diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md
index fd4eac6e4d..bf899e6c8e 100644
--- a/windows/client-management/mdm/supl-ddf-file.md
+++ b/windows/client-management/mdm/supl-ddf-file.md
@@ -23,7 +23,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
The XML below is for Windows 10, version 1809.
-``` syntax
+```xml
Supported operations are Get and Add.
Sample syncml:
-
+
+```
./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d
-
+```
**ApprovedUpdates/*Approved Update Guid*/ApprovedTime**
Specifies the time the update gets approved.
@@ -166,7 +167,7 @@ If the conditions are not true, the device will not Roll Back the Latest Quality
**Rollback/FeatureUpdate**
Added in Windows 10, version 1803. Roll Back Latest Feature Update, if the machine meets the following conditions:
-- Condition 1: Device must be Windows Update for Business Connnected
+- Condition 1: Device must be Windows Update for Business Connected
- Condition 2: Device must be in Paused State
- Condition 3: Device must have the Latest Feature Update Installed on the device (Current State)
- Condition 4: Machine should be within the uninstall period
diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md
index ea12784169..731adeeb60 100644
--- a/windows/client-management/mdm/update-ddf-file.md
+++ b/windows/client-management/mdm/update-ddf-file.md
@@ -20,7 +20,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
The XML below is for Windows 10, version 1803.
-``` syntax
+```xml
Roll Back Latest Feature Update, if the machine meets the following conditions:
- Condition 1: Device must be WUfB Connnected
+ Condition 1: Device must be WUfB Connected
Condition 2: Device must be in Paused State
Condition 3: Device must have the Latest Feature Update Installed on the device (Current State)
Condition 4: Machine should be within the uninstall period
@@ -615,7 +615,7 @@ The XML below is for Windows 10, version 1803.
- Returns the result of last RollBack QualityUpdate opearation.
+ Returns the result of last RollBack QualityUpdate operation.
@@ -637,7 +637,7 @@ The XML below is for Windows 10, version 1803.
- Returns the result of last RollBack FeatureUpdate opearation.
+ Returns the result of last RollBack FeatureUpdate operation.
diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md
index 3e277d92c5..b3e8aef28c 100644
--- a/windows/client-management/mdm/vpn-ddf-file.md
+++ b/windows/client-management/mdm/vpn-ddf-file.md
@@ -17,7 +17,7 @@ ms.date: 06/26/2017
This topic shows the OMA DM device description framework (DDF) for the **VPN** configuration service provider. DDF files are used only with OMA DM provisioning XML.
-``` syntax
+```xml
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index 8b233ba1e3..7db7e01ffb 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -25,7 +25,7 @@ Programming considerations:
- Because the Windows 10 Mobile emulator does not support Wi-Fi, you cannot test the Wi-Fi configuration with an emulator. You can still provision a Wi-Fi network using the WiFi CSP, then check it in the Wi-Fi settings page, but you cannot test the network connectivity in the emulator.
- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it is stored on the device.
- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping are not supported.
-- The *name\_goes\_here* must match *name\_goes\_here*.
+- The \*name\_goes\_here*\\ must match \\ *name\_goes\_here*\\.
- For the WiFi CSP, you cannot use the Replace command unless the node already exists.
- Using Proxyis only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) will result in failure.
@@ -43,10 +43,10 @@ Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is
Supported operation is Get.
-****
+**\**
Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. The SSID is added when the WlanXML node is added. When the SSID node is deleted, then all the subnodes are also deleted.
-SSID is the name of network you are connecting to, while Profile name is the name of the Profile which contains the WiFi settings information. If the Profile name is not set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, ./Vendor/MSFT/WiFi/Profile/<*MUST BE NAME OF PROFILE AS PER WIFI XML*>/WlanXml.
+SSID is the name of network you are connecting to, while Profile name is the name of the Profile which contains the WiFi settings information. If the Profile name is not set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, \./Vendor/MSFT/WiFi/Profile/<*MUST BE NAME OF PROFILE AS PER WIFI XML*>/WlanXml\.
The supported operations are Add, Get, Delete, and Replace.
diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md
index dffd9c60c8..2c51e50a62 100644
--- a/windows/client-management/mdm/wifi-ddf-file.md
+++ b/windows/client-management/mdm/wifi-ddf-file.md
@@ -21,7 +21,7 @@ This topic shows the OMA DM device description framework (DDF) for the **WiFi**
The XML below is for Windows 10, version 1809.
-``` syntax
+```xml
Copy *.* D:\BootBackup
Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL
```
- For example: if we assign the ,System Drive> (WinRE drive) the letter R and the is the letter D, this command would be the following:
+ For example: if we assign the `` (WinRE drive) the letter R and the `` is the letter D, this command would be the following:
```cmd
Bcdboot D:\windows /s R: /f ALL
diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
index 7022b0feb4..2d7183fc7b 100644
--- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md
+++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
@@ -156,7 +156,7 @@ Netsh trace stop
Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md) or Message Analyzer and filter the trace for
-- Ipv4.address== and ipv4.address== and tcp.port==135 or just tcp.port==135 should help.
+- `Ipv4.address==` and `ipv4.address==` and `tcp.port==135` or just `tcp.port==135` should help.
- Look for the “EPM” Protocol Under the “Protocol” column.
@@ -166,7 +166,7 @@ Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md)
- Check if we are connecting successfully to this Dynamic port successfully.
-- The filter should be something like this: tcp.port== and ipv4.address==
+- The filter should be something like this: `tcp.port==` and `ipv4.address==`
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 53cd1f9039..2fd51caeeb 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -45,10 +45,8 @@ You can deploy the resulting .xml file to devices using one of the following met
- [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-
## Customize the Start screen on your test computer
-
To prepare a Start layout for export, you simply customize the Start layout on a test computer.
**To prepare a test computer**
@@ -57,7 +55,6 @@ To prepare a Start layout for export, you simply customize the Start layout on a
2. Create a new user account that you will use to customize the Start layout.
-
**To customize Start**
1. Sign in to your test computer with the user account that you created.
@@ -81,10 +78,8 @@ To prepare a Start layout for export, you simply customize the Start layout on a
>
>In earlier versions of Windows 10, no tile would be pinned.
-
## Export the Start layout
-
When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file. Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\
>[!IMPORTANT]
@@ -176,9 +171,9 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed
**To configure a partial Start screen layout**
-1. [Customize the Start layout](#bmk-customize-start).
+1. [Customize the Start layout](#customize-the-start-screen-on-your-test-computer).
-2. [Export the Start layout](#bmk-exportstartscreenlayout).
+2. [Export the Start layout](#export-the-start-layout).
3. Open the layout .xml file. There is a `` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows:
``` syntax
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index f01c3b9f44..bda947c233 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -30,7 +30,7 @@ In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can us
>[!NOTE]
>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
-**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions.
+**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions (also works for taskbar customization).
>[!WARNING]
>When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index e2e249e9d1..1ca640e263 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -31,11 +31,9 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
- "uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "jdecker",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index 5d0f225bd4..327042ee5c 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -94,7 +94,7 @@ You can use XML and a [custom OMA-URI setting](#custom-oma-uri-setting) to confi
The following XML sample works for **Shell Launcher v1**:
-```
+```xml
@@ -112,7 +112,7 @@ The following XML sample works for **Shell Launcher v1**:
For **Shell Launcher v2**, you can use UWP app type for `Shell` by specifying the v2 namespace, and use `v2:AppType` to specify the type, as shown in the following example. If `v2:AppType` is not specified, it implies the shell is Win32 app.
-```
+```xml
@@ -150,7 +150,7 @@ For scripts for Shell Launcher v2, see [Shell Launcher v2 Bridge WMI sample scri
For Shell Launcher v1, modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
-```
+```powershell
# Check if shell launcher license is enabled
function Check-ShellLauncherLicenseEnabled
{
@@ -293,7 +293,7 @@ Value|Description
2|Shut down the device
3|Do nothing
-These action can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to see how these codes with Shell Launcher WMI.
+These action can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](https://docs.microsoft.com/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to see how these codes with Shell Launcher WMI.
To configure these action with Shell Launcher CSP, use below syntax in the shell launcher configuration xml. You can specify at most 4 custom actions mapping to 4 exit codes, and one default action for all other exit codes. When app exits and if the exit code is not found in the custom action mapping, or there is no default action defined, it will be no-op, i.e. nothing happens. So it's recommeded to at least define DefaultAction. [Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2)
``` xml
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index 89c720dbc9..fec62e33fd 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -31,7 +31,7 @@ A single-app kiosk uses the Assigned Access feature to run a single app above th
>[!IMPORTANT]
>[User account control (UAC)](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode.
>
->Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
+>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. Apps that run in kiosk mode cannot use copy and paste.
You have several options for configuring your single-app kiosk.
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index bc31032e3e..a8d16003c6 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -18,16 +18,13 @@ ms.topic: article
# Set up a multi-app kiosk
-
**Applies to**
-- Windows 10 Pro, Enterprise, and Education
+- Windows 10 Pro, Enterprise, and Education
+A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access.
-A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access.
-
-The following table lists changes to multi-app kiosk in recent updates.
