If you enable this policy setting, IE doesn't load any websites or content in the background.
If you disable this policy setting, IE preemptively loads websites and content in the background.
If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. | -|Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.
If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.
If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.
If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. | -|Turn off phone number detection |Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |IE11 on Windows 10 |This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.
If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.
If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.
If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. | -|Allow IE to use the SPDY/3 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.
If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.
If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.
If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced* tab of the **Internet Options** dialog box. The default is on.
**Note**
We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. |
|Allow IE to use the HTTP2 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.
If you enable this policy setting, IE uses the HTTP2 network protocol.
If you disable this policy setting, IE won't use the HTTP2 network protocol.
If you don't configure this policy setting, users can turn this behavior on or off, using the **Internet Explorer Advanced Internet Options** settings. The default is on. | +|Allow IE to use the SPDY/3 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.
If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.
If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.
If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced* tab of the **Internet Options** dialog box. The default is on.
**Note**
We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. |
+|Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.
If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.
If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.
If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. | +|Allow only approved domains to use the TDC ActiveX control |
If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone.
If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. | +|Allow SSL3 Fallback |Administrative Templates\Windows Components\Internet Explorer\Security Features |Internet Explorer 11 on Windows 10 |This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled.
If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.
If you disable or don’t configure this setting, Internet Explorer uses the default system protocols.
**Important:**
By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. |
+|Allow VBScript to run in Internet Explorer|
If you enable this policy setting (default), you must also pick one of the following options from the Options box:
If you disable or don’t configure this policy setting, VBScript runs without any interaction in the specified zone.| +|Always send Do Not Track header |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 |This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.
If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.
**In Internet Explorer 9 and 10:**
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.
**In at least IE11:**
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.
If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced* tab of the **Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. |
|Don't run antimalware programs against ActiveX controls
(Internet, Restricted Zones) |
If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. |
|Don't run antimalware programs against ActiveX controls
(Intranet, Trusted, Local Machine Zones) |
If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. | -|Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.
**Important**
When using 64-bit processes, some ActiveX controls and toolbars might not be available. |
-|Turn off sending UTF-8 query strings for URLs |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.
If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:
If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. | -|Turn off sending URL path as UTF-8 |User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding |At least Windows Internet Explorer 7 |This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.
If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.
If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.
If you don't configure this policy setting, users can turn this behavior on or off. | -|Turn off the flip ahead with page prediction feature |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 on Windows 8 |This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.
If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.
If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.
**Note**
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. |
-|Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data |Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History |At least Windows Internet Explorer 9 |**In Internet Explorer 9 and Internet Explorer 10:**
This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.
**In IE11:**
This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.
If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.
If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.
If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. | -|Always send Do Not Track header |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 |This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.
If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.
**In Internet Explorer 9 and 10:**
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.
**In at least IE11:**
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.
If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced* tab of the **Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. | -|Turn off the ability to launch report site problems using a menu option |Administrative Templates\Windows Components\Internet Explorer\Browser menus |Internet Explorer 11 |This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.
If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.
If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. | -|Allow only approved domains to use the TDC ActiveX control |
If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone.
If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. | -|Turn on Site Discovery XML output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
-|Turn on Site Discovery WMI output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
+|Hide the button (next to the New Tab button) that opens Microsoft Edge |User Configuration\Administrative Templates\Windows Components/Internet Explorer\Internet Settings\Advanced Settings\Browsing\ |IE11 on Windows 10, Windows Insider Program |This policy setting lets you decide whether employees can see the open Microsoft Edge button, which appears next to the New Tab button.
If you enable this policy setting, the button to open Microsoft Edge from Internet Explorer will be hidden.
If you disable this policy setting, the button to open Microsoft Edge from Internet Explorer appears.
If you don't configure this policy setting, the button to open Microsoft Edge from Internet Explorer can be configured by your employees. | +|Let users turn on and use Enterprise Mode from the **Tools** menu |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.
If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.
If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. | |Limit Site Discovery output by Domain |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.
