Management tool for the Windows Store for Business
Management tool for the Micosoft Store for Business
New topics. The Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. It enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates.
The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
+For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.
+Added new CSP in Windows 10, version 1709.
Added DeviceTunnel profile in Windows 10, version 1709.
+Added DeviceTunnel and RegisterDNS settings in Windows 10, version 1709.
Added new policies.
Windows Store for Business name changed to Microsoft Store for Business.
+Added the following new policies for Windows 10, version 1709:
Added the following new policies for Windows 10, version 1709:
Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.
+Windows Store for Business name changed to Microsoft Store for Business.
+The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
+For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.
+Added RegisterDNS setting in Windows 10, version 1709.
Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
---|---|---|---|---|---|---|
![]() |
+ ![]() |
+ ![]() |
+ ![]() |
+ ![]() |
+ ![]() |
+ ![]() |
+
Added in Windows 10. version 1709. This policy allows an enterprise to configure the default mode for the handwriting panel. + +
The handwriting panel has 2 modes - floats near the text box, or docked to the bottom of the screen. The default configuration to is floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen. + +
In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and does not require any user interaction. + +
The docked mode is especially useful in Kiosk mode where you do not expect the end-user to drag the flying-in panel out of the way. + +
The following list shows the supported values: -- 16 (default) – User gets all applicable upgrades from Current Branch (CB). -- 32 – User gets upgrades from Current Branch for Business (CBB). +- 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709) +- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709) +- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709) +- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). +- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. + @@ -1253,12 +1257,12 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. -
Allows the IT admin to set a device to CBB train. +
Allows the IT admin to set a device to Semi-Annual Channel train.
The following list shows the supported values:
-- 0 (default) – User gets upgrades from Current Branch.
-- 1 – User gets upgrades from Current Branch for Business.
+- 0 (default) – User gets upgrades from Semi-Annual Channel (Targeted).
+- 1 – User gets upgrades from Semi-Annual Channel.
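Review bot: The channel name is cased inconsistently within this change. The three added RequireDeferUpgrade lines use "Semi-Annual Channel", while the BranchReadinessLevel values added just above use "Semi-annual Channel (Targeted)" and "Semi-annual Channel". Pick one casing and apply it to both policies. The description also keeps the old "train" wording ("set a device to Semi-Annual Channel train"), which reads oddly after the rename and could be dropped.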
diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md
index ee30992445..1319338ddc 100644
--- a/windows/client-management/mdm/reclaim-seat-from-user.md
+++ b/windows/client-management/mdm/reclaim-seat-from-user.md
@@ -1,6 +1,6 @@
---
title: Reclaim seat from user
-description: The Reclaim seat from user operation returns reclaimed seats for a user in the Windows Store for Business.
+description: The Reclaim seat from user operation returns reclaimed seats for a user in the Micosoft Store for Business.
ms.assetid: E2C3C899-D0AD-469A-A319-31A420472A4C
ms.author: maricia
ms.topic: article
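Review bot: The replacement description misspells the product name as "Micosoft Store for Business"; it should read "Microsoft Store for Business". The same misspelling is introduced in the body sentence of the next hunk in this file, so fix both together.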
@@ -12,7 +12,7 @@ ms.date: 06/19/2017
# Reclaim seat from user
-The **Reclaim seat from user** operation returns reclaimed seats for a user in the Windows Store for Business.
+The **Reclaim seat from user** operation returns reclaimed seats for a user in the Micosoft Store for Business.
## Request
diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
index 5016c86ac9..d64e4e1b4d 100644
--- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
+++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
@@ -1,6 +1,6 @@
---
-title: REST API reference for Windows Store for Business
-description: REST API reference for Windows Store for Business
+title: REST API reference for Micosoft Store for Business
+description: REST API reference for Micosoft Store for Business
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference'
- 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business'
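Review bot: Both added front-matter lines (title and description) spell the product "Micosoft Store for Business". Because the title is what search results and the browser tab show, correct it to "Microsoft" here and in the H1 changed in the following hunk.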
@@ -13,7 +13,7 @@ author: nickbrower
ms.date: 06/19/2017
---
-# REST API reference for Windows Store for Business
+# REST API reference for Micosoft Store for Business
Here's the list of available operations:
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 05e8da9fa3..aa98ff54c0 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/07/2017
+ms.date: 09/18/2017
---
# VPNv2 CSP
@@ -35,7 +35,7 @@ The XSDs for all EAP methods are shipped in the box and can be found at the foll
The following diagram shows the VPNv2 configuration service provider in tree format.
-
+
**Device or User profile**
For user profile, use **./User/Vendor/MSFT** path and for device profile, use **./Device/Vendor/MSFT** path.
@@ -303,6 +303,14 @@ A device tunnel profile must be deleted before another device tunnel profile can
Value type is bool. Supported operations include Get, Add, Replace, and Delete.
+**VPNv2/***ProfileName***/RegisterDNS**
+Allows registration of the connection's address in DNS.
+
+Valid values:
+
+- False = Do not register the connection's address in DNS (default).
+- True = Register the connection's addresses in DNS.
+
**VPNv2/***ProfileName***/DnsSuffix**
Optional. Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
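Review bot: The new RegisterDNS node does not state its value type or supported operations, unlike the node documented immediately before it ("Value type is bool. Supported operations include Get, Add, Replace, and Delete."). Add the equivalent line for RegisterDNS. The two value descriptions should also agree on singular or plural: False says "the connection's address" and True says "the connection's addresses".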
diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md
index 1312ba1a63..3208f1111a 100644
--- a/windows/client-management/mdm/vpnv2-ddf-file.md
+++ b/windows/client-management/mdm/vpnv2-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/07/2017
+ms.date: 09/18/2017
---
# VPNv2 DDF file
@@ -992,6 +992,33 @@ The XML below is for Windows 10, version 1709.
+
|
-| Device performance and reliability data | Information about the device and software performance such as:
+|Device health and crash data | Information about the device and software health such as:
|
+|Device performance and reliability data | Information about the device and software performance such as:
|
+|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.
|
+|On-device file query | Information about local search activity on the device such as:
|
+|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.
|
+|Photos App|Information about photos usage on the device. This isn't intended to capture user viewing, listening or habits.
|
+|Purchasing| Information about purchases made on the device such as:
|
+|Entitlements | Information about entitlements on the device such as:
|
## Software Setup and Inventory data
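Review bot: The added Movies, Reading and Photos App rows end with "This isn't intended to capture user viewing, listening or habits", which has lost a word. The section text removed later in this change read "user viewing, listening or reading habits"; restore "reading" in all three rows so the privacy statement still parses.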
@@ -78,25 +85,13 @@ This type of data includes software installation and update information on the d
| Installed Applications and Install History | Information about apps, drivers, update packages, or OS components installed on the device such as:
|
| Device update information | Information about Windows Update such as:
-## Content Consumption data
+## Browsing History data
-This type of data includes diagnostic details about Microsoft applications that provide media consumption functionality (such as Groove Music), and is not intended to capture user viewing, listening or reading habits.
-
-| Category Name | Examples |
-| - | - |
-| Movies | Information about movie consumption functionality on the device such as:
|
-| Music & TV | Information about music and TV consumption on the device such as:
|
-| Reading | Information about reading consumption functionality on the device such as:
|
-| Photos App | Information about photos usage on the device such as:
-
-## Browsing, Search and Query data
-
-This type of data includes details about web browsing, search and query activity in the Microsoft browsers and Cortana, and local file searches on the device.
+This type of data includes details about web browsing in the Microsoft browsers.
| Category Name | Description and Examples |
| - | - |
| Microsoft browser data | Information about Address bar and search box performance on the device such as:
|
-| On-device file query | Information about local search activity on the device such as:
|
## Inking Typing and Speech Utterance data
@@ -105,13 +100,4 @@ This type of data gathers details about the voice, inking, and typing input feat
| Category Name | Description and Examples |
| - | - |
-| Voice, inking, and typing | Information about voice, inking and typing features such as:
|
-
-## Licensing and Purchase data
-
-This type of data includes diagnostic details about the purchase and entitlement activity on the device.
-
-| Category Name | Data Examples |
-| - | - |
-| Purchase history | Information about purchases made on the device such as:
|
-| Entitlements | Information about entitlements on the device such as:
|
\ No newline at end of file
+| Voice, inking, and typing | Information about voice, inking and typing features such as:
|
\ No newline at end of file
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index b070057f1d..3d057730dc 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -222,8 +222,6 @@
#### [Windows Insider Program for Business using Azure Active Directory](update/waas-windows-insider-for-business-aad.md)
#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
#### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md)
-##### [Keep your current Windows 10 edition](update/olympia/enrollment-keep-current-edition.md)
-##### [Upgrade your Windows 10 edition from Pro to Enterprise](update/olympia/enrollment-upgrade-to-enterprise.md)
### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
## Windows Analytics
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index e11c92867c..95255b68f9 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -79,7 +79,7 @@ For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
### Microsoft Deployment Toolkit (MDT)
-MDT build 884 is available, including support for:
+MDT build 8443 is available, including support for:
- Deployment and upgrade of Windows 10, version 1607 (including Enterprise LTSB and Education editions) and Windows Server 2016.
- The Windows ADK for Windows 10, version 1607.
- Integration with Configuration Manager version 1606.
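Review bot: Only the build number changes here (884 to 8443), while the support list beneath it still names Windows 10, version 1607, the 1607 ADK and Configuration Manager version 1606. Confirm that the list describes build 8443; if the earlier number was simply a typo, say so in the commit message so readers do not expect new support statements.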
diff --git a/windows/deployment/update/olympia/enrollment-keep-current-edition.md b/windows/deployment/update/olympia/enrollment-keep-current-edition.md
deleted file mode 100644
index b0016c44ee..0000000000
--- a/windows/deployment/update/olympia/enrollment-keep-current-edition.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Keep your current Windows 10 edition
-description: Olympia Corp enrollment - Keep your current Windows 10 edition
-ms.author: nibr
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: nickbrower
-ms.date: 09/01/2017
----
-
-# Olympia Corp enrollment
-
-## Keep your current Windows 10 edition
-
-1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
-
- 
-
-2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
-
-3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
-
- 
-
-4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
-
- > [!NOTE]
- > Passwords should contain 8-16 characters, including at least one special character or number.
-
- 
-
-5. Read the **Terms and Conditions**. Click **Accept** to participate in the program.
-
-6. If this is the first time you are logging in, please fill in the additional information to help you retrieve your account details.
-
-7. Create a PIN for signing into your Olympia corporate account.
-
-8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
-
- > [!NOTE]
- > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
-
-9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
diff --git a/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md b/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md
deleted file mode 100644
index 6643971428..0000000000
--- a/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Upgrade your Windows 10 edition from Pro to Enterprise
-description: Olympia Corp enrollment - Upgrade your Windows 10 edition from Pro to Enterprise
-ms.author: nibr
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: nickbrower
-ms.date: 09/01/2017
----
-
-# Olympia Corp enrollment
-
-## Upgrade your Windows 10 edition from Pro to Enterprise
-
-1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
-
- 
-
-2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
-
-3. Click **Connect**, then click **Join this device to Azure Active Directory**.
-
- 
-
-4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
-
- 
-
-5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
-
- > [!NOTE]
- > Passwords should contain 8-16 characters, including at least one special character or number.
-
- 
-
-6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
-
-7. If this is the first time you are signing in, please fill in the additional information to help you retrieve your account details.
-
-8. Create a PIN for signing into your Olympia corporate account.
-
-9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
-
-10. Restart your PC.
-
-11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your PC will upgrade to Windows 10 Enterprise*.
-
-12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
-
- > [!NOTE]
- > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
-
-13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
-
-\* Please note that your Windows 10 Enterprise license will not be renewed if your PC is not connected to Olympia.
-
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
index 17b87bd7b0..fddd959017 100644
--- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/01/2017
+ms.date: 09/14/2017
---
# Olympia Corp enrollment guidelines
@@ -17,6 +17,87 @@ As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Ent
Choose one of the following two enrollment options:
-1. [Keep your current Windows 10 edition](./enrollment-keep-current-edition.md)
+1. [Keep your current Windows 10 edition](#enrollment-keep-current-edition)
+
+2. [Upgrade your Windows 10 edition from Pro to Enterprise](#enrollment-upgrade-to-enterprise)
+
+
+
+## Keep your current Windows 10 edition
+
+1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
+
+ 
+
+2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
+
+3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
+
+ 
+
+4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
+
+ > [!NOTE]
+ > Passwords should contain 8-16 characters, including at least one special character or number.
+
+ 
+
+5. Read the **Terms and Conditions**. Click **Accept** to participate in the program.
+
+6. If this is the first time you are logging in, please fill in the additional information to help you retrieve your account details.
+
+7. Create a PIN for signing into your Olympia corporate account.
+
+8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
+
+ > [!NOTE]
+ > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
+
+9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
+
+
+
+## Upgrade your Windows 10 edition from Pro to Enterprise
+
+1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
+
+ 
+
+2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
+
+3. Click **Connect**, then click **Join this device to Azure Active Directory**.
+
+ 
+
+4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
+
+ 
+
+5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
+
+ > [!NOTE]
+ > Passwords should contain 8-16 characters, including at least one special character or number.
+
+ 
+
+6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
+
+7. If this is the first time you are signing in, please fill in the additional information to help you retrieve your account details.
+
+8. Create a PIN for signing into your Olympia corporate account.
+
+9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
+
+10. Restart your PC.
+
+11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your PC will upgrade to Windows 10 Enterprise*.
+
+12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
+
+ > [!NOTE]
+ > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
+
+13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
+
+\* Please note that your Windows 10 Enterprise license will not be renewed if your PC is not connected to Olympia.
-2. [Upgrade your Windows 10 edition from Pro to Enterprise](./enrollment-upgrade-to-enterprise.md)
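Review bot: In the merged "Upgrade your Windows 10 edition from Pro to Enterprise" procedure, steps 6 and 9 are the same instruction ("When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**."). This was carried over from the deleted file; remove one of them or explain why the prompt appears twice. The two option links now target #enrollment-keep-current-edition and #enrollment-upgrade-to-enterprise, but the visible headings are "Keep your current Windows 10 edition" and "Upgrade your Windows 10 edition from Pro to Enterprise", so confirm that explicit anchors with those ids sit above each heading, otherwise the links will not resolve. Step 6 of the first procedure says "logging in" where the second procedure says "signing in"; use one term.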
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 5e3c80f9c4..8e3da008da 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -25,14 +25,18 @@ Update Compliance has the following requirements:
2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
-Service | Endpoint
---- | ---
-Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com
settings-win.data.microsoft.com
-Windows Error Reporting | watson.telemetry.microsoft.com
-Online Crash Analysis | oca.telemetry.microsoft.com
+ Service | Endpoint
+ --- | ---
+ Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com
settings-win.data.microsoft.com
+ Windows Error Reporting | watson.telemetry.microsoft.com
+ Online Crash Analysis | oca.telemetry.microsoft.com
- 4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
+ 4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Troublehsoot Windows Defender Antivirus reporting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md) topic for help on ensuring the configuration is correct.
+
+ For endpoints running Windows 10, version 1607 or earlier, [Windows telemetry must also be set to **Enhanced**](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization#enhanced-level).
+
+ See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
## Add Update Compliance to Microsoft Operations Management Suite
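Review bot: The new link text in item 4 is misspelled "Troublehsoot"; it should be "Troubleshoot". The link target also ends in ".md" on a site-relative path (/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md), whereas the other site-relative links in this hunk, and the same target in update-compliance-using.md, have no extension. Drop the ".md" so the link resolves on the published site. The added Enhanced telemetry link is pinned to docs.microsoft.com/en-us, while the neighbouring telemetry link uses the site-relative /windows/configuration/ form; use the relative form for consistency.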
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 9daa1a5103..a49a7adb06 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -147,7 +147,10 @@ Devices are evaluated by OS Version (e.g., 1607) and the count of how many are C
You'll notice some new tiles in the Overview blade which provide a summary of Windows Defender AV-related issues, highlighted in the following screenshot.
-
+
+
+>[!IMPORTANT]
+>If your devices are not showing up in the Windows Defender AV assessment section, check the [Troublshoot Windows Defender Antivirus reporting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting) topic for help.
The **AV Signature** chart shows the number of devices that either have up-to-date [protection updates (also known as signatures or definitions)](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus), while the **Windows Defender AV Status** tile indicates the percentage of all assessed devices that are not updated and do not have real-time protection enabled. The Windows Defender Antivirus Assessment section provides more information that lets you investigate potential issues.
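Review bot: The link text in the added IMPORTANT note is misspelled "Troublshoot"; it should be "Troubleshoot". The note also follows an image line that is now empty in this view, so check that the screenshot reference the preceding sentence relies on ("highlighted in the following screenshot") is still present.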
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index 2b77126ecf..be0f75a719 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -21,7 +21,7 @@ ms.date: 07/27/2017
Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager.
-Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize the peer-to-peer functionality of Delivery Optimization, machines need to have access to the internet.
+Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This means that in order to utilize the peer-to-peer functionality of Delivery Optimization, machines need to have access to the internet.
For more details, see [Download mode](#download-mode).
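Review bot: While this sentence is being touched for "mean" to "means", the preceding sentence in the same paragraph still has a stray comma between subject and verb ("Having access to the Delivery Optimization cloud services, is a requirement"). Remove the comma in the same change.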
diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
index 29a27310e4..90fabf7307 100644
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md
+++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md
@@ -84,9 +84,9 @@ To enable data sharing, whitelist the following endpoints. Note that you may nee
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
-| `https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. |
-| `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. |
-| `https://go.microsoft.com/fwlink/?LinkID=544713`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. |
+| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for Windows 10 computers. User computers send data to Microsoft through this endpoint.
+| `https://Vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for operating systems older than Windows 10
+| `https://settings.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. |
Note: The compatibility update KB runs under the computer’s system account.
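Review bot: The first two added table rows are missing the closing pipe, and the second also lacks a final period, so the table may not render as three clean rows. The rows now list bare hosts where the removed rows listed specific paths (/collect/v1, /health/keepalive, /qos), which widens what an allowlist built from this table permits; state whether the whole host is required. The change also removes the driver-information endpoints (go.microsoft.com/fwlink and compatexchange1.trafficmanager.net) without explanation, and the unchanged note below still says "compatibility update KB" while the new row says "compatibility update".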
diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md
index 12589a4f94..7213b01b6c 100644
--- a/windows/deployment/usmt/usmt-common-issues.md
+++ b/windows/deployment/usmt/usmt-common-issues.md
@@ -229,7 +229,7 @@ There are three typical causes for this issue.
**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured.
-**Cause:** A code change in the Start Menu with Windows 10 version 1607 is incompatible with this USMT function.
+**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function.
**Resolution:** The following workaround is available:
@@ -245,6 +245,8 @@ There are three typical causes for this issue.
Import-StartLayout –LayoutPath "C:\Layout\user1.xml" –MountPath %systemdrive%
```
+This workaround changes the Default user's Start layout. The workaround does not scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout.
+
## Offline Migration Problems
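Review bot: The added paragraph has a grammar slip, "does not scale to a mass migrations", which should be "to mass migrations". It also uses "sign on" where the issue description in the previous hunk uses "signs in", and it needs a comma after "device" in "If other users will sign on to the device you should delete". Since the paragraph tells admins to delete layoutmodification.xml from the Default user profile, give the full path or name the folder so the cleanup step can be followed.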
diff --git a/windows/deployment/windows-10-auto-pilot.md b/windows/deployment/windows-10-auto-pilot.md
index 4bcaef04a8..7f6cdc5a1c 100644
--- a/windows/deployment/windows-10-auto-pilot.md
+++ b/windows/deployment/windows-10-auto-pilot.md
@@ -18,7 +18,7 @@ ms.date: 06/30/2017
- Windows 10
-Windows AutoPilot is a collection of technologies used to setup and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover devices.
+Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover devices.
This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.
## Benefits of Windows AutoPilot
diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md
index c767d18075..9f6b5c02a8 100644
--- a/windows/deployment/windows-10-enterprise-subscription-activation.md
+++ b/windows/deployment/windows-10-enterprise-subscription-activation.md
@@ -102,7 +102,7 @@ changepk.exe /ProductKey %ProductKey%
### Obtaining an Azure AD licence
Enterprise Agreement/Software Assurance (EA/SA):
-- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment).
+- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/en-us/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea).
- The license administrator can assign seats to Azure AD users with the same process that is used for O365.
- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
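Review bot: The link added to the first EA/SA bullet is an absolute docs.microsoft.com URL with the `en-us` locale baked in, although it points into the same `windows/deployment` tree as this file. A relative link to the `deploy-enterprise-licenses` topic with the same `#enabling-subscription-activation-with-an-existing-ea` anchor survives moves and localization better. The heading in the context above also spells "licence" while the bullets use "license".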
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
index 9f7bef9162..8b11311fb6 100644
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
+++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
@@ -36,6 +36,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- bginfo.exe[1]
- cdb.exe
- csi.exe
+- dbghost.exe
+- dbgsvc.exe
- dnx.exe
- fsi.exe
- fsiAnyCpu.exe
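Review bot: dbghost.exe and dbgsvc.exe are added to the recommended block list here, but a list entry on its own blocks nothing. Confirm that any sample code integrity policy in this file gains matching deny rules for both binaries in the same change, otherwise readers who copy the policy will not be blocking what the list says they should.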
@@ -106,11 +108,14 @@ Microsoft recommends that you block the following Microsoft-signed applications
-
+> [!div class="mx-tableFixed"]
+| Portal label | SIEM field name | ArcSight field | Example value | Description |
+|------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 1 | AlertTitle | name | A dll was unexpectedly loaded into a high integrity process without a UAC prompt | Value available for every alert. |
+| 2 | Severity | deviceSeverity | Medium | Value available for every alert. |
+| 3 | Category | deviceEventCategory | Privilege Escalation | Value available for every alert. |
+| 4 | Source | sourceServiceName | WindowsDefenderATP | Windows Defender Antivirus or Windows Defender ATP. Value available for every alert. |
+| 5 | MachineName | sourceHostName | liz-bean | Value available for every alert. |
+| 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. |
+| 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. |
+| 8 | UserDomain | sourceNtDomain | contoso | The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts. |
+| 9 | UserName | sourceUserName | liz-bean | The user context running the activity, available for Windows Defender ATP behavioral based alerts. |
+| 10 | Sha1 | fileHash | 5b4b3985339529be3151d331395f667e1d5b7f35 | Available for alerts associated with a file or process. |
+| 11 | Md5 | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb | Available for Windows Defender AV alerts. |
+| 12 | Sha256 | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5 | Available for Windows Defender AV alerts. |
+| 13 | ThreatName | eviceCustomString1 | Trojan:Win32/Skeeyah.A!bit | Available for Windows Defender AV alerts. |
+| 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
+| 15 | Url | requestUrl | down.esales360.cn | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
+| 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
+| 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
+| 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every alert. |
+| 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. |
+| 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert. |
+| 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. |
+| 22 | Actor | deviceCustomString4 | | Available for alerts related to a known actor group. |
+| 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. |
+| | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. |
+| | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
+| | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
+| Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved. |
+| | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
+| | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Windows Defender ATP'. |
+| | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.

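Review bot: Row 13 gives the ArcSight field as `eviceCustomString1`; going by the neighbouring `deviceCustomString4`, `deviceCustomString5` and `deviceCustomString6` rows it should be `deviceCustomString1`, and anyone building a SIEM mapping from this table will otherwise key on a misspelled field name. While converting the table, also close the last row (deviceVersion) with ` |`, give rows such as LogOnUsers and InternalIPv4List a portal label or say why they have none, and consider replacing the example values in rows 14 and 15 (`218.90.204.141`, `down.esales360.cn`) with documentation-reserved ones such as a 203.0.113.0/24 address and an example.com host.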
@@ -278,7 +77,7 @@ Field numbers match the numbers in the images below.

-
+

diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
index 8d28359a61..8a90f8cb96 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
@@ -33,6 +33,9 @@ Windows Defender ATP supports non-persistent VDI session onboarding. There might
You can onboard VDI machines using a single entry or multiple entries for each machine. The following steps will guide you through onboarding VDI machines and will highlight steps for single and multiple entries.
+>[!WARNING]
+> For environments where there are low resource configurations, the VDI boot proceedure might slow the Windows Defender ATP sensor onboarding.
+
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
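Review bot: The new warning misspells "proceedure" (procedure) and opens with `>[!WARNING]`, without the space after `>` that the `> [!NOTE]` blocks in these topics use. Slower onboarding is informational rather than hazardous, so `> [!NOTE]` fits better, and the text should tell the reader what to do about it, for example how long to wait before treating a VDI machine as not onboarded.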
diff --git a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
index 4200e50e85..f1ff28638b 100644
--- a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -29,14 +29,14 @@ ms.date: 09/05/2017
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints.
-For example, if endpoints are not appearing in the **Machines list** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
+For example, if endpoints are not appearing in the **Machines list**, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
> [!NOTE]
> It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
**Open Event Viewer and find the Windows Defender ATP service event log:**
-1. Click **Start**, type **Event Viewer**, and press **Enter**.
+1. Click **Start** on the Windows menu, type **Event Viewer**, and press **Enter**.
2. In the log list, under **Log Summary**, scroll until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to
open the log.
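Review bot: "Click **Start** on the Windows menu" in step 1 reads backwards, since Start is the menu; "On the taskbar, click **Start**" or the original wording is clearer. Step 2 in the context below is also split across two lines mid-sentence ("Double-click the item to" / "open the log."), which is worth joining while this list is being edited.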
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-region-control-panel.png b/windows/threat-protection/windows-defender-atp/images/atp-region-control-panel.png
new file mode 100644
index 0000000000..58d25e0f9d
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-region-control-panel.png differ
diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index f437a524b9..4581751734 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -93,18 +93,8 @@ Use the search bar to look for specific timeline events. Harness the power of us
- Behaviors mode: displays "detections" and selected events of interest
- Verbose mode: displays all raw events without aggregation or filtering
-- **Event type** - Click the drop-down button to filter by the following levels:
- - Windows Defender ATP alerts
- - Windows Defender AV alerts
- - Response actions
- - AppGuard related events
- - Windows Defender Device Guard events
- - Process events
- - Network events
- - File events
- - Registry events
- - Load DLL events
- - Other events
-
- Portal label
- SIEM field name
- ArcSight field
- Example value
- Description
-
-
-
- 1
- AlertTitle
- name
- A dll was unexpectedly loaded into a high integrity process without a UAC prompt
- Value available for every alert.
-
-
-
- 2
- Severity
- deviceSeverity
- Medium
- Value available for every alert.
-
-
-
- 3
- Category
- deviceEventCategory
- Privilege Escalation
- Value available for every alert.
-
-
-
- 4
- Source
- sourceServiceName
- WindowsDefenderATP
- Windows Defender Antivirus or Windows Defender ATP. Value available for every alert.
-
-
-
- 5
- MachineName
- sourceHostName
- liz-bean
- Value available for every alert.
-
-
-
- 6
- FileName
- fileName
- Robocopy.exe
- Available for alerts associated with a file or process.
-
-
-
- 7
- FilePath
- filePath
- C:\Windows\System32\Robocopy.exe
- Available for alerts associated with a file or process. \
-
-
-
- 8
- UserDomain
- sourceNtDomain
- contoso
- The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts.
-
-
-
- 9
- UserName
- sourceUserName
- liz-bean
- The user context running the activity, available for Windows Defender ATP behavioral based alerts.
-
-
-
- 10
- Sha1
- fileHash
- 5b4b3985339529be3151d331395f667e1d5b7f35
- Available for alerts associated with a file or process.
-
-
-
- 11
- Md5
- deviceCustomString5
- 55394b85cb5edddff551f6f3faa9d8eb
- Available for Windows Defender AV alerts.
-
-
-
- 12
- Sha256
- deviceCustomString6
- 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5
- Available for Windows Defender AV alerts.
-
-
-
- 13
- ThreatName
- eviceCustomString1
- Trojan:Win32/Skeeyah.A!bit
- Available for Windows Defender AV alerts.
-
-
-
- 14
- IpAddress
- sourceAddress
- 218.90.204.141
- Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.
-
-
-
- 15
- Url
- requestUrl
- down.esales360.cn
- Availabe for alerts associated to network events. For example, 'Communication to a malicious network destination'.
-
-
-
- 16
- RemediationIsSuccess
- deviceCustomNumber2
- TRUE
- Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.
-
-
-
- 17
- WasExecutingWhileDetected
- deviceCustomNumber1
- FALSE
- Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.
-
-
-
- 18
- AlertId
- externalId
- 636210704265059241_673569822
- Value available for every alert.
-
-
-
- 19
- LinkToWDATP
- flexString1
- `https://securitycenter.windows.com/alert/636210704265059241_673569822`
- Value available for every alert.
-
-
-
- 20
- AlertTime
- deviceReceiptTime
- 2017-05-07T01:56:59.3191352Z
- The time the activity relevant to the alert occurred. Value available for every alert.
-
-
-
- 21
- MachineDomain
- sourceDnsDomain
- contoso.com
- Domain name not relevant for AAD joined machines. Value available for every alert.
-
-
-
- 22
- Actor
- deviceCustomString4
-
- Available for alerts related to a known actor group.
-
-
-
- 21+5
- ComputerDnsName
- No mapping
- liz-bean.contoso.com
- The machine fully qualified domain name. Value available for every alert.
-
-
-
-
- LogOnUsers
- sourceUserId
- contoso\liz-bean; contoso\jay-hardee
- The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available.
-
-
-
- Internal field
- LastProcessedTimeUtc
- No mapping
- 2017-05-07T01:56:58.9936648Z
- Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved.
-
-
-
-
- Not part of the schema
- deviceVendor
-
- Static value in the ArcSight mapping - 'Microsoft'.
-
-
-
-
- Not part of the schema
- deviceProduct
-
- Static value in the ArcSight mapping - 'Windows Defender ATP'.
-
-
-
-
- Not part of the schema
- deviceVersion
-
- Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.
-
-
+- **Event type** - Click the drop-down button to filter by events such as Windows - Windows Defender ATP alerts, Windows Defender Application Guard events, registry events, file events, and others.
+
Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed.
- **User account** – Click the drop-down button to filter the machine timeline by the following user associated events:
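Review bot: The replacement **Event type** bullet has a stray "Windows - " ("events such as Windows - Windows Defender ATP alerts") and no longer names Process, Network, Response actions, Device Guard or Load DLL events, while the paragraph right after it still tells readers to filter on "Process events" and "network events". Either keep the explicit list or name those event types in the new sentence, so the filtering example that follows still matches the description of the control.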
diff --git a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index 4fa77ae8f4..ca3569887b 100644
--- a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -37,7 +37,7 @@ Use the Machines list in these main scenarios:
## Sort, filter, and download the list of machines from the Machines list
You can sort the **Machines list** by clicking on any column header to sort the view in ascending or descending order.
-Filter the **Machines list** by time period, **OS Platform**, **Health**, **Security state**, **Malware category alerts**, or **Groups** to focus on certain sets of machines, according to the desired criteria.
+Filter the **Machines list** by **Time**, **OS Platform**, **Health**, **Security state**, **Malware category alerts**, **Groups**, or **Tags** to focus on certain sets of machines, according to the desired criteria.
You can also download the entire list in CSV format using the **Export to CSV** feature.
@@ -60,25 +60,29 @@ You can use the following filters to limit the list of machines displayed during
- Mac OS
- Other
-**Health**
-- All
-- Well configure
-- Requires attention - Depending on the Windows Defender security controls configured in your enterprise, you'll see various available filters.
-
**Sensor health state**
Filter the list to view specific machines grouped together by the following machine health states:
- **Active** – Machines that are actively reporting sensor data to the service.
- **Misconfigured** – Machines that have impaired communications with service or are unable to send sensor data. Misconfigured machines can further be classified to:
- - Impaired communications
- No sensor data
+ - Impaired communications
For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
- **Inactive** – Machines that have completely stopped sending signals for more than 7 days.
-**Malware category**
+**Security state**
+Filter the list to view specific machines that are well configured or require attention based on the Windows Defender security controls that are enabled in your organization.
+
+
+- **Well configured** - Machines have the Windows Defender security controls well configured.
+- **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization.
+
+For more information, see [View the Security Analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md).
+
+**Malware category alerts**
Filter the list to view specific machines grouped together by the following malware categories:
- **Ransomware** – Ransomware use common methods to encrypt files using keys that are known only to attackers. As a result, victims are unable to access the contents of the encrypted files. Most ransomware display or drop a ransom note—an image or an HTML file that contains information about how to obtain the attacker-supplied decryption tool for a fee.
- **Credential theft** – Spying tools, whether commercially available or solely used for unauthorized purposes, include general purpose spyware, monitoring software, hacking programs, and password stealers.
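Review bot: The new **Security state** block never says which Windows Defender security controls count toward "well configured", so the filter is hard to act on without following the Security Analytics link; a sentence naming the controls would help, and the two consecutive blank lines before the bullets should be one. The context link to `fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md` spells "unhealthy" wrong in the file name, so verify that it resolves while this section is being touched.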
@@ -88,6 +92,8 @@ Filter the list to view specific machines grouped together by the following malw
- **General malware** – Malware are malicious programs that perform unwanted actions, including actions that can disrupt, cause direct damage, and facilitate intrusion and data theft. Some malware can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyberattacks.
- **PUA** – Unwanted software is a category of applications that install and perform undesirable activity without adequate user consent. These applications are not necessarily malicious, but their behaviors often negatively impact the computing experience, even appearing to invade user privacy. Many of these applications display advertising, modify browser settings, and install bundled software.
+## Groups and tags
+You can filter the list based on the grouping and tagging that you've added to individual machines. For more information, see [Manage machine group and tags](respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags).
## Export machine list to CSV
You can download a full list of all the machines in your organization, in CSV format. Click the **Export to CSV** button to download the entire list as a CSV file.
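Review bot: "Groups and tags" is added as a `##` heading, whereas the other filters in this section (**Sensor health state**, **Security state**, **Malware category alerts**) are bold labels, so it drops out of the filter list and becomes a sibling of "Export machine list to CSV". Make it a bold label like the others and leave a blank line before `## Export machine list to CSV`. The link text says "machine group and tags" while the heading says "Groups and tags"; pick one form.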
@@ -99,13 +105,11 @@ Exporting the list in CSV format displays the data in an unfiltered manner. The
You can sort the **Machines list** by the following columns:
- **Machine name** - Name or GUID of the machine
-- **Domain** - Domain where the machine is joined in
-- **OS Platform** - Indicates the OS of the machine
- **Health State** – Indicates if the machine is misconfigured or is not sending sensor data
- **Last seen** - Date and time when the machine last reported sensor data
- **Internal IP** - Local internal Internet Protocol (IP) address of the machine
- **Active Alerts** - Number of alerts reported by the machine by severity
-- **Active malware detections** - Number of active malware detections reported by the machine
+- **Active malware alerts** - Number of active malware detections reported by the machine
> [!NOTE]
> The **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) as the active real-time protection antimalware product.
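Review bot: The column is renamed to **Active malware alerts**, but its own description still says "Number of active malware detections" and the NOTE directly below still refers to the **Active malware detections** filter column. Update both so the name is consistent. The hunk also drops **Domain** and **OS Platform** from the sortable columns without explanation; confirm that matches the portal.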
diff --git a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
index 9e98297388..5d510f2eb6 100644
--- a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
@@ -30,7 +30,7 @@ Enterprise security teams can use the Windows Defender ATP portal to monitor and
You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to:
- View, sort, and triage alerts from your endpoints
- Search for more information on observed indicators such as files and IP Addresses
-- Change Windows Defender ATP settings, including time zone and licensing information.
+- Change Windows Defender ATP settings, including time zone and review licensing information.
## Windows Defender ATP portal
When you open the portal, you’ll see the main areas of the application:
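Review bot: The edited bullet "Change Windows Defender ATP settings, including time zone and review licensing information." is no longer parallel, because "including" now governs both a noun and a verb. Suggest "Change Windows Defender ATP settings, such as the time zone, and review licensing information."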
@@ -54,7 +54,7 @@ Area | Description
**Alerts queue** | Enables you to view separate queues of new, in progress, resolved alerts, alerts assigned to you, and suppression rules.
**Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
-**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features.
+**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, enable or turn off advanced features, and build Power BI reports.
**Endpoint management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding.
(3) Main portal| Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
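Review bot: "build Power BI reports" is appended to the **Preferences setup** row as though it were a preference, after a list of settings the user toggles; say what the page actually offers there (for example, the entry point for creating Power BI reports) so the row still describes settings. The **Service health** row in the context above reads "Window Defender ATP" and can be corrected in the same pass.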
diff --git a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
index aed38dc020..67b2520eea 100644
--- a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Check the Windows Defender ATP service health
description: Check Windows Defender ATP service health, see if the service is experiencing issues and review previous issues that have been resolved.
-keywords: dashboard, service, issues, service health, current issues, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time
+keywords: dashboard, service, issues, service health, current status, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -33,11 +33,11 @@ You can view details on the service health by clicking the tile from the **Secur
The **Service health** details page has the following tabs:
-- **Current issues**
+- **Current status**
- **Status history**
-## Current issues
-The **Current issues** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue:
+## Current status
+The **Current status** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue:
- Date and time for when the issue was detected
- A short description of the issue
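Review bot: Renaming the heading from "## Current issues" to "## Current status" changes the generated anchor, so any link to `#current-issues` from other topics will break; search the repository for it as part of this change. The sentence under the new heading still reads "a healthy service health is shown", which could be tightened to "the service is shown as healthy".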
diff --git a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
index 0d217af685..aee67ec43e 100644
--- a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Windows Defender Advanced Threat Protection settings
-description: Use the menu to configure the time zone, suppression rules, and view license information.
-keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license, suppression rules
+description: Use the menu to configure the time zone and view license information.
+keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -25,7 +25,7 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
-Use the **Settings** menu  to configure the time zone, suppression rules, and view license information.
+Use the **Settings** menu  to configure the time zone and view license information.
## Time zone settings
The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks.
@@ -39,7 +39,7 @@ Your current time zone setting is shown in the Windows Defender ATP menu. You ca
### UTC time zone
Windows Defender ATP uses UTC time by default.
-Setting the Windows Defender ATP time zone to UTC will display all system timestamps (alerts, events, and others) in UTC for all users. Choosing this setting means that all users will see the same timestamps in Windows Defender ATP, regardless of their regional settings. This can help security analysts working in different locations across the globe to use the same time stamps while investigating events.
+Setting the Windows Defender ATP time zone to UTC will display all system timestamps (alerts, events, and others) in UTC for all users. This can help security analysts working in different locations across the globe to use the same time stamps while investigating events.
### Local time zone
You can choose to have Windows Defender ATP use local time zone settings. All alerts and events will be displayed using your local time zone.
@@ -55,10 +55,36 @@ To set the time zone:
1. Click the **Settings** menu .
2. Select the **Timezone UTC** indicator.
-3. Select **Timezone Local** or **-8:00**.
+3. Select **Timezone UTC** or your local time zone, for example -7:00.
-## Suppression rules
-The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. For more information see, [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).
+### Regional settings
+To apply different date formats for Windows Defender ATP, use regional settings for IE and Edge. If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser.
+
+
+**Internet Explorer (IE) and Microsoft Edge (Edge)**
+
+IE and Edge use the **Region** settings configured in the **Clocks, Language, and Region** option in the Control panel.
+
+
+#### Known issues with regional formats
+
+**Date and time formats**
+There are some known issues with the time and date formats.
+
+The following date formats are supported:
+- MM/dd/yyyy
+- dd/MM/yyyy
+
+The following date and time formats are currently not supported:
+- Date format yyyy-MM-dd
+- Date format dd-MMM-yy
+- Date format dd/MM/yy
+- Date format MM/dd/yy
+- Date format with yy. Will only show yyyy.
+- Time format HH:mm:ss is not supported (the 12 hour AM/PM format is not supported). Only the 24-hour format is supported.
+
+**Decimal symbol used in numbers**
+Decimal symbol used is always a dot, even if a comma is selected in the **Numbers** format settings in **Region** settings. For example, 15,5K is displayed as 15.5K.
## License
Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP.
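Review bot: The last item in the unsupported list contradicts itself: `HH:mm:ss` is the 24-hour pattern in Windows format strings (the 12-hour pattern is `hh:mm:ss tt`), yet the line says it is not supported and then says only the 24-hour format is supported. Name the 12-hour pattern as the unsupported one. The "Date format with yy" item overlaps the dd/MM/yy and MM/dd/yy items above it. Because both MM/dd/yyyy and dd/MM/yyyy are supported while yyyy-MM-dd is not, it is worth stating that analysts with different regional settings can read the same alert date differently (05/07/2017, for instance) and should agree on one format during an investigation. The removed Suppression rules section was also the only pointer on this page to the Suppress alerts topic; check inbound links to `#suppression-rules`.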
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
index 00ddbd8987..de337b11fd 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -50,6 +50,24 @@ If onboarding endpoints successfully completes but Windows Defender ATP does not
For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy).
+#### Known issues with regional formats
+
+**Date and time formats**
+There are some known issues with the time and date formats.
+
+The following date formats are supported:
+- MM/dd/yyyy
+- dd/MM/yyyy
+
+The following date and time formats are currently not supported:
+- Date format yyyy/MM/dd
+- Date format dd/MM/yy
+- Date format with yy. Will only show yyyy.
+- Time format HH:mm:ss is not supported (the 12 hour AM/PM format is not supported). Only the 24-hour format is supported.
+
+**Use of comma to indicate thousand**
+Support of use of comma as a separator in numbers are not supported. Regions where a number is separated with a comma to indicate a thousand, will only see the use of a dot as a separator. For example, 15,5K is displayed as 15.5K.
+
### Related topic
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
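Review bot: The "Use of comma to indicate thousand" paragraph describes a thousands separator, but its example, 15,5K displayed as 15.5K, shows a decimal comma; decide which of the two the portal ignores and make the heading, the sentence and the example agree. "Support of use of comma as a separator in numbers are not supported" should be reduced to one plain statement such as "Using a comma as the decimal symbol is not supported." This list also disagrees with the copy added under "Regional settings" earlier in the patch, which lists `yyyy-MM-dd`, `dd-MMM-yy` and `MM/dd/yy` and titles the last item "Decimal symbol used in numbers", while this one lists `yyyy/MM/dd`; keep a single list and link to it, or make the two identical. The time-format bullet here carries the same `HH:mm:ss` versus 24-hour contradiction.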
diff --git a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index 4f308f2bea..e208f89717 100644
--- a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -101,7 +101,7 @@ Topic | Description
[Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) | Understand the security status of your organization, including the status of machines, alerts, and investigations using the Windows Defender ATP reporting feature that integrates with Power BI.
[Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) | Check the sensor health state on endpoints to verify that they are providing sensor data and communicating with the Windows Defender ATP service.
[Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Use the Preferences setup menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
-[Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) | Configure time zone settings, suppression rules, and view license information.
+[Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) | Configure time zone settings and view license information.
[Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md) | Verify that the service health is running properly or if there are current issues.
[Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
[Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
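Review bot: The new description on the "Windows Defender ATP settings" row drops "suppression rules" but does not mention the "Regional settings" section that this patch adds just ahead of "## License". If that section lives in settings-windows-defender-advanced-threat-protection.md, the row should say so, for example "Configure time zone and regional settings, and view license information."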
diff --git a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index 00470f7842..804c2d9152 100644
--- a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -1,6 +1,6 @@
---
title: Windows Defender Security Center
-description: The Windows Defender Security Center brings together common Windows security features into one place
+description: The Windows Defender Security Center app brings together common Windows security features into one place
keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -22,17 +22,17 @@ ms.date: 08/25/2017
**Applies to**
-- Windows 10, version 1703
+- Windows 10, version 1709
-In Windows 10, version 1703 we introduced the new Windows Defender Security Center, which brings together common Windows security features into one, easy-to-use app.
+In Windows 10, version 1703 we introduced the new Windows Defender Security Center app, which brings together common Windows security features into one easy-to-use app.
-
+
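Review bot: The "Applies to" entry replaces version 1703 with 1709, yet the next changed line still says the app was introduced in Windows 10, version 1703. If the topic still applies to 1703 devices, list both versions under "Applies to" rather than swapping one for the other, so readers on 1703 are not told the page is out of scope for them.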
@@ -41,60 +41,71 @@ Many settings that were previously part of the individual features and main Wind
The app includes the settings and status for the following security features:
-- Virus & threat protection, including settings for Windows Defender Antivirus
+- Virus & threat protection, including settings for Windows Defender Antivirus and Controlled folder access
- Device performance & health, which includes information about drivers, storage space, and general Windows Update issues
- Firewall & network protection, including Windows Firewall
-- App & browser control, covering Windows Defender SmartScreen settings
+- App & browser control, covering Windows Defender SmartScreen settings and Exploit protection mitigations
- Family options, which include a number of parental controls along with tips and information for keeping kids safe online
-The Windows Defender Security Center uses the [Windows Security Center service](https://technet.microsoft.com/en-us/library/bb457154.aspx#EDAA) to provide the status and information on 3rd party antivirus and firewall products that are installed on the device.
+The Windows Defender Security Center app uses the [Security Center service](https://technet.microsoft.com/en-us/library/bb457154.aspx#EDAA) to provide the status and information on third-party antivirus and firewall products that are installed on the device.
-> [!IMPORTANT]
-> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a 3rd party antivirus or firewall product is installed and kept up to date.
+
+>[!IMPORTANT]
+>Windows Defender AV and the Windows Defender Security Center app use similarly named services for specific purposes.
+>
+>The Windows Defender Security Center app uses the Windows Defender Security Center Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/en-us/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Firewall, and other security protection.
+>
+>These services do not affect the state of Windows Defender AV. Disabling or modifying these services will not disable Windows Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product.
+>
+>Windows Defender AV will be [disabled automatically when a third-party antivirus product is installed and kept up to date](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+>
+>Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security).
> [!WARNING]
-> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
->It may also prevent Windows Defender AV from enabling itself if you have an old or outdated 3rd party antivirus, or if you uninstall any 3rd party antivirus products you may have previously installed.
->This will significantly lower the protection of your device and could lead to malware infection.
+> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
+>
+>It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
+>
+>This will significantly lower the protection of your device and could lead to malware infection.
-## Open the Windows Defender Security Center
+
+
+## Open the Windows Defender Security Center app
- Right-click the icon in the notification area on the taskbar and click **Open**.
- 
+ 
- Search the Start menu for **Windows Defender Security Center**.
- 
+ 
> [!NOTE]
> Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Defender Security Center. Review the settings for each feature in its appropriate library. Links for both home user and enterprise or commercial audiences are listed below.
-## How the Windows Defender Security Center works with Windows security features
+## How the Windows Defender Security Center app works with Windows security features
-
-
-The Windows Defender Security Center operates as a separate app or process from each of the individual features, and will display notifications through the Action Center.
+The Windows Defender Security Center app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center.
It acts as a collector or single place to see the status and perform some configuration for each of the features.
-Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Defender Security Center. The Windows Defender Security Center itself will still run and show status for the other security features.
+Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Defender Security Center app. The Windows Defender Security Center app itself will still run and show status for the other security features.
> [!IMPORTANT]
-> Individually disabling any of the services will not disable the other services or the Windows Defender Security Center itself.
+> Individually disabling any of the services will not disable the other services or the Windows Defender Security Center app.
-For example, [using a 3rd party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus). However, the Windows Defender Security Center will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Firewall.
+For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus). However, the Windows Defender Security Center app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Firewall.
-The presence of the 3rd party antivirus will be indicated under the **Virus & threat protection** section in the Windows Defender Security Center.
+The presence of the third-party antivirus will be indicated under the **Virus & threat protection** section in the Windows Defender Security Center app.
## More information
-See the following links for more information on the features in the Windows Defender Security Center:
+See the following links for more information on the features in the Windows Defender Security Center app:
- Windows Defender Antivirus
- IT administrators and IT pros can get configuration guidance from the [Windows Defender Antivirus in the Windows Defender Security Center topic](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) and the [Windows Defender Antivirus documentation library](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
- Home users can learn more at the [Virus & threat protection in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012987/windows-10-virus-threat-protection-windows-defender-security-center)
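Review bot: In the new [!IMPORTANT] block, "Windows Security Health Servce" is misspelled and should read "Service". The block's closing sentence, "Disabling the Windows Security Center service will not disable Windows Defender AV or Windows Firewall", repeats what the paragraph beginning "These services do not affect the state of Windows Defender AV" already says, and it keeps the old service name that the rest of this change shortens to "Security Center service"; fold the Windows Firewall mention into the earlier paragraph and drop the repeat. In that same paragraph, "will not disable Windows Defender AV, and will lead to a lowered protection state" reads better with "but" than "and". The unchanged [!NOTE] about management tools still says "the settings in the Windows Defender Security Center" without "app", which is now inconsistent with every other reference in the topic.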