-
+The following table lists changes to multi-app kiosk in recent updates.
| New features and improvements | In update |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -39,21 +36,21 @@ The following table lists changes to multi-app kiosk in recent updates.
You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
-
>[!TIP]
>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
-## Configure a kiosk in Microsoft Intune
+## Configure a kiosk in Microsoft Intune
To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/kiosk-settings). For explanations of the specific settings, see [Windows 10 and later device settings to run as a kiosk in Intune](https://docs.microsoft.com/intune/kiosk-settings-windows).
-
+
## Configure a kiosk using a provisioning package
Process:
+
1. [Create XML file](#create-xml-file)
2. [Add XML file to provisioning package](#add-xml)
3. [Apply provisioning package to device](#apply-ppkg)
@@ -70,19 +67,19 @@ If you don't want to use a provisioning package, you can deploy the configuratio
- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later
>[!NOTE]
->For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
+>For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
### Create XML file
-Let's start by looking at the basic structure of the XML file.
+Let's start by looking at the basic structure of the XML file.
-- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout.
+- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout.
-- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**.
+- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**.
- Multiple config sections can be associated to the same profile.
-- A profile has no effect if it’s not associated to a config section.
+- A profile has no effect if it’s not associated to a config section.
@@ -90,7 +87,7 @@ You can start your file by pasting the following XML (or any other examples in t
```xml
-
@@ -98,7 +95,7 @@ You can start your file by pasting the following XML (or any other examples in t
-
+
@@ -119,11 +116,11 @@ There are two types of profiles that you can specify in the XML:
- **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen.
- **Kiosk profile**: New in Windows 10, version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode.
-A lockdown profile section in the XML has the following entries:
+A lockdown profile section in the XML has the following entries:
-- [**Id**](#id)
+- [**Id**](#id)
-- [**AllowedApps**](#allowedapps)
+- [**AllowedApps**](#allowedapps)
- [**FileExplorerNamespaceRestrictions**](#fileexplorernamespacerestrictions)
@@ -133,15 +130,13 @@ A lockdown profile section in the XML has the following entries:
A kiosk profile in the XML has the following entries:
-- [**Id**](#id)
+- [**Id**](#id)
- [**KioskModeApp**](#kioskmodeapp)
-
-
##### Id
-The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.
+The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.
```xml
@@ -151,30 +146,28 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can
##### AllowedApps
-**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in.
+**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in.
-
-
-- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout).
+- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout).
- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
-- If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both "C:\Program Files\internet explorer\iexplore.exe" and “C:\Program Files (x86)\Internet Explorer\iexplore.exe”.
+- If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both "C:\Program Files\internet explorer\iexplore.exe" and “C:\Program Files (x86)\Internet Explorer\iexplore.exe”.
- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
-When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:
+When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:
-1. Default rule is to allow all users to launch the signed package apps.
-2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list.
+1. Default rule is to allow all users to launch the signed package apps.
+2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list.
>[!NOTE]
>You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration.
>
- >Multi-app kiosk mode doesn’t block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list.
+ >Multi-app kiosk mode doesn’t block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list.
Here are the predefined assigned access AppLocker rules for **desktop apps**:
-1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
-2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration.
-3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list.
+1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
+2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration.
+3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list.
The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in.
@@ -194,10 +187,13 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula
##### FileExplorerNamespaceRestrictions
-Starting in Windows 10, version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported.
+Starting in Windows 10, version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This can also be set using Microsoft Intune.
The following example shows how to allow user access to the Downloads folder in the common file dialog box.
+>[!TIP]
+> To grant access to the Downloads folder through File Explorer, add "Explorer.exe" to the list of allowed apps, and pin a file explorer shortcut to the kiosk start menu.
+
```xml
-
+
```
##### StartLayout
-After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen.
+After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen.
The easiest way to create a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md).
A few things to note here:
-- The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration.
-- Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout.
+- The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration.
+- Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout.
- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the `` tag in a layout modification XML as part of the assigned access configuration.
-- The following example uses DesktopApplicationLinkPath to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files).
+- The following example uses DesktopApplicationLinkPath to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files).
This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start.
@@ -264,14 +260,13 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint,
```
>[!NOTE]
->If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen.
-
+>If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen.
##### Taskbar
-Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
+Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
The following example exposes the taskbar to the end user:
@@ -286,9 +281,9 @@ The following example hides the taskbar:
```
>[!NOTE]
->This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
+>This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
-##### KioskModeApp
+##### KioskModeApp
**KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML.
@@ -299,27 +294,25 @@ The following example hides the taskbar:
>[!IMPORTANT]
>The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Directory account could potentially compromise confidential information.
-
#### Configs
-Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience.
+Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience.
-The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in.
+The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in.
You can assign:
- [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only)
- [An individual account, which can be local, domain, or Azure Active Directory (Azure AD)](#config-for-individual-accounts)
-- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version 1803 only)
+- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
>[!NOTE]
->Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
+>Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
##### Config for AutoLogon Account
When you use `` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart.
-
The following example shows how to specify an account to sign in automatically.
```xml
@@ -328,7 +321,7 @@ The following example shows how to specify an account to sign in automatically.
-
+
```
In Windows 10, version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World".
@@ -344,13 +337,12 @@ In Windows 10, version 1809, you can configure the display name that will be sho
On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).)
-
>[!IMPORTANT]
>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows).
##### Config for individual accounts
-Individual accounts are specified using ``.
+Individual accounts are specified using ``.
- Local account can be entered as `machinename\account` or `.\account` or just `account`.
- Domain account should be entered as `domain\account`.
@@ -359,58 +351,56 @@ Individual accounts are specified using ``.
>[!WARNING]
>Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
-
Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
>[!NOTE]
>For both domain and Azure AD accounts, it’s not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
-
```xml
MultiAppKioskUser
-
+
```
-
-
##### Config for group accounts
-Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience.
+Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience.
- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group will not have the kiosk settings applied.
```xml
-
-
-
-
+
+
+
+
```
+
- Domain group: Both security and distribution groups are supported. Specify the group type as ActiveDirectoryGroup. Use the domain name as the prefix in the name attribute.
```xml
-
-
-
-
+
+
+
+
```
- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign in.
```xml
-
-
-
-
+
+
+
+
```
>[!NOTE]
- >If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
+ >If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
+
### Add XML file to provisioning package
Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](kiosk-xml.md#xsd-for-assignedaccess-configuration-xml).
@@ -436,7 +426,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
-8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
+8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
9. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**.
@@ -448,9 +438,9 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
13. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
14. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
@@ -466,12 +456,13 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
18. Copy the provisioning package to the root directory of a USB drive.
+
### Apply provisioning package to device
Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
@@ -501,46 +492,28 @@ Provisioning packages can be applied to a device during the first-run experience
-
-
#### After setup, from a USB drive, network folder, or SharePoint site
1. Sign in with an admin account.
2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.
>[!NOTE]
->if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.
+>if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.
-
-
-
-### Use MDM to deploy the multi-app configuration
+### Use MDM to deploy the multi-app configuration
+Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML.
-Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML.
-
-If your device is enrolled with a MDM server which supports applying the assigned access configuration, you can use it to apply the setting remotely.
+If your device is enrolled with a MDM server which supports applying the assigned access configuration, you can use it to apply the setting remotely.
The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`.
-
-
-
-
-
-
-
-
-
-
-
## Considerations for Windows Mixed Reality immersive headsets
-
-With the advent of [mixed reality devices (video link)](https://www.youtube.com/watch?v=u0jqNioU2Lo), you might want to create a kiosk that can run mixed reality apps.
+With the advent of [mixed reality devices (video link)](https://www.youtube.com/watch?v=u0jqNioU2Lo), you might want to create a kiosk that can run mixed reality apps.
To create a multi-app kiosk that can run mixed reality apps, you must include the following apps in the [AllowedApps list](#allowedapps):
@@ -558,14 +531,12 @@ After the admin has completed setup, the kiosk account can sign in and repeat th
There is a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](https://developer.microsoft.com/windows/mixed-reality/navigating_the_windows_mixed_reality_home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they will see only a blank display in the device, and will not have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen.
-
## Policies set by multi-app kiosk configuration
It is not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience.
When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device.
-
### Group Policy
The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users.
@@ -602,11 +573,8 @@ Prevent access to drives from My Computer | Enabled - Restrict all drivers
>[!NOTE]
>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
-
-
### MDM policy
-
Some of the MDM policies based on the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide).
Setting | Value | System-wide
@@ -630,13 +598,14 @@ Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No
[WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes
+
## Provision .lnk files using Windows Configuration Designer
First, create your desktop app's shortcut file by installing the app on a test device, using the default installation location. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `.lnk`
-Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install.
+Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install.
-```
+```PowerShell
msiexec /I ".msi" /qn /norestart
copy .lnk "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\.lnk"
```
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
index cbfd69c344..a906cf7e68 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
@@ -91,7 +91,7 @@ Universal apps that you can distribute in the provisioning package can be line-o
6. In the **Available customizations** pane, click the **LicenseProductId** that you just added.
-7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed **.**ms-windows-store-license**, and select the license file.
+7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed *\*.**ms-windows-store-license**, and select the license file.
[Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps)
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index 0529a3a1fb..b6d2e80dc0 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -27,7 +27,7 @@ In Windows 10, version 1703, you can install multiple Universal Windows Platform
When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv).
>[!IMPORTANT]
->If you plan to use Intune to manage your devices, we recommend using Intune to install Office 365 ProPlus 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Desktop Cilent, and Visio Pro for Office 365 ProPlus). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Office 365 ProPlus 2016 apps using Microsoft Intune.](https://docs.microsoft.com/intune/apps-add-office365)
+>If you plan to use Intune to manage your devices, we recommend using Intune to install Office 365 ProPlus 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Desktop Client, and Visio Pro for Office 365 ProPlus). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Office 365 ProPlus 2016 apps using Microsoft Intune.](https://docs.microsoft.com/intune/apps-add-office365)
## Settings for UWP apps
@@ -103,7 +103,7 @@ Universal apps that you can distribute in the provisioning package can be line-o
6. In the **Available customizations** pane, click the **LicenseProductId** that you just added.
-7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed **.**ms-windows-store-license**, and select the license file.
+7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed *\*.**ms-windows-store-license**, and select the license file.
[Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps)
diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md
index 782997dd02..62e14f6e7a 100644
--- a/windows/configuration/provisioning-packages/provisioning-command-line.md
+++ b/windows/configuration/provisioning-packages/provisioning-command-line.md
@@ -44,7 +44,7 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath:
| /CustomizationXML | No | Specifies the path to a Windows provisioning XML file that contains the customization assets and settings. For more information, see Windows provisioning answer file. |
| /PackagePath | Yes | Specifies the path and the package name where the built provisioning package will be saved. |
| /StoreFile | NoSee Important note. | For partners using a settings store other than the default store(s) used by Windows Configuration Designer, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows Configuration Designer.**Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. |
-| /Variables | No | Specifies a semicolon separated and macro pair. The format for the argument must be =. |
+| /Variables | No | Specifies a semicolon separated `` and `` macro pair. The format for the argument must be `=`. |
| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer auto-generates the decryption password and includes this information in the output.Precede with + for encryption or - for no encryption. The default is no encryption. |
| Overwrite | No | Denotes whether to overwrite an existing provisioning package.Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). |
| /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. |
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 2d3e412440..61ab4d40ae 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -189,7 +189,7 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
## Guidance for accounts on shared PCs
* We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
-* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
+* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
* On a Windows PC joined to Azure Active Directory:
* By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
* With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md
index 5c93aacf5e..fd49af9302 100644
--- a/windows/configuration/start-secondary-tiles.md
+++ b/windows/configuration/start-secondary-tiles.md
@@ -64,7 +64,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
## Export Start layout and assets
-1. Follow the instructions in [Customize and export Start layout](customize-and-export-start-layout.md#bkmkcustomizestartscreen) to customize the Start screen on your test computer.
+1. Follow the instructions in [Customize and export Start layout](customize-and-export-start-layout.md#customize-the-start-screen-on-your-test-computer) to customize the Start screen on your test computer.
2. Open Windows PowerShell as an administrator and enter the following command:
```
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index 68f04ffda2..299ba40be7 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -643,7 +643,7 @@ This element defines the settings for a single application or a suite of applica
Here is the SettingsLocationTemplate.xsd file showing its elements, child elements, attributes, and parameters:
-``` syntax
+```xml
; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Mobile Safari/537.36 Edge/12.10166`
-- is automatically replaced with the OEM name. This is the same as the PhoneManufacturer setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo.
-- is replaced with the device name or phone name. This is the same as the PhoneModelName setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo.
+- `` is automatically replaced with the OEM name. This is the same as the PhoneManufacturer setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo.
+- `` is replaced with the device name or phone name. This is the same as the PhoneModelName setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo.
**Limitations and restrictions:**
diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md
index df739bb51d..9dd957088d 100644
--- a/windows/configuration/wcd/wcd-messaging.md
+++ b/windows/configuration/wcd/wcd-messaging.md
@@ -338,7 +338,7 @@ By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber
| ADDR | Specify the absolute MMSC URL. The possible values to configure the ADDR parameter are:- A Uniform Resource Identifier (URI)- An IPv4 address represented in decimal format with dots as delimiters- A fully qualified Internet domain name |
| APPID | Set to `w4`. |
| MS | (optional) Specify the maximum size of MMS, in KB. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized. |
-| NAME | (optional) Enter user–readable application identity. This parameter is also used to define part of the registry path for the APPLICATION parameters. The possible values to configure the **NAME** parameter are:- Character string containing the name- no value specifiedIf no value is specified, the registry location will default to . If **NAME** is greater than 40 characters, it will be truncated to 40 characters. |
+| NAME | (optional) Enter user–readable application identity. This parameter is also used to define part of the registry path for the APPLICATION parameters. The possible values to configure the **NAME** parameter are:- Character string containing the name- no value specifiedIf no value is specified, the registry location will default to ``. If **NAME** is greater than 40 characters, it will be truncated to 40 characters. |
| TONAPID | Specify the network access point identification name (NAPID) defined in the provisioning file. This parameter takes a string value. It is only possible to refer to network access points defined within the same provisioning file (except if the INTERNET attribute is set in the NAPDEF characteristic). For more information about the NAPDEF characteristic, see [NAPDEF configuration service provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/napdef-csp). |
| TOPROXY | Specify one logical proxy with a matching PROXY-ID. It is only possible to refer to proxies defined within the same provisioning file. Only one proxy can be listed. The TO-PROXY value must be set to the value of the PROXY ID in PXLOGICAL that defines the MMS specific-proxy. |
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index be459e9731..5ccfcbb449 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -117,7 +117,7 @@ This section describes the **Policies** settings that you can configure in [prov
| [AllowWebContentOnNewTabPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | Specify whether a New tab page opens with the default content or a blank page. | X | X | X | | X |
[AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | X | X | | | |
| [ClearBrowsingDataOnExit](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | X | | | | |
-| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 addtional search engines for MDM-enrolled devices. | X | X | X | | X |
+| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 additional search engines for MDM-enrolled devices. | X | X | X | | X |
| [ConfigureFavoritesBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | Specify whether the Favorites bar is shown or hidden on all pages. | X | | | | |
| [ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it is selected. You should also configure the [SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | X | | | | |
| [ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | X | | | | |
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index e0d4c6ae49..dc75df4d5f 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -1,5 +1,4 @@
# [Deploy and update Windows 10](https://docs.microsoft.com/windows/deployment)
-## [Architectural planning posters for Windows 10](windows-10-architecture-posters.md)
## [Deploy Windows 10 with Microsoft 365](deploy-m365.md)
## [What's new in Windows 10 deployment](deploy-whats-new.md)
## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
@@ -218,37 +217,43 @@
## Update Windows 10
### [Update Windows 10 in enterprise deployments](update/index.md)
-### [Windows as a service](update/windows-as-a-service.md)
+### Windows as a service
+#### [Windows as a service - introduction](update/windows-as-a-service.md)
#### [Quick guide to Windows as a service](update/waas-quick-start.md)
-##### [Servicing stack updates](update/servicing-stack-updates.md)
+#### [Servicing stack updates](update/servicing-stack-updates.md)
#### [Overview of Windows as a service](update/waas-overview.md)
### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md)
-### [Get started with Windows Update](update/windows-update-overview.md)
+### Get started
+#### [Get started with Windows Update](update/windows-update-overview.md)
#### [How Windows Update works](update/how-windows-update-works.md)
#### [Windows Update log files](update/windows-update-logs.md)
#### [How to troubleshoot Windows Update](update/windows-update-troubleshooting.md)
#### [Common Windows Update errors](update/windows-update-errors.md)
#### [Windows Update error code reference](update/windows-update-error-reference.md)
#### [Other Windows Update resources](update/windows-update-resources.md)
-### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
+### Optimize delivery
+#### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
#### [Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
#### [Set up Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization-setup.md)
#### [Delivery Optimization reference](update/waas-delivery-optimization-reference.md)
#### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)
#### [Whitepaper: Windows Updates using forward and reverse differentials](update/PSFxWhitepaper.md)
-### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md)
+### Best practices
+#### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md)
#### [Deploy feature updates during maintenance windows](update/feature-update-maintenance-window.md)
#### [Deploy feature updates for user-initiated installations](update/feature-update-user-install.md)
#### [Conclusion](update/feature-update-conclusion.md)
### [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md)
-### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md)
+### Use Windows Update for Business
+#### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md)
#### [Configure Windows Update for Business](update/waas-configure-wufb.md)
#### [Integrate Windows Update for Business with management solutions](update/waas-integrate-wufb.md)
#### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md)
#### [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
-### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md)
+### Use Windows Server Update Services
+#### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md)
#### [Enable FoD and language pack updates in Windows Update](update/fod-and-lang-packs.md)
### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md)
### [Manage device restarts after updates](update/waas-restart.md)
@@ -256,15 +261,18 @@
### [Determine the source of Windows updates](update/windows-update-sources.md)
## Windows Analytics
-## [Windows Analytics overview](update/windows-analytics-overview.md)
+### [Windows Analytics overview](update/windows-analytics-overview.md)
### [Windows Analytics in the Azure Portal](update/windows-analytics-azure-portal.md)
### [Windows Analytics and privacy](update/windows-analytics-privacy.md)
-### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
+### Upgrade Readiness
+#### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md)
#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md)
-#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)
+#### Get started
+##### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)
##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md)
-#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)
+#### Use Upgrade Readiness
+##### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)
##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md)
##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
@@ -272,7 +280,8 @@
##### [Step 4: Monitor deployment](upgrade/upgrade-readiness-monitor-deployment.md)
##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
##### [Targeting a new operating system version](upgrade/upgrade-readiness-target-new-OS.md)
-### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
+### Monitor Windows Updates
+#### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
#### [Get started with Update Compliance](update/update-compliance-get-started.md)
#### [Use Update Compliance](update/update-compliance-using.md)
##### [Need Attention! report](update/update-compliance-need-attention.md)
@@ -281,7 +290,8 @@
##### [Windows Defender AV Status report](update/update-compliance-wd-av-status.md)
##### [Delivery Optimization in Update Compliance](update/update-compliance-delivery-optimization.md)
##### [Update Compliance Perspectives](update/update-compliance-perspectives.md)
-### [Device Health](update/device-health-monitor.md)
+### Device Health
+#### [Device Health overview](update/device-health-monitor.md)
#### [Get started with Device Health](update/device-health-get-started.md)
#### [Using Device Health](update/device-health-using.md)
### [Enrolling devices in Windows Analytics](update/windows-analytics-get-started.md)
diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md
index d39bede8cc..dfeaba4ae4 100644
--- a/windows/deployment/add-store-apps-to-image.md
+++ b/windows/deployment/add-store-apps-to-image.md
@@ -58,7 +58,7 @@ On a test machine:
1. **Install the Microsoft Store for Business application you previously added** to your image.