**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. |
|Limit Site Discovery output by Zone |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to control which zones are included in the discovery function of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all specified security zones.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all security zones.
To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:
**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. |
-|Allow SSL3 Fallback |Administrative Templates\Windows Components\Internet Explorer\Security Features |Internet Explorer 11 on Windows 10 |This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled.
If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.
If you disable or don’t configure this setting, Internet Explorer uses the default system protocols.**Important:**
By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. |
-|Turn off automatic download of the ActiveX VersionList |Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management |At least Windows Internet Explorer 8 |This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.
If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.
If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.
**Important:**
Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking (https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) topic. |
-|Let users turn on and use Enterprise Mode from the **Tools** menu |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.
If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.
If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. | -|Use the Enterprise Mode IE website list |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1511 |This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.
If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.
If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. |
+|Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data |Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History |At least Windows Internet Explorer 9 |**In Internet Explorer 9 and Internet Explorer 10:**
This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.
**In IE11:**
This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.
If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.
If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.
If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. | |Send all sites not included in the Enterprise Mode Site List to Microsoft Edge |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether to open all sites that aren’t specified to open in IE11 by the Enterprise Mode site list, to open in Microsoft Edge.
If you enable this policy setting, you must also enable the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode site list.
If you disable or don't configure this policy setting, all sites will open based on the currently active browser.
**Note:**
If you’ve also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. |
|Show message when opening sites in Microsoft Edge using Enterprise Mode |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.
If you enable this policy setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.
If you disable or don't configure this policy setting, the default app behavior occurs and no additional page appears. | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +|Turn off automatic download of the ActiveX VersionList |Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management |At least Windows Internet Explorer 8 |This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.
If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.
If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.
**Important:**
Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking (https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) topic. |
+|Turn off loading websites and content in the background to optimize performance |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.
If you enable this policy setting, IE doesn't load any websites or content in the background.
If you disable this policy setting, IE preemptively loads websites and content in the background.
If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. | +|Turn off phone number detection |Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |IE11 on Windows 10 |This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.
If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.
If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.
If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. | +|Turn off sending URL path as UTF-8 |User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding |At least Windows Internet Explorer 7 |This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.
If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.
If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.
If you don't configure this policy setting, users can turn this behavior on or off. | +|Turn off sending UTF-8 query strings for URLs |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.
If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:
If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. | +|Turn off the ability to launch report site problems using a menu option |Administrative Templates\Windows Components\Internet Explorer\Browser menus |Internet Explorer 11 |This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.
If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.
If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. | +|Turn off the flip ahead with page prediction feature |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 on Windows 8 |This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.
If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.
If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.
**Note**
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. |
+|Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.
**Important**
When using 64-bit processes, some ActiveX controls and toolbars might not be available. |
+|Turn on Site Discovery WMI output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
+|Turn on Site Discovery XML output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
+|Use the Enterprise Mode IE website list |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1511 |This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.
If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.
If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. |
## Removed Group Policy settings
IE11 no longer supports these Group Policy settings:
diff --git a/education/windows/index.md b/education/windows/index.md
index bf4146606d..6ee2d1946a 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -1,6 +1,6 @@
---
title: Windows 10 for Education (Windows 10)
-description: Learn how to use Windows 10 in schools.
+description: Learn how to use Windows 10 in schools.
keywords: Windows 10, education
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/deploy/images/ur-overview.PNG b/windows/deploy/images/ur-overview.PNG
index f1818d7073..cf9563ece5 100644
Binary files a/windows/deploy/images/ur-overview.PNG and b/windows/deploy/images/ur-overview.PNG differ
diff --git a/windows/deploy/upgrade-readiness-upgrade-overview.md b/windows/deploy/upgrade-readiness-upgrade-overview.md
index 29777cad6f..bf09694a38 100644
--- a/windows/deploy/upgrade-readiness-upgrade-overview.md
+++ b/windows/deploy/upgrade-readiness-upgrade-overview.md
@@ -17,9 +17,13 @@ The following color-coded status changes are reflected on the upgrade overview b
- No delay in processing device inventory data = "Last updated" banner is displayed in green.
