Before you begin
+You first need to [create an app](exposed-apis-create-app-nativeapp.md).
+
+## Run a query
+
+- Open Microsoft Power BI
+
+- Click **Get Data** > **Blank Query**
+
+ 
+
+- Click **Advanced Editor**
+
+ 
+
+- Copy the below and paste it in the editor, after you update the values of Query
+
+ ```
+ let
+
+ Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId",
+
+ FormattedQuery= Uri.EscapeDataString(Query),
+
+ AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries?key=" & FormattedQuery,
+
+ Response = Json.Document(Web.Contents(AdvancedHuntingUrl)),
+
+ TypeMap = #table(
+ { "Type", "PowerBiType" },
+ {
+ { "Double", Double.Type },
+ { "Int64", Int64.Type },
+ { "Int32", Int32.Type },
+ { "Int16", Int16.Type },
+ { "UInt64", Number.Type },
+ { "UInt32", Number.Type },
+ { "UInt16", Number.Type },
+ { "Byte", Byte.Type },
+ { "Single", Single.Type },
+ { "Decimal", Decimal.Type },
+ { "TimeSpan", Duration.Type },
+ { "DateTime", DateTimeZone.Type },
+ { "String", Text.Type },
+ { "Boolean", Logical.Type },
+ { "SByte", Logical.Type },
+ { "Guid", Text.Type }
+ }),
+
+ Schema = Table.FromRecords(Response[Schema]),
+ TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
+ Results = Response[Results],
+ Rows = Table.FromRecords(Results, Schema[Name]),
+ Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
+
+ in Table
+
+ ```
+
+- Click **Done**
+
+ 
+
+- Click **Edit Credentials**
+
+ 
+
+- Select **Organizational account** > **Sign in**
+
+ 
+
+- Enter your credentials and wait to be signed in
+
+- Click **Connect**
+
+ 
+
+- View the results of your query
+
+ 
+
+## Related topic
+- [Create custom Power BI reports with app authentication](run-advanced-query-sample-power-bi-app-token.md)
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
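Review bot: `AdvancedHuntingUrl` is built as `https://api.securitycenter.windows.com/api/advancedqueries?key=` plus the escaped query and fetched with a plain `Web.Contents` call, but the API page in this patch documents only `POST https://api.securitycenter.windows.com/api/advancedqueries/run` with the query in a JSON body. Either document the `?key=` form on the API page or switch this sample to the documented endpoint, so readers are not left with an unexplained second route. The `TypeMap` table is duplicated verbatim from the app-authentication sample, including the `{ "SByte", Logical.Type }` row, so any correction has to be made in both files.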
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md
new file mode 100644
index 0000000000..76fa741ab6
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md
@@ -0,0 +1,119 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/24/2018
+---
+
+# Advanced Hunting using PowerShell
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md).
+
+In this section we share PowerShell samples to retrieve a token and use it to run a query.
+
+## Before you begin
+You first need to [create an app](apis-intro.md).
+
+## Preparation instructions
+
+- Open a PowerShell window.
+- If your policy does not allow you to run the PowerShell commands, you can run the below command:
+```
+Set-ExecutionPolicy -ExecutionPolicy Bypass
+```
+
+>For more details, see [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
+
+## Get token
+
+- Run the following:
+
+```
+$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
+$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
+$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
+
+$resourceAppIdUri = 'https://api.securitycenter.windows.com'
+$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
+$body = [Ordered] @{
+ resource = "$resourceAppIdUri"
+ client_id = "$appId"
+ client_secret = "$appSecret"
+ grant_type = 'client_credentials'
+}
+$response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop
+$aadToken = $response.access_token
+
+```
+
+where
+- $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
+- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
+- $appSecret: Secret of your AAD app
+
+## Run query
+
+Run the following query:
+
+```
+$query = 'RegistryEvents | limit 10' # Paste your own query here
+
+$url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
+$headers = @{
+ 'Content-Type' = 'application/json'
+ Accept = 'application/json'
+ Authorization = "Bearer $aadToken"
+}
+$body = ConvertTo-Json -InputObject @{ 'Query' = $query }
+$webResponse = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body -ErrorAction Stop
+$response = $webResponse | ConvertFrom-Json
+$results = $response.Results
+$schema = $response.Schema
+```
+
+- $results contains the results of your query
+- $schema contains the schema of the results of your query
+
+### Complex queries
+
+If you want to run complex queries (or multilines queries), save your query in a file and, instead of the first line in the above sample, run the below command:
+
+```
+$query = [IO.File]::ReadAllText("C:\myQuery.txt"); # Replace with the path to your file
+```
+
+## Work with query results
+
+You can now use the query results.
+
+To output the results of the query in CSV format in file file1.csv do the below:
+
+```
+$results | ConvertTo-Csv -NoTypeInformation | Set-Content file1.csv
+```
+
+To output the results of the query in JSON format in file file1.json do the below:
+
+```
+$results | ConvertTo-Json | Set-Content file1.json
+```
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
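Review bot: The preparation step `Set-ExecutionPolicy -ExecutionPolicy Bypass` is given without `-Scope`, so it applies at the default LocalMachine scope and leaves script execution policy bypassed for the whole machine after the sample has been run. Use `-Scope Process` so the change ends with the PowerShell window, and say so in the bullet. The fence under that bullet is not indented, which ends the list at that point. In "Get token", `$oAuthUri` references `$TenantId` while the variable is declared as `$tenantId`; PowerShell resolves it, but matching the case keeps the sample consistent. "Related topic" links to the Python sample but not to the Power BI samples, unlike the other pages.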
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md
new file mode 100644
index 0000000000..71784d6ccd
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md
@@ -0,0 +1,146 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Advanced Hunting using Python
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Run advanced queries using Python, see [Advanced Hunting API](run-advanced-query-api.md).
+
+In this section we share Python samples to retrieve a token and use it to run a query.
+
+>**Prerequisite**: You first need to [create an app](apis-intro.md).
+
+## Get token
+
+- Run the following:
+
+```
+
+import json
+import urllib.request
+import urllib.parse
+
+tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
+appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
+appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
+
+url = "https://login.windows.net/%s/oauth2/token" % (tenantId)
+
+resourceAppIdUri = 'https://api.securitycenter.windows.com'
+
+body = {
+ 'resource' : resourceAppIdUri,
+ 'client_id' : appId,
+ 'client_secret' : appSecret,
+ 'grant_type' : 'client_credentials'
+}
+
+data = urllib.parse.urlencode(body).encode("utf-8")
+
+req = urllib.request.Request(url, data)
+response = urllib.request.urlopen(req)
+jsonResponse = json.loads(response.read())
+aadToken = jsonResponse["access_token"]
+
+```
+
+where
+- tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
+- appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
+- appSecret: Secret of your AAD app
+
+## Run query
+
+ Run the following query:
+
+```
+query = 'RegistryEvents | limit 10' # Paste your own query here
+
+url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
+headers = {
+ 'Content-Type' : 'application/json',
+ 'Accept' : 'application/json',
+ 'Authorization' : "Bearer " + aadToken
+}
+
+data = json.dumps({ 'Query' : query }).encode("utf-8")
+
+req = urllib.request.Request(url, data, headers)
+response = urllib.request.urlopen(req)
+jsonResponse = json.loads(response.read())
+schema = jsonResponse["Schema"]
+results = jsonResponse["Results"]
+
+```
+
+- schema contains the schema of the results of your query
+- results contains the results of your query
+
+### Complex queries
+
+If you want to run complex queries (or multilines queries), save your query in a file and, instead of the first line in the above sample, run the below command:
+
+```
+queryFile = open("D:\\Temp\\myQuery.txt", 'r') # Replace with the path to your file
+query = queryFile.read()
+queryFile.close()
+```
+
+## Work with query results
+
+You can now use the query results.
+
+To iterate over the results do the below:
+
+```
+for result in results:
+ print(result) # Prints the whole result
+ print(result["EventTime"]) # Prints only the property 'EventTime' from the result
+
+
+```
+
+
+To output the results of the query in CSV format in file file1.csv do the below:
+
+```
+import csv
+
+outputFile = open("D:\\Temp\\file1.csv", 'w')
+output = csv.writer(outputFile)
+output.writerow(results[0].keys())
+for result in results:
+ output.writerow(result.values())
+
+outputFile.close()
+```
+
+To output the results of the query in JSON format in file file1.json do the below:
+
+```
+outputFile = open("D:\\Temp\\file1.json", 'w')
+json.dump(results, outputFile)
+outputFile.close()
+```
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
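Review bot: The CSV sample calls `output.writerow(results[0].keys())` unconditionally, which raises IndexError when the query returns no rows, and it opens the file with `open("D:\\Temp\\file1.csv", 'w')` without `newline=''`, which on Windows (the paths shown are Windows paths) produces a blank line after every row. Guard the empty case and open the file with `newline=''`. Writing `result.values()` also assumes every row carries the same keys in the same order as the first one; `csv.DictWriter` with field names taken from `schema` would not depend on that. All three file samples would be safer as `with open(...)` blocks so the handle is closed on error. `ms.date: 30/07/2018` is day-first, unlike the month-first dates elsewhere in the patch.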
diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..c9ae44eb2b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,107 @@
+---
+title: Run antivirus scan API
+description: Use this API to create calls related to running an antivirus scan on a machine.
+keywords: apis, graph api, supported apis, remove machine from isolation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Run antivirus scan API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Initiate Windows Defender Antivirus scan on a machine.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Scan | 'Scan machine'
+Delegated (work or school account) | Machine.Scan | 'Scan machine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/runAntiVirusScan
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+ScanType| String | Defines the type of the Scan. **Required**.
+
+**ScanType** controls the type of scan to perform and can be one of the following:
+
+- **Quick** – Perform quick scan on the machine
+- **Full** – Perform full scan on the machine
+
+
+
+## Response
+If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan
+Content-type: application/json
+{
+ "Comment": "Check machine for viruses due to alert 3212",
+ “ScanType”: “Full”
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+ "relatedFileInfo": null
+}
+
+```
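Review bot: The second property in the request example is written with typographic quotes, `“ScanType”: “Full”`, so the body is not valid JSON when copied; replace them with straight quotes as on the `"Comment"` line. As in the other machine-action samples, there is no blank line between `Content-type: application/json` and the body. The `keywords` front matter still reads "remove machine from isolation", carried over from another page, and the request headers table mixes `String` and `string` in the Type column.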
diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
index 73333ff005..40d0e7da3f 100644
--- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,12 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Run antivirus scan API
+# Run antivirus scan API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Initiate Windows Defender Antivirus scan on the machine.
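Review bot: The heading is changed to "(deprecated)" but the `ms.date: 12/08/2017` shown in the context is left as it was; bump it so the deprecation registers as a content update. The same applies to the other pages this patch marks as deprecated.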
diff --git a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
index 06af6fc6af..078ced8e48 100644
--- a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,12 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Stop and quarantine file API
+# Stop and quarantine file API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Stop execution of a file on a machine and ensure it’s not executed again on that machine.
diff --git a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
index e5bb46bc1d..aff0ccd147 100644
--- a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
@@ -14,15 +14,14 @@ ms.localizationpriority: medium
ms.date: 09/03/2018
---
-# Supported Windows Defender ATP query APIs
+# Supported Windows Defender ATP query APIs (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink)
-
Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
## In this section
@@ -38,5 +37,4 @@ User | Run API calls such as get alert related user information, user informatio
KbInfo | Run API call that gets list of Windows KB's information
CveKbMap | Run API call that gets mapping of CVE's to corresponding KB's
MachineSecurityStates | Run API call that gets list of machines with their security properties and versions
-MachineGroups | Run API call that gets list of machine group definitions
-
+MachineGroups | Run API call that gets list of machine group definitions
\ No newline at end of file
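Review bot: The only change to the `MachineGroups` row is the loss of the file's trailing newline (`\ No newline at end of file`). Keep the final newline so the last table row is not rewritten by a whitespace-only edit and later additions to the table diff cleanly.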
diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..d8693cd298
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,45 @@
+---
+title: TiIndicator resource type
+description: TiIndicator entity description.
+keywords: apis, supported apis, get, TiIndicator, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# TI(threat intelligence) Indicator resource type
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Method|Return Type |Description
+:---|:---|:---
+[List TI Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
+[Get TI Indicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Gets the requested [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+[Submit TI Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+[Delete TI Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | No Content | Deletes [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url"
+title | String | Ti indicator alert title.
+creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created.
+createdBy | String | Identity of the user/application that submitted the indicator.
+expirationTime | DateTimeOffset | The expiration time of the indicator
+action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed"
+severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High"
+description | String | Description of the indicator.
+recommendedActions | String | TI indicator alert recommended actions.
+
+
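Review bot: `# Properties` is a second level-1 heading in this file; the other new pages in this patch use `##` for sections under the title, so this should be `## Properties`. In the title, `TI(threat intelligence)` needs a space before the parenthesis. The table text needs a consistency pass: "Ti indicator" in the `title` row against "TI indicator" elsewhere, lowercase "possible values" in the `severity` row, and "if the indicator will be discovered" in the `action` row would read better as "if the indicator is discovered". `ms.date: 12/08/2017` on a newly added file looks copied from another page.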
diff --git a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
index fffb9ad229..ad824d3ab2 100644
--- a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Unblock file API
+# Unblock file API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Allow a file to be executed in the organization, using Windows Defender Antivirus.
diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..0b654aa63c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,105 @@
+---
+title: Release machine from isolation API
+description: Use this API to create calls related to release a machine from isolation.
+keywords: apis, graph api, supported apis, remove machine from isolation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Release machine from isolation API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Undo isolation of a machine.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Isolate | 'Isolate machine'
+Delegated (work or school account) | Machine.Isolate | 'Isolate machine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/unisolate
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate
+Content-type: application/json
+{
+ "Comment": "Unisolate machine since it was clean and validated"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "09a0f91e-a2eb-409d-af33-5577fe9bd558",
+ "type": "Unisolate",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "Unisolate machine since it was clean and validated ",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:13:15.0104931Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:13:15.0104931Z",
+ "relatedFileInfo": null
+}
+
+```
+
+To isolate a machine, see [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md).
+
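Review bot: The example request omits the `Authorization` header that the Request headers table marks **Required**, and there is no blank line between `Content-type: application/json` and the JSON body. Add `Authorization: Bearer {token}` to the example and separate the headers from the body. In the response example the `requestor` and `requestorComment` string values end with a stray space, and the Type column of the header table mixes `String` and `string`.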
diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
index 560416bc51..8898ab6189 100644
--- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Release machine from isolation API
+# Release machine from isolation API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Undo isolation of a machine.
diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..8ca7430854
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,100 @@
+---
+title: Remove app restriction API
+description: Use this API to create calls related to removing a restriction from applications from executing.
+keywords: apis, graph api, supported apis, remove machine from isolation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Remove app restriction API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Enable execution of any application on the machine.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.RestrictExecution | 'Restrict code execution'
+Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution
+```
+
+## Request headers
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution
+Content-type: application/json
+{
+ "Comment": "Unrestrict code execution since machine was cleaned and validated"
+}
+
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
+ "type": "UnrestrictCodeExecution",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Unrestrict code execution since machine was cleaned and validated ",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:15:40.6052029Z",
+ "relatedFileInfo": null
+}
+
+```
+
+To restrict code execution on a machine, see [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md).
\ No newline at end of file
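Review bot: The front matter `keywords` still say "remove machine from isolation", carried over from the isolation page; they should describe removing the app restriction. The `description` ("removing a restriction from applications from executing") is hard to parse and should be reworded. The example request leaves out the `Authorization` header that the table marks **Required**, `requestorComment` in the response ends with a stray space, and the file ends without a newline.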
diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
index 10def5a55d..e011fa5800 100644
--- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Remove app restriction API
+# Remove app restriction API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Unrestrict execution of set of predefined applications.
diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..1ce73605cf
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,108 @@
+---
+title: Get alert information by ID API
+description: Retrieves an alert by its ID.
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Update alert
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+Update the properties of an alert entity.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alerts.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+PATCH /api/alerts/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | String | application/json. **Required**.
+
+
+## Request body
+In the request body, supply the values for the relevant fields that should be updated.Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't change.
+
+Property | Type | Description
+:---|:---|:---
+status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
+assignedTo | String | Owner of the alert
+classification | String | Specifies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
+
+
+## Response
+If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body with the updated properties. If alert with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+PATCH https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
+Content-Type: application/json
+{
+ "assignedTo": "Our designated secop"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity",
+ "id": "636688558380765161_2136280442",
+ "severity": "Medium",
+ "status": "InProgress",
+ "description": "An anomalous memory operation appears to be tampering with a process associated with the Windows Defender EDR sensor.",
+ "recommendedAction": "A. Validate the alert.\n1. Examine the process involved in the memory operation to determine whether the process and the observed activities are normal. \n2. Check for other suspicious activities in the machine timeline.\n3. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.\n4. Submit relevant files for deep analysis and review file behaviors. \n5. Identify unusual system activity with system owners. \n\nB. Scope the incident. Find related machines, network addresses, and files in the incident graph. \n\nC. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.\n\nD. Contact your incident response team, or contact Microsoft support for investigation and remediation services.",
+ "alertCreationTime": "2018-08-07T10:18:04.2665329Z",
+ "category": "Installation",
+ "title": "Possible sensor tampering in memory",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": null,
+ "determination": null,
+ "assignedTo": "Our designated secop",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-07T10:14:35.470671Z",
+ "firstEventTime": "2018-08-07T10:14:35.470671Z",
+ "actorName": null,
+ "machineId": "a2250e1cd215af1ea2818ef8d01a564f67542857"
+}
+```
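Review bot: The front matter `title` ("Get alert information by ID API") and `description` ("Retrieves an alert by its ID.") describe a different page from `# Update alert`, so the published title and search metadata will be wrong. In the permissions table the application scope is `Alerts.ReadWrite.All` while the delegated scope is `Alert.ReadWrite`; confirm which prefix is intended. The `classification` row says "Specifies the specification of the alert", the request-body paragraph has "updated.Existing" and "haven't change", and `PATCH /api/alerts/{id}` is a relative path where the other new pages give the full `https://api.securitycenter.windows.com` URL. The example request also omits the required `Authorization` header.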
diff --git a/windows/security/threat-protection/windows-defender-atp/use-apis.md b/windows/security/threat-protection/windows-defender-atp/use-apis.md
new file mode 100644
index 0000000000..0232e57b31
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/use-apis.md
@@ -0,0 +1,26 @@
+---
+title: Use the Windows Defender Advanced Threat Protection APIs
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 10/23/2017
+---
+
+# Use the Windows Defender ATP exposed APIs
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+## In this section
+Topic | Description
+:---|:---
+Create your app | Learn how to create an application to get programmatical access to Windows Defender ATP on behalf of a user or without a user.
+Supported Windows Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
+How to use APIs - Samples | Learn how to use Advanced hunting APIs and multiple APIs such as PowerShell.
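Review bot: None of the three entries in the "In this section" table is a link, so the page leads nowhere; link each topic to its target file the way the resource-type tables in this patch do. The `description` has the typo "progammatic", and the last row ("multiple APIs such as PowerShell") names PowerShell as an API, where samples written in PowerShell is presumably what is meant.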
diff --git a/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..509ded9db9
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,23 @@
+---
+title: File resource type
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# User resource type
+
+Method|Return Type |Description
+:---|:---|:---
+[List User related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List all the alerts that are associated with a [user](user-windows-defender-advanced-threat-protection-new.md).
+[List User related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | List all the machines that were logged on by a [user](user-windows-defender-advanced-threat-protection-new.md).
+
+
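Review bot: The front matter `title: File resource type` and `description: Retrieves top recent alerts.` do not match `# User resource type`; both look copied from other pages and should be rewritten for the user entity. The page also lacks the "Applies to" block and the prerelease include that the TI Indicator resource page added in this patch carries. In the second table row, "machines that were logged on by a user" should read "logged on to by a user".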
diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index 6d9b834f75..743cb4b2da 100644
--- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -22,7 +22,7 @@ ms.date: 11/07/2018
Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
-indows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
+Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 360b2a59c8..a3272ab6e6 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/15/2018
+ms.date: 11/19/2018
---
# Reduce attack surfaces with attack surface reduction rules
@@ -53,18 +53,9 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
-The rules apply to the following Office apps:
-
-- Microsoft Word
-- Microsoft Excel
-- Microsoft PowerPoint
-- Microsoft OneNote
-
-The rules do not apply to any other Office apps.
-
### Rule: Block executable content from email client and webmail
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
@@ -80,6 +71,9 @@ This rule blocks the following file types from being run or launched from an ema
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
+>[!NOTE]
+>This does not include Outlook. For Outlook, please see [Block Office communication applications from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#rule-block-office-communication-applications-from-creating-child-processes).
+
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
### Rule: Block Office applications from creating executable content
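Review bot: The link in the added NOTE targets the anchor `#rule-block-office-communication-applications-from-creating-child-processes` (plural), but a later hunk in this same file renames that heading to "Block Office communication application from creating child processes", so the anchor generated from the renamed heading will presumably no longer match. Update the anchor and the link text to the new heading name, and use a relative in-page link instead of the absolute `docs.microsoft.com/en-us` URL so the reference survives locale and path changes.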
@@ -90,7 +84,7 @@ Extensions will be blocked from being used by Office apps. Typically these exten
### Rule: Block Office applications from injecting code into other processes
-Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes.
+Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to inject code into other processes.
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
@@ -116,7 +110,7 @@ This rule prevents scripts that appear to be obfuscated from running.
Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
-This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs.
+This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote.
### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
@@ -158,9 +152,9 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-### Rule: Block Office communication applications from creating child processes
+### Rule: Block Office communication application from creating child processes
-Office communication apps will not be allowed to create child processes. This includes Outlook.
+Outlook will not be allowed to create child processes.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index 7591a39db0..2ad55e0a66 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/02/2018
+ms.date: 11/16/2018
---
# Customize exploit protection
@@ -53,19 +53,19 @@ Validate exception chains (SEHOP) | Ensures the integrity of an exception chain
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
>[!IMPORTANT]
>If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
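Review bot: the re-added rows for Simulate execution (SimExec), Validate API invocation (CallerCheck) and Validate stack integrity (StackPivot) still end their description cell with "Not compatible with ACG" and no closing period, unlike the other description cells in this table. Since these lines are being rewritten anyway, add the period. Separately, seven rows flip their last column from check-yes to check-no in a single change, and nothing in the visible text explains why. Confirm each row against current product behavior and record the reason in the commit message so the change can be verified later.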
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index 675f449f0b..8e84a3872c 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -34,13 +34,13 @@ You can manually add the rules by using the GUIDs in the following table:
Rule description | GUID
-|-
-Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
-Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
-Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
-Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
-Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9B1eeee46550
+Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a
+Block Office applications from creating executable content | 3b576869-a4eC-4529-8536-b80a7769e899
+Block Office applications from injecting code into other processes | 75668c1f-73b5-4Cf0-bb93-3ecf5cb7cc84
+Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d
+Block execution of potentially obfuscated scripts | 5beb7efe-fd9A-4556-801d-275e5ffc04cc
+Block Win32 API calls from Office macro | 92e97fa1-2edf-4476-bdd6-9dd0B4dddc7b
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
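Review bot: the lowercased GUIDs are not consistently lowercase. Stray capitals remain in "84e5-9B1eeee46550", "a4eC-4529", "73b5-4Cf0", "fd9A-4556" and "9dd0B4dddc7b". The three unchanged rows below are fully lowercase, so either lowercase all seven new values completely or leave the originals in uppercase. Mixed case reads as a typo and makes a text search for a rule GUID copied from this table less reliable.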
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
index 98835fdcfd..325b6119b3 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: justinha
author: brianlic-msft
-ms.date: 08/08/2018
+ms.date: 11/15/2018
---
# Enable virtualization-based protection of code integrity
@@ -42,7 +42,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
3. Double-click **Turn on Virtualization Based Security**.
-4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be enabled remotely or select **Enabled without UEFI lock**.
+4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.

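Review bot: step 4 now correctly says the UEFI lock keeps HVCI from being disabled remotely, but it still offers "Enabled without UEFI lock" as an alternative without saying when to choose it. A short clause after that option, stating that it leaves HVCI removable through policy, would give the reader the trade-off the sentence implies.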
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
index a143ed81a3..290fbdaae4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/02/2018
+ms.date: 11/16/2018
---
# Evaluate attack surface reduction rules
@@ -22,164 +22,14 @@ ms.date: 10/02/2018
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
-This topic helps you evaluate attack surface reduction rules. It explains how to demo ASR rules using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
-
->[!NOTE]
->This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it.
->For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
+This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-## Use the demo tool to see how attack surface reduction rules work
-
-Use the **ExploitGuard ASR test tool** app to see how attack surface reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines.
-
-The tool is part of the Windows Defender Exploit Guard evaluation package:
-- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
-
-This tool has a simple user interface that lets you choose a rule, configure it in blocking, audit, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule.
-
-When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken.
-
-
-
-Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running.
-
->[!IMPORTANT]
->The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
-
-**Run a rule using the demo tool:**
-
-1. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard ASR test tool* to a location on your PC that is easy to access (such as your desktop).
-
-2. Run the tool by double-clicking the version that matches your operating system - either 64-bit (x64) or 32-bit (x86). If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**.
-
-
- >[!IMPORTANT]
- >Make sure you use the version of the tool that is appropriate for the machine you are using. Use the x86 version for 32-bit versions of Windows 10, or use the x64 version for 64-bit versions of Windows 10.
-
-3. Select the rule from the drop-down menu.
-
-4. Select the mode, **Disabled**, **Block**, or **Audit**.
- 1. Optionally, click **Show Advanced Options** and choose a specific scenario (or all scenarios sequentially by selecting **All Scenarios**), enter a delay, or click **Leave Dirty**.
-
-5. Click **RunScenario**.
-
-The scenario will run, and an output will appear describing the steps taken.
-
-You can right-click on the output window and click **Open Event Viewer** to see the relevant event in Windows Event Viewer.
-
->[!TIP]
->You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules.
-
-
-Choosing the **Mode** will change how the rule functions:
-
-Mode option | Description
--|-
-Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled attack surface reduction rules at all.
-Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled attack surface reduction rules.
-Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how attack surface reduction rules will work but without impacting how you use the computer.
-
-Block mode will cause a notification to appear on the user's desktop:
-
-
-
-You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk.
-
-For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
-
-The following sections describe what each rule does and what the scenarios entail for each rule.
-
-### Rule: Block executable content from email client and webmail
-
-This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail.
-
-The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule:
-
-Scenario name | File type | Program
-- | - | -
-Random | A scenario will be randomly chosen from this list | Microsoft Outlook or web mail
-Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook
-Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook
-Mail Client Script Archive | Script archive files | Microsoft Outlook
-WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail
-WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail
-WebMail Script Archive | Script archive files | Web mail
-
-
-### Rule: Block Office applications from creating child processes
-
->[!NOTE]
->There is only one scenario to test for this rule.
-
-Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
-
-### Rule: Block Office applications from creating executable content
-
-This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware technique.
-
-The following scenarios can be individually chosen:
-
-- Random
- - A scenario will be randomly chosen from this list
-- Extension Block
- - Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
-
-### Rule: Block Office applications from injecting into other processes
-
->[!NOTE]
->There is only one scenario to test for this rule.
-
-Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
-
-### Rule: Impede JavaScript and VBScript to launch executables
-
-JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
-
-- Random
- - A scenario will be randomly chosen from this list
-- JScript
- - JavaScript will not be allowed to launch executable files
-- VBScript
- - VBScript will not be allowed to launch executable files
-
-### Rule: Block execution of potentially obfuscated scripts
-
-Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running.
-
-- Random
- - A scenario will be randomly chosen from this list
-- AntiMalwareScanInterface
- - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script
-- OnAccess
- - Potentially obfuscated scripts will be blocked when an attempt is made to access them
-
-
-## Review Attack surface reduction events in Windows Event Viewer
-
-You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
-
-1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
-
-2. On the left panel, under **Actions**, click **Import custom view...**
-
-3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
-
-4. Click **OK**.
-
-5. This will create a custom view that filters to only show the following events related to Attack surface reduction:
-
-Event ID | Description
--|-
-5007 | Event when settings are changed
-1122 | Event when rule fires in Audit-mode
-1121 | Event when rule fires in Block-mode
-
## Use audit mode to measure impact
-You can also enable the Attack surface reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature.
+You can enable attack surface reduction rules in audit mode. This lets you see a record of what apps would have been blocked if you had enabled attack surface reduction rules.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use.
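Review bot: removing the "Review Attack surface reduction events in Windows Event Viewer" section also removes the only place on this page that says where audit results appear. The retained audit-mode paragraph still promises "a record of what apps would have been blocked", yet the event ID table (5007, 1122, 1121) and the link to event-views-exploit-guard.md are gone. Keep that table, or at least a one-line pointer to the event views topic, under "Use audit mode to measure impact". The deleted NOTE was also the intro's pointer to the Group Policy, MDM and Configuration Manager deployment instructions; consider keeping that sentence with the demo-tool wording removed.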
@@ -189,17 +39,17 @@ To enable audit mode, use the following PowerShell cmdlet:
Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
```
-This enables all Attack surface reduction rules in audit mode.
+This enables all attack surface reduction rules in audit mode.
>[!TIP]
->If you want to fully audit how Attack surface reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
-You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
+>If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md).
## Customize attack surface reduction rules
During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
-See the [Customize Exploit protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
+See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
## Related topics
- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
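Review bot: the context line under "## Customize attack surface reduction rules" still has the typo "individualy". The next line is already being edited to fix the link target, so correct the spelling in the same change. In the TIP above it, the second line ("You can also use Group Policy, Intune, or MDM CSPs ...") has no leading ">" in either the old or the new version. Add it if the sentence is meant to stay inside the tip, or separate it with a blank line if it is not.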
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
index f30804cbd0..3357f3a4fc 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/02/2018
+ms.date: 11/16/2018
---
# Evaluate controlled folder access
@@ -24,70 +24,11 @@ ms.date: 10/02/2018
It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
-This topic helps you evaluate controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
-
->[!NOTE]
->This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
->For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled folder access topic](controlled-folders-exploit-guard.md).
+This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-## Use the demo tool to see how controlled folder access works
-
-Use the **ExploitGuard CFA File Creator** tool to see how controlled folder access can prevent a suspicious app from creating files in protected folders.
-
-The tool is part of the Windows Defender Exploit Guard evaluation package:
-- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
-
-This tool can be run locally on an individual machine to see the typical behavior of controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
-
-You can enable controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
-
-1. Type **powershell** in the Start menu.
-
-2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
-
-3. Enter the following in the PowerShell window to enable Controlled folder access:
- ```PowerShell
- Set-MpPreference -EnableControlledFolderAccess Enabled
- ```
-
-4. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard CFA File Creator.exe* to a location on your PC that is easy to access (such as your desktop).
-
-5. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**.
-
-6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
-
- 
-
-7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example:
-
- 
-
-## Review controlled folder access events in Windows Event Viewer
-
-You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
-
-1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
-
-2. On the left panel, under **Actions**, click **Import custom view...**
-
-3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
-
-4. Click **OK**.
-
-5. This will create a custom view that filters to only show the following events related to Controlled folder access:
-
-Event ID | Description
--|-
-5007 | Event when settings are changed
-1124 | Audited controlled folder access event
-1123 | Blocked controlled folder access event
-1127 | Blocked controlled folder access sector write block event
-1128 | Audited controlled folder access sector write block event
-
-
## Use audit mode to measure impact
You can enable the controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting.
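Review bot: the deleted "Review controlled folder access events in Windows Event Viewer" section held the event IDs that distinguish audited from blocked activity (1124 and 1128 audited, 1123 and 1127 blocked, 5007 for settings changes). The audit-mode section that remains tells the reader they can "see a record of what *would* have happened" without saying where that record is. Keep the event ID table, minus the references to the evaluation package, or link to event-views-exploit-guard.md from the audit-mode section.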
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
index 1d7efe7b59..ec8690b50d 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 05/30/2018
+ms.date: 11/16/2018
---
# Evaluate exploit protection
@@ -26,75 +26,9 @@ Many of the features that are part of the [Enhanced Mitigation Experience Toolki
This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md).
->[!NOTE]
->This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
->For instructions about how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see [Exploit protection](exploit-protection-exploit-guard.md).
-
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-## Enable and validate an exploit protection mitigation
-
-For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app.
-
-First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Security app:
-
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
-
-2. Enter the following cmdlet:
-
- ```PowerShell
- Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation
- ```
-
-3. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**.
-
-4. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
-
-5. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
-
-6. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**.
-
-Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user:
-
-1. Type **run** in the Start menu and press **Enter** to open the run dialog box.
-
-2. Type **iexplore.exe** and press **Enter** or click **OK** to attempt to open Internet Explorer.
-
-3. Internet Explorer should briefly open and then immediately shut down again, indicating that the mitigation was applied and prevented Internet Explorer from opening a child process (its own process).
-
-Lastly, we can disable the mitigation so that Internet Explorer works properly again:
-
-1. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**.
-
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
-
-3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
-
-4. Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply**
-
-5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected.
-
-## Review exploit protection events in Windows Event Viewer
-
-You can now review the events that exploit protection sent to the Windows Event Viewer to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
-
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.
-
-2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
-
-3. On the left panel, under **Actions**, click **Import custom view...**
-
-4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
-
-4. Click **OK**.
-
-5. This will create a custom view that filters to only show the events related to exploit protection.
-
-6. The specific event to look for in this demo is event ID 4, which should have the following or similar information:
-
- Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'.
-
## Use audit mode to measure impact
You can enable exploit protection in audit mode. You can enable audit mode for individual mitigations.
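Review bot: this removal takes out both the only worked `Set-ProcessMitigation` example on the page and the sample event ID 4 text showing what a blocked child process looks like in the log. If the walkthrough is being retired along with the evaluation package, the audit-mode section should still link to the event views topic so readers can locate exploit protection events.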
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
index 995cbaeb50..9c5516c1de 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 08/09/2018
+ms.date: 11/16/2018
---
# Evaluate network protection
@@ -39,7 +39,7 @@ This topic helps you evaluate Network protection by enabling the feature and gui
Set-MpPreference -EnableNetworkProtection Enabled
```
-You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace `Enabled` with either `AuditMode` or `Disabled`.
+You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace "Enabled" with either "AuditMode" or "Disabled".
### Visit a (fake) malicious domain
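Review bot: changing `Enabled`, `AuditMode` and `Disabled` from code formatting to double-quoted text is a step backwards. These are literal argument values for `Set-MpPreference -EnableNetworkProtection`, and the code block directly above shows the value unquoted, so code formatting matches it. Keep the backticks.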
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 1eb3ac9b72..640fe4cc29 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -33,9 +33,9 @@ The following tables provide more information about the hardware, firmware, and
|--------------------------------|----------------------------------------------------|-------------------|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | |
| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwareuefisecureboot) | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
-| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwareuefisecureboot) | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: **HVCI compatible drivers** | See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://docs.microsoft.com/windows-hardware/design/compatibility/filter#filterdriverdeviceguarddrivercompatibility).| [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
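Review bot: In the HVCI compatible drivers row, the link labelled "Filter driver download" uses the same target, https://go.microsoft.com/fwlink/?linkid=2027110, as the two "Systems download" links in the UEFI firmware rows, so one of the labels probably points at the wrong document. Please confirm the link ID for the Filter driver specification before merging. The removed lines also linked straight to the named requirement through a page anchor, while the new ones point at a download, so it would help to say where in the downloaded document the requirement is found.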
@@ -58,7 +58,7 @@ The following tables describe additional hardware and firmware qualifications, a
| Protections for Improved Security | Description | Security benefits |
|---------------------------------------------|----------------------------------------------------|-----|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwarecsuefisecurebootconnectedstandby)
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies).
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. |
| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
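Review bot: In the added Hardware Rooted Trust Platform Secure Boot row, previous specification versions are linked with the text "here" and a locale-pinned URL (docs.microsoft.com/en-us/windows-hardware/...), while the HSTI link in the same cell uses the locale-neutral docs.microsoft.com/windows-hardware/... form. Suggest descriptive link text, for example "Windows Hardware Compatibility Program Specifications and Policies", and dropping the /en-us segment so the two links in the cell are consistent. The same wording appears in the three rows changed in the previous hunk and should be fixed there too.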