2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**.
3. Open Windows PowerShell with administrator privileges.
-4. Use `Export-StartLayout -path .xml` where ** is the path and name of the xml file your will later import into your Windows Image.
+4. Use `Export-StartLayout -path .xml` where *\\* is the path and name of the xml file your will later import into your Windows Image.
5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image.
Now, on the machine where your image file is accessible:
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index af5362ff55..2abea6edac 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -32,7 +32,6 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
- "uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md
index 96987d01b7..72d8385c62 100644
--- a/windows/deployment/update/device-health-using.md
+++ b/windows/deployment/update/device-health-using.md
@@ -188,7 +188,7 @@ To work around this, click the **App Reliability** tab above the results to see
#### Clicking "See all…" from the App Reliability Events blade followed by clicking an app from the expanded list results in raw records instead of the App Reliability view
To work around this, replace all of the text in the Log Search query box with the following:
-*DHAppReliability | where AppFileDisplayName == ""*
+*DHAppReliability | where AppFileDisplayName == "\"*
For example:
diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md
index 453f81384b..df669aaff6 100644
--- a/windows/deployment/update/feature-update-maintenance-window.md
+++ b/windows/deployment/update/feature-update-maintenance-window.md
@@ -27,8 +27,8 @@ Use the following information to deploy feature updates during a maintenance win
1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**.
2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s).
3. On the **Home** tab, in the **Properties** group, choose **Properties**.
-4. In the **Maintenance Windows** tab of the Properties dialog box, choose the New icon.
-5. Complete the Schedule dialog.
+4. In the **Maintenance Windows** tab of the `` Properties dialog box, choose the New icon.
+5. Complete the `` Schedule dialog.
6. Select from the Apply this schedule to drop-down list.
7. Choose **OK** and then close the **\ Properties** dialog box.
diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md
index 2298c263fd..962f5cdcfd 100644
--- a/windows/deployment/update/update-compliance-wd-av-status.md
+++ b/windows/deployment/update/update-compliance-wd-av-status.md
@@ -36,3 +36,7 @@ Here are some important terms to consider when using the Windows Defender AV Sta
## Windows Defender data latency
Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days.
+
+## Related topics
+
+- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites)
diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md
index ed7ea85a50..e8bd2af8db 100644
--- a/windows/deployment/update/windows-analytics-get-started.md
+++ b/windows/deployment/update/windows-analytics-get-started.md
@@ -75,6 +75,12 @@ To enable data sharing, configure your proxy server to whitelist the following e
> [!IMPORTANT]
> For privacy and data integrity, Windows checks for a Microsoft SSL certificate when communicating with the diagnostic data endpoints. SSL interception and inspection aren't possible. To use Desktop Analytics, exclude these endpoints from SSL inspection.
+>[!NOTE]
+>Microsoft has a strong commitment to providing the tools and resources that put you in control of your privacy. As a result, Microsoft doesn't collect the following data from devices located in European countries (EEA and Switzerland):
+>- Windows diagnostic data from Windows 8.1 devices
+>- App usage data for Windows 7 devices
+
+
### Configuring endpoint access with SSL inspection
To ensure privacy and data integrity Windows checks for a Microsoft SSL certificate when communicating with the diagnostic data endpoints. Accordingly SSL interception and inspection is not possible. To use Windows Analytics services you should exclude the above endpoints from SSL inspection.
@@ -97,6 +103,7 @@ The compatibility update scans your devices and enables application usage tracki
| Windows 7 SP1 | The compatibility update is included in monthly quality updates for Windows 7. We recommend installing the latest [Windows Monthly Rollup](http://www.catalog.update.microsoft.com/Search.aspx?q=security%20monthly%20quality%20rollup%20for%20windows%207) before attempting to enroll devices into Windows Analytics. |
### Connected User Experiences and Telemetry service
+
With Windows diagnostic data enabled, the Connected User Experience and Telemetry service (DiagTrack) collects system, application, and driver data. Microsoft analyzes this data, and shares it back to you through Windows Analytics. For the best experience, install these updates depending upon the operating system version.
- For Windows 10, install the latest Windows 10 cumulative update.
@@ -166,20 +173,23 @@ When you run the deployment script, it initiates a full scan. The daily schedule
Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see [Upgrade Readiness deployment script](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-deployment-script). For information on how to deploy PowerShell scripts by using Windows Intune, see [Manage PowerShell scripts in Intune for Windows 10 devices](https://docs.microsoft.com/intune/intune-management-extension).
### Distributing policies at scale
+
There are a number of policies that can be centrally managed to control Windows Analytics device configuration. All of these policies have *preference* registry key equivalents that can be set by using the deployment script. Policy settings override preference settings if both are set.
>[!NOTE]
->You can only set the diagnostic data level to Enhanced by using policy. For example, this is necessary for using Device Health.
+>You can only set the diagnostic data level to Enhanced by using policy. For example, this is necessary to use Device Health.
-These policies are under Microsoft\Windows\DataCollection:
+These policies are defined by values under **Microsoft\Windows\DataCollection**. All are REG_DWORD policies (except CommercialId which is REG_SZ).
-| Policy | Value |
+>[!IMPORTANT]
+>Configuring these keys independently without using the enrollment script is not recommended. There is additional validation that occurs when you use the enrollment script.
+
+| Policy | Value |
|-----------------------|------------------|
-| CommercialId | In order for your devices to show up in Windows Analytics, they must be configured with your organization’s Commercial ID. |
-| AllowTelemetry (in Windows 10) | 1 (Basic), 2 (Enhanced) or 3 (Full) diagnostic data. Windows Analytics will work with basic diagnostic data, but more features are available when you use the Enhanced level (for example, Device Health requires Enhanced diagnostic data and Upgrade Readiness only collects app usage and site discovery data on Windows 10 devices with Enhanced diagnostic data). For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
-| LimitEnhancedDiagnosticDataWindowsAnalytics (in Windows 10) | Only applies when AllowTelemetry=2. Limits the Enhanced diagnostic data events sent to Microsoft to just those needed by Windows Analytics. For more information, see [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields).|
-| AllowDeviceNameInTelemetry (in Windows 10) | In Windows 10, version 1803, a separate opt-in is required to enable devices to continue to send the device name. Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates. |
-| CommercialDataOptIn (in Windows 7 and Windows 8) | 1 is required for Upgrade Readiness, which is the only solution that runs on Windows 7 or Windows 8. |
-
+| CommercialId | In order for your devices to show up in Windows Analytics, they must be configured with your organization’s Commercial ID. |
+| AllowTelemetry | **In Windows 10**: 1 (Basic), 2 (Enhanced) or 3 (Full) diagnostic data. Windows Analytics will work with basic diagnostic data, but more features are available when you use the Enhanced level (for example, Device Health requires Enhanced diagnostic data and Upgrade Readiness only collects app usage and site discovery data on Windows 10 devices with Enhanced diagnostic data). For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
+| LimitEnhancedDiagnosticDataWindowsAnalytics | **In Windows 10**: Only applies when AllowTelemetry=2. Limits the Enhanced diagnostic data events sent to Microsoft to just those needed by Windows Analytics. For more information, see [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields).|
+| AllowDeviceNameInTelemetry | **In Windows 10, version 1803**: A separate opt-in is required to enable devices to continue to send the device name. Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates. |
+| CommercialDataOptIn | **In Windows 7 and Windows 8**: 1 is required for Upgrade Readiness, which is the only solution that runs on Windows 7 or Windows 8. |
You can set these values by using Group Policy (in Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds) or by using Mobile Device Management (in Provider/*Provider ID*/CommercialID). (If you are using Microsoft Intune, use `MS DM Server` as the provider ID.) For more information about deployment using MDM, see the [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp) topic in MDM documentation.