- Delay processing device inventory data = "Last updated" banner is displayed in amber.
- Computers with incomplete data:
- - Less than 4% = Count is displayed in black.
+ - Less than 4% = Count is displayed in green.
- 4% - 10% = Count is displayed in amber.
- Greater than 10% = Count is displayed in red.
+- Computers with outdated KB:
+ - Less than 10% = Count is displayed in green.
+ - 10% - 30% = Count is displayed in amber.
+ - Greater than 30% = Count is displayed in red.
- User changes:
- Pending user changes = User changes count displays "Data refresh pending" in amber.
- No pending user changes = User changes count displays "Up to date" in green.
@@ -28,6 +32,8 @@ The following color-coded status changes are reflected on the upgrade overview b
- If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber.
- If the current value is a deprecated OS version, the version is displayed in red.
+Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for information on required KBs.
+
In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index 82fea36b85..f46902d45e 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -168,6 +168,7 @@
##### [Choose the Right BitLocker Countermeasure](choose-the-right-bitlocker-countermeasure.md)
#### [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
### [Encrypted Hard Drive](encrypted-hard-drive.md)
+### [Enterprise Certificate Pinning](enterprise-certificate-pinning.md)
### [Security auditing](security-auditing-overview.md)
#### [Basic security audit policies](basic-security-audit-policies.md)
##### [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md)
@@ -572,7 +573,7 @@
###### [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)
###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)
-###### [Interactive logon: Don\'t display last signed-in](interactive-logon-do-not-display-last-user-name.md)
+###### [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)
###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)
###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)
###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)
@@ -768,10 +769,12 @@
######## [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
######## [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
-#### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
-##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
-##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
-##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+#### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+##### [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+##### [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+##### [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
#### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..e242add755
--- /dev/null
+++ b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,73 @@
+---
+title: Windows Defender ATP alert API fields
+description: Understand how the alert API fields map to the values in the Windows Defender ATP portal.
+keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Windows Defender ATP alert API fields
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
+
+
+# Alert API fields and portal mapping
+Field numbers match the numbers in the images below.
+
+Portal label | SIEM field name | Description
+:---|:---|:---
+1 | LinkToWDATP | Link back to the alert page in Windows Defender ATP
+2 | Alert ID | Alert ID visible in the link: `https://securitycenter.windows.com/alert/
ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title.
**Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM.
+11 | UserName | The user context relevant to the activity on the machine which triggered the alert. NOTE: Not yet populated.
+12 | FileName | File name
+13 | FileHash | Sha1 of file observed
+14 | FilePath | File path
+15 | IpAddress | IP of the IOC (when relevant)
+16 | URL | URL of the IOC (when relevant)
+17 | FullId | (Internal only)
Unique ID for each combination of IOC and Alert ID. Provides the ability to apply dedup logic in the SIEM.
+18 | AlertPart | (Internal only)
Alerts which contain multiple IOCs will be split into several messages, each message contains one IOC and a running counter. The counter provides the ability to reconstruct the alerts in the SIEM.
+19 | LastProccesedTimeUtc | (Internal only)
Time the alert was last processed in Windows Defender ATP.
+20 | Source| Alert detection source (Windows Defender AV, Windows Defender ATP, and Device Guard)
+21 | ThreatCategory| Windows Defender AV threat category
+22 | ThreatFamily | Windows Defender AV family name
+23 | RemediationAction | Windows Defender AV threat category |
+24 | WasExecutingWhileDetected | Indicates if a file was running while being detected.
+25| RemediationIsSuccess | Indicates if an alert was successfully remediated.
+26 | Sha1 | Sha1 of file observed in alert timeline and in file side pane (when available)
+27 | Md5 | Md5 of file observed (when available)
+28 | Sha256 | Sha256 of file observed (when available)
+29 | ThreatName | Windows Defender AV threat name
+
+>[!NOTE]
+> Fields #21-29 are related to Windows Defender Antivirus alerts.
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
index d7147d12a9..7f3ba226aa 100644
--- a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
@@ -22,7 +22,7 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal.