@@ -201,3 +211,4 @@ Note that it is possible to intiate a full inventory scan on a device by calling
- CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun ent
For details on how to run these and how to check results, see the deployment script.
+
diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md
index 54c06b6319..7d473f04c2 100644
--- a/windows/deployment/update/windows-update-errors.md
+++ b/windows/deployment/update/windows-update-errors.md
@@ -26,8 +26,8 @@ The following table provides information about common errors you might run into
| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2
To do this, type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak |
| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS. |
| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.
If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). |
-| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com
Additionally , you can take a network trace and see what is timing out. |
-| 0x80072EFD
0x80072EFE
0x80D02002 | TIME OUT ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. |
+| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com
Additionally , you can take a network trace and see what is timing out. \ |
+| 0x80072EFD
0x80072EFE
0x80D02002 | TIME OUT ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ |
| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. |
| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the WU Service is shutting down. | This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. |
| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Please login to the system to initiate the installation and allow the system to be rebooted. |
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index fdcd498da9..2344d36ef8 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -142,7 +142,7 @@ Therefore, Windows Setup failed because it was not able to migrate the corrupt f
27:00, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
27:00, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped
27:00, Info SP ExecuteProgress: Elapsed events:1 of 4, Percent: 12
-27:00, Info [0x0802c6] MIG Processing GATHER for migration unit: \UpgradeFramework (CMXEAgent)
+27:00, Info [0x0802c6] MIG Processing GATHER for migration unit: <System>\UpgradeFramework (CMXEAgent)
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
27:08, Info SP ExecuteProgress: Elapsed events:2 of 4, Percent: 25
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index a938d6cf16..8c44441ec6 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -404,9 +404,9 @@ Refer to https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-cod
### XML log sample
-```
+```xml
-
+
1.5.0.0
FindSPFatalError
A4028172-1B09-48F8-AD3B-86CDD7D55852
@@ -449,7 +449,7 @@ Error: 0x00000057
LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5/2/2019 to structure[gle=0x00000057]
LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5/2/2019 to structure[gle=0x00000057]
-Refer to "https://docs.microsoft.com/en-us/windows/desktop/Debug/system-error-codes" for error information.
+Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" for error information.
Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel
```
diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
index 83db3a42b1..9e087abb3e 100644
--- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
@@ -179,5 +179,5 @@ Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Mi
>
> Then run the Enterprise Config script (RunConfig.bat) again.
>
-> If the script still fails, then send mail to uasupport@microsoft.com including log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well.
+> If the script still fails, then send mail to uasupport@microsoft.com including log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well.
diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
index a75f7d866b..3cfb3be1df 100644
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md
+++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md
@@ -26,7 +26,7 @@ You can use Upgrade Readiness to plan and manage your upgrade project end-to-end
Before you begin, consider reviewing the following helpful information:
- [Upgrade Readiness requirements](upgrade-readiness-requirements.md): Provides detailed requirements to use Upgrade Readiness.
- - [Upgrade Readiness blog](https://aka.ms/blog/WindowsAnalytics): Contains announcements of new features and provides helpful tips for using Upgrade Readiness.
+ - [Upgrade Readiness blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/bg-p/WindowsAnalyticsBlog): Contains announcements of new features and provides helpful tips for using Upgrade Readiness.
>If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index c1fea98e25..8e536f61c9 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -383,7 +383,7 @@ Syntax: ``` `
Refer to the following sample Config.xml file for additional details about items you can choose to exclude from a migration.
-``` syntax
+```xml
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index a0fa56bd65..39269803a9 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -134,7 +134,7 @@ The following is a custom .xml file named CustomFile.xml that migrates My Videos
-``` syntax
+```xml
diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
index 581f97e79a..0c2253be96 100644
--- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md
+++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
@@ -90,7 +90,7 @@ To preserve the functionality of existing applications or scripts that require t
The space requirements report provides two elements, <**storeSize**> and <**temporarySpace**>. The <**temporarySpace**> value shows the disk space, in bytes, that USMT uses to operate during the migration—this does not include the minimum 250 MB needed to support USMT. The <**storeSize**> value shows the disk space, in bytes, required to host the migration store contents on both the source and destination computers. The following example shows a report generated using **/p:***<path to a file>*.
-``` syntax
+```xml
diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md
index 34f4626318..fad90a25bf 100644
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@@ -272,7 +272,7 @@ The directory of **C:\\data\\New Folder** contains:
To migrate these files you author the following migration XML:
-``` syntax
+```xml
@@ -368,7 +368,7 @@ The **C:\\Data\\New Folder\\** contains:
You author the following migration XML:
-``` syntax
+```xml
@@ -422,7 +422,7 @@ However, upon testing the migration you notice that all the text files are still
Upon reviewing the diagnostic log, you confirm that the files are still migrating, and that it is a problem with the authored migration XML rule. You author an update to the migration XML script as follows:
-``` syntax
+```xml
diff --git a/windows/deployment/windows-10-architecture-posters.md b/windows/deployment/windows-10-architecture-posters.md
deleted file mode 100644
index f0245f7e83..0000000000
--- a/windows/deployment/windows-10-architecture-posters.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-title: Deploy Windows 10 - architectural posters
-description: Provides architural planning posters for Windows 10 in the enterprise
-ms.prod: w10
-ms.author: greg-lindsay
-author: greg-lindsay
-ms.date: 09/28/2017
-ms.reviewer:
-manager: laurawi
-ms.tgt_pltfrm: na
-ms.topic: article
-ms.localizationpriority: medium
----
-# Architectural planning posters for Windows 10
-
-You can download the following posters for architectural information about deploying Windows 10 in the enterprise.
-
-- [Deploy Windows 10 - Clean installation](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf)
- Learn about the options and steps for a new installation of Windows 10.
-- [Deploy Windows 10 - In-place upgrade](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf)
- Learn about the steps to upgrade from a previous version of Windows.
-- [Deploy Windows 10 - Windows Autopilot](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf)
- Learn how you can set up and pre-configure Windows 10 devices.
-- [Deploy Windows 10 - Windows servicing](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/WindowsServicing.pdf)
- Learn how to keep Windows up to date.
-- [Deploy Windows 10 - Protection solutions](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf)
- Learn about the two tiers of protection available for Windows 10 devices.
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 303b19e350..1473adef20 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -306,7 +306,7 @@ This section contains several procedures to support Zero Touch installation with
WDSUTIL /Set-Server /AnswerClients:None
```
-1. Deterime the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1:
+1. Determine the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1:
```
(Get-NetAdapter "Ethernet").MacAddress
@@ -793,7 +793,7 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce
## Replace a client with Windows 10 using Configuration Manager
->Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoto.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter.
+>Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter.
@@ -840,7 +840,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
Checkpoint-VM -Name PC1 -SnapshotName BeginState
```
-3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarcy Configuration** and click on **Discovery Methods**.
+3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and click on **Discovery Methods**.
4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox.
5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times.
6. When a popup dialog box asks if you want to run full discovery, click **Yes**.
@@ -930,7 +930,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**.
-5. Use the following settings in the Deploy Sofware wizard:
+5. Use the following settings in the Deploy Software wizard:
- General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
- Deployment Settings > Purpose: **Available**
- Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
@@ -1052,8 +1052,8 @@ In the Configuration Manager console, in the Software Library workspace under Op
1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**.
2. Right-click the computer account for PC1, point to **Client Notification**, click **Download Computer Policy**, and click **OK** in the popup dialog box.
-3. On PC1, in the notification area, click **New sofware is available** and then click **Open Sofware Center**.
-4. In the Sofware Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example:
+3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**.
+4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example:
diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md
index 59296c932d..935565887e 100644
--- a/windows/deployment/windows-autopilot/autopilot-faq.md
+++ b/windows/deployment/windows-autopilot/autopilot-faq.md
@@ -140,9 +140,10 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
|Where is the Windows Autopilot data stored? |Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the AAD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot.|
|Why is Windows Autopilot data stored in the US and not in a sovereign cloud?|It is not customer data that we store, but business data which enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service any time, and, in that event, the business data is removed by Microsoft.|
|How many ways are there to register a device for Windows Autopilot|There are six ways to register a device, depending on who is doing the registering:
1. OEM Direct API (only available to TVOs)
2. MPC via the MPC API (must be a CSP)
3. MPC via manual upload of CSV file in the UI (must be a CSP)
4. MSfB via CSV file upload
5. Intune via CSV file upload
6. Microsoft 365 Business portal via CSV file upload|
-|How many ways are there to create an Windows Autopilot profile?|There are four ways to create & assign an Windows Autopilot profile:
1. Through MPC (must be a CSP)
2. Through MSfB
3. Through Intune (or another MDM)
4. Microsoft 365 Business portal
Microsoft recommends creation and assignment of profiles through Intune. |
-| What are some common causes of registration failures? |
1. Bad or missing Hardware hash entries can lead to faulty registration attempts
2. Hidden special characters in CSV files.
To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.|
-| Is Autopilot supported in all regions/countries? |
Autopilot only supports customers using public Azure. Public Azure does not include the three entities listed below:
- Azure Germany
- Azure China
- Azure Government
So, if a customer is set up in global Azure, there are no region restrictions. For example, if Contoso uses global Azure but has employees working in China, the Contoso employees working in China would be able to use Autopilot to deploy devices. If Contoso uses Azure China, the Contoso employees would not be able to use Autopilot.|
+|How many ways are there to create a Windows Autopilot profile?|There are four ways to create & assign an Windows Autopilot profile:
1. Through MPC (must be a CSP)
2. Through MSfB
3. Through Intune (or another MDM)
4. Microsoft 365 Business portal
Microsoft recommends creation and assignment of profiles through Intune. |
+| What are some common causes of registration failures? |1. Bad or missing Hardware hash entries can lead to faulty registration attempts
2. Hidden special characters in CSV files.
To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.|
+| Is Autopilot supported on IoT devices? | Autopilot is not supported on IoT Core devices, and there are currently no plans to add this support. Autopilot is supported on Windows 10 IoT Enterprise SAC devices. Autopilot is supported on Windows 10 Enterprise LTSC 2019 and above; it is not supported on earlier versions of LTSC.|
+| Is Autopilot supported in all regions/countries? | Autopilot only supports customers using public Azure. Public Azure does not include the three entities listed below:
- Azure Germany
- Azure China
- Azure Government
So, if a customer is set up in global Azure, there are no region restrictions. For example, if Contoso uses global Azure but has employees working in China, the Contoso employees working in China would be able to use Autopilot to deploy devices. If Contoso uses Azure China, the Contoso employees would not be able to use Autopilot.|
## Glossary
diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md
index dd731fbc59..c08469ea87 100644
--- a/windows/deployment/windows-autopilot/enrollment-status.md
+++ b/windows/deployment/windows-autopilot/enrollment-status.md
@@ -30,22 +30,6 @@ The ESP will track the installation of applications, security policies, certific
-## Installation progress tracking
-
-The Enrollment Status Page tracks a subset of the available MDM CSP policies that are delivered to the device as part of the complete device configuration process. The specific types of policies that are tracked include:
-
-- Certain types of app installations.
- - Enterprise modern apps (Appx/MSIX) installed by the [Enterprise Modern App Managment CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisemodernappmanagement-csp).
- - Enterprise desktop apps (single-file MSIs) installed by the [Enterprise Desktop App Management CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisedesktopappmanagement-csp).
-
-- Certain device configuration policies. The following types of policies and installations are not tracked:
-
-- Intune Management Extensions PowerShell scripts
-- Office 365 ProPlus installations**
-- System Center Configuration Manager apps, packages, and task sequences
-
-**The ability to track Office 365 ProPlus installations was added with Windows 10, version 1809.
-
## More information
For more information on configuring the Enrollment Status Page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md
index c177340864..3d3883c068 100644
--- a/windows/deployment/windows-autopilot/existing-devices.md
+++ b/windows/deployment/windows-autopilot/existing-devices.md
@@ -62,7 +62,7 @@ See the following examples.
#### Install required modules
- ```
+ ```powershell
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module AzureAD -Force
Install-Module WindowsAutopilotIntune -Force
@@ -71,7 +71,7 @@ See the following examples.
3. Enter the following lines and provide Intune administrative credentials
- In the following command, replace the example user principal name for Azure authentication (admin@M365x373186.onmicrosoft.com) with your user account. Be sure that the user account you specify has sufficient administrative rights.
- ```
+ ```powershell
Connect-AutopilotIntune -user admin@M365x373186.onmicrosoft.com
```
The password for your account will be requested using a standard Azure AD form. Type your password and then click **Sign in**.
@@ -87,7 +87,7 @@ See the following examples.
#### Retrieve profiles in Autopilot for existing devices JSON format
- ```
+ ```powershell
Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
```
@@ -126,7 +126,7 @@ See the following examples.
5. The Autopilot profile must be saved as a JSON file in ASCII or ANSI format. Windows PowerShell defaults to Unicode format, so if you attempt to redirect output of the commands to a file, you must also specify the file format. For example, to save the file in ASCII format using Windows PowerShell, you can create a directory (ex: c:\Autopilot) and save the profile as shown below: (use the horizontal scroll bar at the bottom if needed to view the entire command string)
- ```
+ ```powershell
Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII
```
**IMPORTANT**: The file name must be named **AutopilotConfigurationFile.json** in addition to being encoded as ASCII/ANSI.
@@ -302,7 +302,7 @@ The Task Sequence will download content, reboot, format the drives and install W
>[!NOTE]
->If joining devices to Active Directory (Hybrid Azure AD Join), it is necessary to create a Domain Join device configuration profile that is targeted to "All Devices" (since there is no Azure Active Directory device object for the computer to do group-based targeting). See [User-driven mode for hybrid Azure Active Directory join](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/user-driven#user-driven-mode-for-hybrid-azure-active-directory-join) for more information.
+>If joining devices to Active Directory (Hybrid Azure AD Join), it is necessary to create a Domain Join device configuration profile that is targeted to "All Devices" (since there is no Azure Active Directory device object for the computer to do group-based targeting). See [User-driven mode for hybrid Azure Active Directory join](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven#user-driven-mode-for-hybrid-azure-active-directory-join) for more information.
### Register the device for Windows Autopilot
diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md
index 4495c6c055..3e55879db7 100644
--- a/windows/deployment/windows-autopilot/known-issues.md
+++ b/windows/deployment/windows-autopilot/known-issues.md
@@ -24,13 +24,15 @@ ms.topic: article
| Issue | More information
+ | | White glove gives a red screen and the Microsoft-Windows-User Device Registration/Admin event log displays HResult error code 0x801C03F3 | This can happen if Azure AD can’t find an AAD device object for the device that you are trying to deploy. This will occur if you manually delete the object. To fix it, remove the device from AAD, Intune, and Autopilot, then re-register it with Autopilot, which will recreate the AAD device object.
+
To obtain troubleshooting logs use: Mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\autopilot.cab
|
| White glove gives a red screen | White glove is not supported on a VM.
|
| Error importing Windows Autopilot devices from a .csv file | Ensure that you have not edited the .csv file in Microsoft Excel or an editor other than Notepad. Some of these editors can introduce extra characters causing the file format to be invalid.
|
| Windows Autopilot for existing devices does not follow the Autopilot OOBE experience. | Ensure that the JSON profile file is saved in ANSI/ASCII format, not Unicode or UTF-8.
|
| Something went wrong is displayed page during OOBE. | The client is likely unable to access all the required AAD/MSA-related URLs. For more information, see Networking requirements.
|
-
## Related topics
+[Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10)
[Troubleshooting Windows Autopilot](troubleshooting.md)
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md
index 48841e967b..ee06f80d04 100644
--- a/windows/deployment/windows-autopilot/self-deploying.md
+++ b/windows/deployment/windows-autopilot/self-deploying.md
@@ -37,8 +37,8 @@ Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage
Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. The devices must also support TPM device attestation. (All newly-manufactured Windows devices should meet these requirements.)
->[!NOTE]
->If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported).. Also note that Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
+>[!IMPORTANT]
+>If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported).. Also note that Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. Since Windows 10 Enterprise 2019 LTSC is based on Windows 10 version 1809, self-deploying mode is also not supported on Windows 10 Enterprise 2019 LTSC.
In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details.
diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md
index 52b66ab257..dda5ad6943 100644
--- a/windows/deployment/windows-autopilot/troubleshooting.md
+++ b/windows/deployment/windows-autopilot/troubleshooting.md
@@ -26,20 +26,20 @@ Windows Autopilot is designed to simplify all parts of the Windows device lifecy
Regardless of whether performing user-driven or self-deploying device deployments, the troubleshooting process is the mostly the same. It is useful to understand the flow for a specific device:
-- Network connection established. This can be a wireless (Wi-fi) or wired (Ethernet) connection.
-- Windows Autopilot profile downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place.
-- User authentication. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated.
-- Azure Active Directory join. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials.
-- Automatic MDM enrollment. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (e.g. Microsoft Intune).
-- Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in.
+- Network connection established. This can be a wireless (Wi-fi) or wired (Ethernet) connection.
+- Windows Autopilot profile downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place.
+- User authentication. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated.
+- Azure Active Directory join. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials.
+- Automatic MDM enrollment. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (e.g. Microsoft Intune).
+- Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in.
For troubleshooting, key activities to perform are:
-- Configuration. Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements.md)?
-- Network connectivity. Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements.md)?
-- Autopilot OOBE behavior. Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected?
-- Azure AD join issues. Was the device able to join Azure Active Directory?
-- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)?
+- Configuration. Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements.md)?
+- Network connectivity. Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements.md)?
+- Autopilot OOBE behavior. Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected?
+- Azure AD join issues. Was the device able to join Azure Active Directory?
+- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)?