+You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can pull alerts from Windows Defender ATP portal.
1. Login to the [Azure management portal](https://ms.portal.azure.com).
@@ -78,12 +78,12 @@ You need to add an application in your Azure Active Directory (AAD) tenant then
23. Save the application changes.
-After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be consumed by your SIEM.
+After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be pulled by your SIEM.
## Obtain a refresh token using an events URL
Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token.
>[!NOTE]
->For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md).
+>For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md).
### Before you begin
Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
@@ -111,6 +111,6 @@ You'll use these values to obtain a refresh token.
After configuring your AAD application and generating a refresh token, you can proceed to configure your SIEM tool.
## Related topics
-- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
-- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
index c4ebb2bd23..fba8ebda15 100644
--- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
-title: Configure HP ArcSight to consume Windows Defender ATP alerts
-description: Configure HP ArcSight to receive and consume alerts from the Windows Defender ATP portal.
+title: Configure HP ArcSight to pull Windows Defender ATP alerts
+description: Configure HP ArcSight to receive and pull alerts from the Windows Defender ATP portal.
keywords: configure hp arcsight, security information and events management tools, arcsight
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high
---
-# Configure HP ArcSight to consume Windows Defender ATP alerts
+# Configure HP ArcSight to pull Windows Defender ATP alerts
**Applies to:**
@@ -21,86 +21,163 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-You'll need to configure HP ArcSight so that it can consume Windows Defender ATP alerts.
+You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender ATP alerts.
## Before you begin
+Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse alerts from your Azure Active Directory (AAD) application.
-- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page:
- - OAuth 2 Token refresh URL
- - OAuth 2 Client ID
- - OAuth 2 Client secret
-- Download the [WDATP-connector.properties](http://download.microsoft.com/download/3/9/C/39C703C2-487C-4C3E-AFD8-14C2253C2F12/WDATP-connector.properties) file and update the following values:
+This section guides you in getting the necessary information to set and use the required configuration files correctly.
- - **client_ID**: OAuth 2 Client ID
- - **client_secret**: OAuth 2 Client secret
- - **auth_url**: ```https://login.microsoftonline.com/
-
-
-6. Select **Next**, then **Save**.
+5. Select Type: **ArcSight FlexConnector REST** and click **Next**.
-7. Run the connector. You can choose to run in Service mode or Application mode.
+6. Type the following information in the parameter details form. All other values in the form are optional and can be left blank.
-8. In the HP ArcSight console, create a **Windows Defender ATP** channel with intervals and properties suitable to your enterprise needs. Windows Defender ATP alerts will appear as discrete events, with “Microsoft” as the vendor and “Windows Defender ATP” as the device name.
+
-
- Field
- Value
-
-
- Configuration File
- Type in the name of the client property file. It must match the client property file.
- Events URL
- Depending on the location of your datacenter, select either the EU or the US URL: **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
- **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
-
-
- Authentication Type
- OAuth 2
- OAuth 2 Client Properties file
- Select *wdatp-connector.properties*.
-
-
-
- Refresh Token
- You can use the Windows Defender ATP events URL or the restutil tool to get obtain a refresh token.
-
For more information on getting your refresh token using the events URL, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token). **To get your refresh token using the restutil tool:** a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\
+
+
+7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.
+If the `redirect_uri` is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https. If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
+
+8. Continue with the connector setup by returning to the HP ArcSight Connector Setup window.
+
+9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
+
+10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
+
+11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
+
+11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
+
+12. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
+
+13. Select **Install as a service** and click **Next**.
+
+14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
+
+13. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
+
+14. Finish the installation by selecting **Exit** and **Next**.
+
+## Install and configure the HP ArcSight console
+1. Follow the installation wizard through the following tasks:
+ - Introduction
+ - License Agreement
+ - Special Notice
+ - Choose ArcSight installation directory
+ - Choose Shortcut Folder
+ - Pre-Installation Summary
+
+2. Click **Install**. After the installation completes, the ArcSight Console Configuration Wizard opens.
+
+3. Type localhost in **Manager Host Name** and 8443 in **Manager Port** then click **Next**.
+
+4. Select **Use direct connection**, then click **Next**.
+
+5. Select **Password Based Authentication**, then click **Next**.
+
+6. Select **This is a single user installation. (Recommended)**, then click **Next**.
+
+7. Click **Done** to quit the installer.
+
+8. Login to the HP ArcSight console.
+
+9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**.
+
+10. Set **Device Product = Windows Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
+
+You can now run queries in the HP ArcSight console.
+
+Windows Defender ATP alerts will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
+
+
+## Troubleshooting HP ArcSight connection
+**Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`.
+
+**Symptom:** You get the following error message:
+
+`Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token`
+
+**Solution:**
+1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?".
+2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value:
+`reauthenticate=true`.
+
+3. Restart the connector by running the following command: `arcsight.bat connectors`.
+
+ A browser window appears. Allow it to run, it should disappear, and the connector should now be running.
+
+ > [!NOTE]
+ > Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear.
## Related topics
-- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
-- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
index 35dead1efe..ba1f5cc851 100644
--- a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
-title: Consume alerts and create custom indicators in Windows Defender Advanced Threat Protection
-description: Learn how to configure supported security information and events management tools to receive and consume alerts and create custom indicators using REST API.
+title: Pull alerts to your SIEM tools from Windows Defender Advanced Threat Protection
+description: Learn how to use REST API and configure supported security information and events management tools to receive and pull alerts.
keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high
---
-# Consume alerts and create custom indicators
+# Pull alerts to your SIEM tools
**Applies to:**
@@ -21,8 +21,10 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-## Consume alerts using supported security information and events management (SIEM) tools
-Windows Defender ATP supports (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+## Pull alerts using supported security information and events management (SIEM) tools
+Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
Windows Defender ATP currently supports the following SIEM tools:
@@ -32,20 +34,26 @@ Windows Defender ATP currently supports the following SIEM tools:
To use either of these supported SIEM tools you'll need to:
-- [Configure an Azure Active Directory application for SIEM integration in your tenant](configure-aad-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- Configure the supported SIEM tool:
- - [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- - [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+ - [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+ - [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
-## Create custom threat indicators in Windows Defender ATP
-You can also create custom threat indicators using the available REST API so that you can create specific alerts that are applicable to your organization.
+For more information on the list of fields exposed in the alerts API see, [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md).
+
+
+## Pull Windows Defender ATP alerts using REST API
+Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API.
+
+For more information, see [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md).
-For more information, see [Create custom threat indicators (TI) using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md).
## In this section
Topic | Description
:---|:---
-[Configure an Azure Active Directory application](configure-aad-windows-defender-advanced-threat-protection.md)| Learn about configuring an Azure Active Directory application to integrate with supported security information and events management (SIEM) tools.
- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to consume Windows Defender ATP alerts.
- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to consume Windows Defender ATP alerts.
+[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
+[Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
+[Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
+[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
+[Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.
diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
index 8dc36252d3..18fa8ef5d5 100644
--- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
-title: Configure Splunk to consume Windows Defender ATP alerts
-description: Configure Splunk to receive and consume alerts from the Windows Defender ATP portal.
+title: Configure Splunk to pull Windows Defender ATP alerts
+description: Configure Splunk to receive and pull alerts from the Windows Defender ATP portal.
keywords: configure splunk, security information and events management tools, splunk
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high
---
-# Configure Splunk to consume Windows Defender ATP alerts
+# Configure Splunk to pull Windows Defender ATP alerts
**Applies to:**
@@ -21,16 +21,19 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-You'll need to configure Splunk so that it can consume Windows Defender ATP alerts.
+You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.
## Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk.
-- Obtain your refresh token. For more information, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token).
-- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page:
- - OAuth 2 Token refresh URL
- - OAuth 2 Client ID
- - OAuth 2 Client secret
+- Make sure you have enabled the **SIEM integration** feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+
+- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values:
+ - OAuth 2 Token refresh URL
+ - OAuth 2 Client ID
+ - OAuth 2 Client secret
+
+- Have the refresh token that you generated from the SIEM integration feature ready.