## Troubleshooting Autopilot OOBE issues
@@ -109,8 +109,13 @@ When a profile is downloaded depends on the version of Windows 10 that is runnin
| 1803 | The profile is downloaded as soon as possible. If wired, it is downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page. |
| 1809 | The profile is downloaded as soon as possible (same as 1803), and again after each reboot. |
-If you need to reboot a computer during OOBE:
+If you need to reboot a computer during OOBE:
- Press Shift-F10 to open a command prompt.
- Enter **shutdown /r /t 0** to restart immediately, or **shutdown /s /t 0** to shutdown immediately.
-For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options).
\ No newline at end of file
+For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options).
+
+## Related topics
+
+[Windows Autopilot - known issues](known-issues.md)
+[Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10)
diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md
index d0a2891d0c..642497fe48 100644
--- a/windows/deployment/windows-autopilot/white-glove.md
+++ b/windows/deployment/windows-autopilot/white-glove.md
@@ -38,6 +38,9 @@ In addition to [Windows Autopilot requirements](windows-autopilot-requirements.m
- Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported. The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements.
- Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device.
+>[!IMPORTANT]
+>Because the OEM or vendor performs the white glove process, this doesn’t require access to an end-user's on-prem domain infrastructure. This is unlike a typical hybrid Azure AD-joined scenario because rebooting the device is postponed. The device is resealed prior to the time when connectivity to a domain controller is expected, and the domain network is contacted when the device is unboxed on-prem by the end-user.
+
## Preparation
Devices slated for WG provisioning are registered for Autopilot via the normal registration process.
diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json
index 7c76654379..0dbfe2d2e9 100644
--- a/windows/device-security/docfx.json
+++ b/windows/device-security/docfx.json
@@ -31,11 +31,9 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
- "uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "justinha",
"ms.date": "04/05/2017",
"_op_documentIdPathDepotMapping": {
"./": {
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 31963629cf..78a9eb10fb 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -34,11 +34,9 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
- "uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "brianlic",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
diff --git a/windows/hub/windows-10.yml b/windows/hub/windows-10.yml
index a981edf38a..e858c87806 100644
--- a/windows/hub/windows-10.yml
+++ b/windows/hub/windows-10.yml
@@ -40,7 +40,7 @@ sections:
- items:
- type: markdown
text: "
- Get answers to commom questions, or get help with a specific problem.
+ Get answers to common questions, or get help with a specific problem.
"
diff --git a/windows/known-issues/docfx.json b/windows/known-issues/docfx.json
index 102f32f826..ebcaf22f82 100644
--- a/windows/known-issues/docfx.json
+++ b/windows/known-issues/docfx.json
@@ -35,7 +35,6 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
- "uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 9221109b4d..5a6da07e0b 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -32,7 +32,6 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
- "uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 98ab45165f..903c748516 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -41,7 +41,7 @@ Applying the Windows Restricted Traffic Limited Functionality Baseline is the sa
It is recommended that you restart a device after making configuration changes to it.
Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
-To use Microsoft InTune cloud based device managment for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm).
+To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm).
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
@@ -69,7 +69,8 @@ The following table lists management options for each setting, beginning with Wi
| [11. Mail synchronization](#bkmk-mailsync) |  | |  |
| [12. Microsoft Account](#bkmk-microsoft-account) | |  |  |
| [13. Microsoft Edge](#bkmk-edge) |  |  |  |
-| [14. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |
+| [14. Network Connection Status Indicator](#bkmk-ncsi)
+) | |  |  |
| [15. Offline maps](#bkmk-offlinemaps) |  |  |  |
| [16. OneDrive](#bkmk-onedrive) | |  |  |
| [17. Preinstalled apps](#bkmk-preinstalledapps) |  | | |
@@ -604,9 +605,9 @@ For a complete list of the Microsoft Edge policies, see [Available policies for
### 14. Network Connection Status Indicator
-Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCSI, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. See the [Microsoft Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/bg-p/NetworkingBlog) to learn more.
-In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was `http://www.msftncsi.com`.
+In versions of Windows 10 prior to version 1607 and Windows Server 2016, the URL was `http://www.msftncsi.com/ncsi.txt`.
You can turn off NCSI by doing one of the following:
@@ -1465,7 +1466,7 @@ To turn this Off in the UI:
### 18.23 Voice Activation
-In the **Vocie activation** area, you can choose turn Off apps ability to listen for a Voice keyword.
+In the **Voice activation** area, you can choose turn Off apps ability to listen for a Voice keyword.
To turn this Off in the UI:
@@ -1671,7 +1672,7 @@ In Group Policy, configure:
-OR-
-- Create a REG_DWORD registry setting named **EnableSmartScreen** in **HKEY_LOCAL_MACHINE\\Sofware\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**.
+- Create a REG_DWORD registry setting named **EnableSmartScreen** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**.
-and-
diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md
index 35f3ef35ee..1d4984ab8f 100644
--- a/windows/privacy/manage-windows-1709-endpoints.md
+++ b/windows/privacy/manage-windows-1709-endpoints.md
@@ -422,6 +422,10 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op
| svchost | HTTPS | *.update.microsoft.com |
| svchost | HTTPS | *.delivery.mp.microsoft.com |
+These are dependent on enabling:
+- [Device authentication](manage-windows-1709-endpoints.md#device-authentication)
+- [Microsoft account](manage-windows-1709-endpoints.md#microsoft-account)
+
The following endpoint is used for content regulation.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md
index 983d8bce4b..4c1d88e554 100644
--- a/windows/privacy/manage-windows-1803-endpoints.md
+++ b/windows/privacy/manage-windows-1803-endpoints.md
@@ -427,6 +427,10 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op
| svchost | HTTPS | *.update.microsoft.com |
| svchost | HTTPS | *.delivery.mp.microsoft.com |
+These are dependent on enabling:
+- [Device authentication](manage-windows-1803-endpoints.md#device-authentication)
+- [Microsoft account](manage-windows-1803-endpoints.md#microsoft-account)
+
The following endpoint is used for content regulation.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index eb0dfe93cd..45e7568fd3 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -146,8 +146,8 @@ Office|The following endpoints are used to connect to the Office 365 portal's sh
|||HTTP|cs9.wac.phicdn.net|
|||HTTP|emdl.ws.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com|
-|||HTTP|*.windowsupdate.com*|
-||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com|
+|||HTTP|*.windowsupdate.com|
+||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTPS|*.delivery.mp.microsoft.com|
|||HTTPS|*.update.microsoft.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com|
diff --git a/windows/release-information/TOC.md b/windows/release-information/TOC.md
index 735c4e5527..c905dea447 100644
--- a/windows/release-information/TOC.md
+++ b/windows/release-information/TOC.md
@@ -1,36 +1,36 @@
# [Windows 10 release information](index.md)
-## [Message center](windows-message-center.yml)
-## Version 1903
-### [Known issues and notifications](status-windows-10-1903.yml)
-### [Resolved issues](resolved-issues-windows-10-1903.yml)
-## Version 1809 and Windows Server 2019
-### [Known issues and notifications](status-windows-10-1809-and-windows-server-2019.yml)
-### [Resolved issues](resolved-issues-windows-10-1809-and-windows-server-2019.yml)
-## Version 1803
-### [Known issues and notifications](status-windows-10-1803.yml)
-### [Resolved issues](resolved-issues-windows-10-1803.yml)
-## Version 1709
-### [Known issues and notifications](status-windows-10-1709.yml)
-### [Resolved issues](resolved-issues-windows-10-1709.yml)
-## Version 1703
-### [Known issues and notifications](status-windows-10-1703.yml)
-### [Resolved issues](resolved-issues-windows-10-1703.yml)
-## Version 1607 and Windows Server 2016
-### [Known issues and notifications](status-windows-10-1607-and-windows-server-2016.yml)
-### [Resolved issues](resolved-issues-windows-10-1607.yml)
-## Version 1507
-### [Known issues and notifications](status-windows-10-1507.yml)
-### [Resolved issues](resolved-issues-windows-10-1507.yml)
-## Previous versions
-### Windows 8.1 and Windows Server 2012 R2
-#### [Known issues and notifications](status-windows-8.1-and-windows-server-2012-r2.yml)
-####[Resolved issues](resolved-issues-windows-8.1-and-windows-server-2012-r2.yml)
-### Windows Server 2012
-#### [Known issues and notifications](status-windows-server-2012.yml)
-####[Resolved issues](resolved-issues-windows-server-2012.yml)
-### Windows 7 and Windows Server 2008 R2
-#### [Known issues and notifications](status-windows-7-and-windows-server-2008-r2-sp1.yml)
-####[Resolved issues](resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml)
-### Windows Server 2008 SP2
-#### [Known issues and notifications](status-windows-server-2008-sp2.yml)
-####[Resolved issues](resolved-issues-windows-server-2008-sp2.yml)
\ No newline at end of file
+# [Message center](windows-message-center.yml)
+# Version 1903
+## [Known issues and notifications](status-windows-10-1903.yml)
+## [Resolved issues](resolved-issues-windows-10-1903.yml)
+# Version 1809 and Windows Server 2019
+## [Known issues and notifications](status-windows-10-1809-and-windows-server-2019.yml)
+## [Resolved issues](resolved-issues-windows-10-1809-and-windows-server-2019.yml)
+# Version 1803