## Configure Splunk
@@ -56,8 +59,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
+
+ Field
+ Value
+
+
+ Configuration File
+ Type in the name of the client property file. The name must match the file provided in the .zip that you downloaded.
+ For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.
+ Events URL
+ Depending on the location of your datacenter, select either the EU or the US URL: **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
+ **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
+
+
+ Authentication Type
+ OAuth 2
+ OAuth 2 Client Properties file
+ Browse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded.
+
+
+
+ Refresh Token
+ You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM integration preferences setup** page or using the restutil tool.
+
For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). **Get your refresh token using the restutil tool:** a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool. b. Type: `arcsight restutil token -config` from the bin directory. A Web browser window will open. c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. d. A refresh token is shown in the command prompt. e. Copy and paste it into the **Refresh Token** field.
+
Endpoint URL
- Depending on the location of your datacenter, select either the EU or the US URL: **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts
-
+ Depending on the location of your datacenter, select either the EU or the US URL: **For EU**: `https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts`**For US:**` https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts`
HTTP Method
@@ -66,16 +68,24 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
Authentication Type
oauth2
+
+ OAuth 2 Access token
+ Use the value that you generated when you enabled the SIEM integration feature. NOTE: The access token expires after an hour.
+
+
+ OAuth 2 Refresh Token
+ Use the value that you generated when you enabled the **SIEM integration** feature.
+
OAuth 2 Token Refresh URL
- Value taken from AAD application
+ Use the value from the details file you saved when you enabled the **SIEM integration** feature.
OAuth 2 Client ID
- Value taken from AAD application
+ Use the value from the details file you saved when you enabled the **SIEM integration** feature.
OAuth 2 Client Secret
- Value taken from AAD application
+ Use the value from the details file you saved when you enabled the **SIEM integration** feature.
Response type
@@ -102,11 +112,26 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
-You can use the following query as an example in Splunk:
-```source="rest://windows atp alerts"|spath|table*```
+## View alerts using Splunk solution explorer
+Use the solution explorer to view alerts in Splunk.
+
+1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**.
+
+2. Select **New**.
+
+3. Enter the following details:
+ - Destination app: Select Search & Reporting (search)
+ - Search name: Enter a name for the query
+ - Search: Enter a query, for example:
+ `source="rest://windows atp alerts"|spath|table*`
+
+ Other values are optional and can be left with the default values.
+4. Click **Save**. The query is saved in the list of searches.
+
+5. Find the query you saved in the list and click **Run**. The results are displayed based on your query.
## Related topics
-- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
-- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
-- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..5746ab6157
--- /dev/null
+++ b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,51 @@
+---
+title: Enable SIEM integration in Windows Defender Advanced Threat Protection
+description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution.
+keywords: enable siem connector, siem, connector, security information and events
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Enable SIEM integration in Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
+
+1. In the navigation pane, select **Preferences setup** > **SIEM integration**.
+
+ 
+
+2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant.
+
+ >[!WARNING]
+ >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
+ >For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
+
+3. Choose the SIEM type you use in your organization.
+ >[!NOTE]
+ >If you select HP ArcSight, you'll need to save these two configuration files:
+ > - WDATP-connector.jsonparser.properties
+ > - WDATP-connector.properties
+ > If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**.
+
+4. Copy the individual values or select **Save details to file** to download a file that contains all the values.
+
+5. Select **Generate tokens** to get an access and refresh token.
+
+You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal.
+
+## Related topics
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/enterprise-certificate-pinning.md b/windows/keep-secure/enterprise-certificate-pinning.md
new file mode 100644
index 0000000000..b6b15f7df9
--- /dev/null
+++ b/windows/keep-secure/enterprise-certificate-pinning.md
@@ -0,0 +1,450 @@
+---
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.author: mstephens
+author: MikeStephens-MS
+description: Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name.
+manager: alanth
+ms.date: 2016-12-27
+ms.prod: w10
+ms.technology: security
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+---
+
+# Enterprise Certificate Pinning
+
+**Applies to**
+- Windows 10
+
+Enterprise certificate pinning is a Windows feature for remembering, or “pinning,” a root issuing certificate authority or end entity certificate to a given domain name.
+Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates.
+
+>[!NOTE]
+> External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning. Web administrators should configure their web servers to use HTTP public key pinning (HPKP) and encourage users to use web browsers that support HPKP.
+
+Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the site’s server authentication certificate chain matches a restricted set of certificates.
+These restrictions are encapsulated in a Pin Rules Certificate Trust List (CTL) that is configured and deployed to Windows 10 computers.
+Any site certificate triggering a name mismatch causes Windows to write an event to the CAPI2 event log and prevents the user from navigating to the web site using Microsoft Edge or Internet Explorer.
+
+## Deployment
+
+To deploy enterprise certificate pinning, you need to:
+
+- Create a well-formatted certificate pinning rule XML file
+- Create a pin rules certificate trust list file from the XML file
+- Apply the pin rules certificate trust list file to a reference administrative computer
+- Deploy the registry configuration on the reference computer using Group Policy Management Console (GPMC), which is included in the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/download/details.aspx?id=45520).
+
+### Create a Pin Rules XML file
+
+The XML-based pin rules file consists of a sequence of PinRule elements.
+Each PinRule element contains a sequence of one or more Site elements and a sequence of zero or more Certificate elements.
+
+```code
+
**For EU**: `https://wdatp-alertexporter-eu.windows.com/api/alerts` **For US**: `https://wdatp-alertexporter-us.windows.com/api/alerts`
+
+### Request header
+Header | Type | Description|
+:--|:--|:--
+Authorization | string | Required. The Azure AD access token in the form **Bearer** <*token*>. |
+
+### Request parameters
+
+Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization.
+
+Name | Value| Description
+:---|:---|:---
+DateTime?sinceTimeUtc | string | Defines the time alerts are retrieved from based from `LastProccesedTimeUtc` time to current time.
**NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
+int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.
**NOTE**: When not specified, all alerts available in the time range will be retrieved.
+
+### Request example
+The following example demonstrates how to retrieve all the alerts in your organization.
+
+```syntax
+GET https://wdatp-alertexporter-eu.windows.com/api/alerts
+Authorization: Bearer
Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. |
-| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
+| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Added instructions for replacing markup characters with escape characters in Start layout XML |
| [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | New |
| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | New |
-| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
-
+| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
+
## December 2015
@@ -198,5 +198,3 @@ The topics in this library have been updated for Windows 10, version 1607 (also
[Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md)
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
-
-
diff --git a/windows/manage/waas-optimize-windows-10-updates.md b/windows/manage/waas-optimize-windows-10-updates.md
index e8a17a2b8b..681a39ca98 100644
--- a/windows/manage/waas-optimize-windows-10-updates.md
+++ b/windows/manage/waas-optimize-windows-10-updates.md
@@ -13,24 +13,24 @@ localizationpriority: high
**Applies to**
-- Windows 10
+- Windows 10
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10.
-Two methods of peer-to-peer content distribution are available in Windows 10.
+Two methods of peer-to-peer content distribution are available in Windows 10.
-- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests.
+- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests.
- Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
+ Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
-- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
+- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
>[!NOTE]
>Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.
- Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
+ Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
@@ -50,7 +50,7 @@ Windows 10 update downloads can be large because every package contains all prev
### How Microsoft supports Express
- **Express on WSUS Standalone**
-
+
Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).
- **Express on devices directly connected to Windows Update**
- **Enterprise devices managed using [Windows Update for Business](waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration.
@@ -96,7 +96,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
@@ -104,5 +104,3 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md)
-
-
diff --git a/windows/manage/windows-store-for-business-overview.md b/windows/manage/windows-store-for-business-overview.md
index 59c4b92895..81941f86f8 100644
--- a/windows/manage/windows-store-for-business-overview.md
+++ b/windows/manage/windows-store-for-business-overview.md
@@ -254,6 +254,7 @@ Store for Business is currently available in these markets.
+