+## [Known issues and notifications](status-windows-10-1803.yml)
+## [Resolved issues](resolved-issues-windows-10-1803.yml)
+# Version 1709
+## [Known issues and notifications](status-windows-10-1709.yml)
+## [Resolved issues](resolved-issues-windows-10-1709.yml)
+# Version 1703
+## [Known issues and notifications](status-windows-10-1703.yml)
+## [Resolved issues](resolved-issues-windows-10-1703.yml)
+# Version 1607 and Windows Server 2016
+## [Known issues and notifications](status-windows-10-1607-and-windows-server-2016.yml)
+## [Resolved issues](resolved-issues-windows-10-1607.yml)
+# Version 1507
+## [Known issues and notifications](status-windows-10-1507.yml)
+## [Resolved issues](resolved-issues-windows-10-1507.yml)
+# Previous versions
+## Windows 8.1 and Windows Server 2012 R2
+### [Known issues and notifications](status-windows-8.1-and-windows-server-2012-r2.yml)
+###[Resolved issues](resolved-issues-windows-8.1-and-windows-server-2012-r2.yml)
+## Windows Server 2012
+### [Known issues and notifications](status-windows-server-2012.yml)
+### [Resolved issues](resolved-issues-windows-server-2012.yml)
+## Windows 7 and Windows Server 2008 R2
+### [Known issues and notifications](status-windows-7-and-windows-server-2008-r2-sp1.yml)
+### [Resolved issues](resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml)
+## Windows Server 2008 SP2
+### [Known issues and notifications](status-windows-server-2008-sp2.yml)
+### [Resolved issues](resolved-issues-windows-server-2008-sp2.yml)
\ No newline at end of file
diff --git a/windows/release-information/breadcrumb/toc.yml b/windows/release-information/breadcrumb/toc.yml
index 61d8fca61e..5c9f236497 100644
--- a/windows/release-information/breadcrumb/toc.yml
+++ b/windows/release-information/breadcrumb/toc.yml
@@ -1,3 +1,11 @@
- name: Docs
tocHref: /
- topicHref: /
\ No newline at end of file
+ topicHref: /
+ items:
+ - name: Windows
+ tocHref: /windows
+ topicHref: /windows/windows-10
+ items:
+ - name: Release information
+ tocHref: /windows/release-information/
+ topicHref: /windows/release-information/index
diff --git a/windows/release-information/cat-windows-docs-pr - Shortcut.lnk b/windows/release-information/cat-windows-docs-pr - Shortcut.lnk
new file mode 100644
index 0000000000..1c599245a0
Binary files /dev/null and b/windows/release-information/cat-windows-docs-pr - Shortcut.lnk differ
diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json
index a91619d79b..5bab1ca43c 100644
--- a/windows/release-information/docfx.json
+++ b/windows/release-information/docfx.json
@@ -35,7 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "breadcrumb_path": "/windows/release-information/breadcrumb/toc.json",
"ms.prod": "w10",
"ms.date": "4/30/2019",
"titleSuffix": "Windows Release Information",
diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml
index 1c510dd2e2..fcb44369bb 100644
--- a/windows/release-information/resolved-issues-windows-10-1507.yml
+++ b/windows/release-information/resolved-issues-windows-10-1507.yml
@@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 10240.18244
June 11, 2019
KB4503291 | Resolved
KB4507458 | July 09, 2019
10:00 AM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 10240.18215
May 14, 2019
KB4499154 | Resolved
KB4505051 | May 19, 2019
02:00 PM PT |
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details > | OS Build 10240.18094
January 08, 2019
KB4480962 | Resolved
KB4493475 | April 09, 2019
10:00 AM PT |
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details > | OS Build 10240.18158
March 12, 2019
KB4489872 | Resolved
KB4493475 | April 09, 2019
10:00 AM PT |
@@ -52,6 +53,15 @@ sections:
"
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4507458.
Back to top | OS Build 10240.18244
June 11, 2019
KB4503291 | Resolved
KB4507458 | Resolved:
July 09, 2019
10:00 AM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: May 2019
- items:
- type: markdown
diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml
index 4b9f034e96..3ad444b3d0 100644
--- a/windows/release-information/resolved-issues-windows-10-1607.yml
+++ b/windows/release-information/resolved-issues-windows-10-1607.yml
@@ -32,6 +32,8 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.
See details > | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4507460 | July 09, 2019
10:00 AM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 14393.2999
May 23, 2019
KB4499177 | Resolved
KB4509475 | June 27, 2019
02:00 PM PT |
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 14393.3025
June 11, 2019
KB4503267 | Resolved
KB4503294 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 14393.2999
May 23, 2019
KB4499177 | Resolved
KB4503267 | June 11, 2019
10:00 AM PT |
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | OS Build 14393.2848
March 12, 2019
KB4489882 | Resolved
KB4503267 | June 11, 2019
10:00 AM PT |
@@ -68,6 +70,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499177. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509475.
Back to top | OS Build 14393.2999
May 23, 2019
KB4499177 | Resolved
KB4509475 | Resolved:
June 27, 2019
02:00 PM PT
Opened:
June 20, 2019
04:46 PM PT |
| Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503294.
Back to top | OS Build 14393.3025
June 11, 2019
KB4503267 | Resolved
KB4503294 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503267.
Back to top | OS Build 14393.2999
May 23, 2019
KB4499177 | Resolved
KB4503267 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
@@ -78,6 +81,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ Devices with Hyper-V enabled may receive BitLocker error 0xC0210000Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.
Affected platforms: - Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2016
Resolution: This issue was resolved in KB4507460.
Back to top | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4507460 | Resolved:
July 09, 2019
10:00 AM PT
Opened:
May 21, 2019
08:50 AM PT |
Update not showing as applicable through WSUS or SCCM or when manually installedKB4494440 or later updates may not show as applicable through WSUS or SCCM to the affected platforms. When manually installing the standalone update from Microsoft Update Catalog, it may fail to install with the error, \"The update is not applicable to your computer.\"
Affected platforms: - Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2016
Resolution: The servicing stack update (SSU) ( KB4498947) must be installed before installing the latest cumulative update (LCU). The LCU will not be reported as applicable until the SSU is installed. For more information, see Servicing stack updates.
Back to top | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4498947 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 24, 2019
04:20 PM PT |
| Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: We have released an \"optional, out-of-band\" update for Windows 10 ( KB4505052) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505052 from Windows Update and then restarting your device.
This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505052, search for it in the Microsoft Update Catalog.
Back to top | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4505052 | Resolved:
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
| Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | OS Build 14393.2941
April 25, 2019
KB4493473 | Resolved
KB4494440 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
diff --git a/windows/release-information/resolved-issues-windows-10-1703.yml b/windows/release-information/resolved-issues-windows-10-1703.yml
index d5caa67124..57777605fe 100644
--- a/windows/release-information/resolved-issues-windows-10-1703.yml
+++ b/windows/release-information/resolved-issues-windows-10-1703.yml
@@ -32,6 +32,8 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.
See details > | OS Build 15063.1805
May 14, 2019
KB4499181 | Resolved
KB4507450 | July 09, 2019
10:00 AM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 15063.1839
May 28, 2019
KB4499162 | Resolved
KB4509476 | June 26, 2019
04:00 PM PT |
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 15063.1868
June 11, 2019
KB4503279 | Resolved
KB4503289 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 15063.1839
May 28, 2019
KB4499162 | Resolved
KB4503279 | June 11, 2019
10:00 AM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 15063.1805
May 14, 2019
KB4499181 | Resolved
KB4505055 | May 19, 2019
02:00 PM PT |
@@ -63,6 +65,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499162. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509476.
Back to top | OS Build 15063.1839
May 28, 2019
KB4499162 | Resolved
KB4509476 | Resolved:
June 26, 2019
04:00 PM PT
Opened:
June 20, 2019
04:46 PM PT |
| Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503289.
Back to top | OS Build 15063.1868
June 11, 2019
KB4503279 | Resolved
KB4503289 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503279.
Back to top | OS Build 15063.1839
May 28, 2019
KB4499162 | Resolved
KB4503279 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
@@ -73,6 +76,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ Devices with Hyper-V enabled may receive BitLocker error 0xC0210000Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4499181 and restarting.
Affected platforms: - Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2016
Resolution: This issue was resolved in KB4507450.
Back to top | OS Build 15063.1805
May 14, 2019
KB4499181 | Resolved
KB4507450 | Resolved:
July 09, 2019
10:00 AM PT
Opened:
May 21, 2019
08:50 AM PT |
| Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: We have released an \"optional, out-of-band\" update for Windows 10 ( KB4505055) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505055 from Windows Update and then restarting your device.
This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505055, search for it in the Microsoft Update Catalog.
Back to top | OS Build 15063.1805
May 14, 2019
KB4499181 | Resolved
KB4505055 | Resolved:
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
| Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | OS Build 15063.1784
April 25, 2019
KB4493436 | Resolved
KB4499181 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml
index 0a611e7088..850dcb03d2 100644
--- a/windows/release-information/resolved-issues-windows-10-1709.yml
+++ b/windows/release-information/resolved-issues-windows-10-1709.yml
@@ -1,10 +1,10 @@
### YamlMime:YamlDocument
documentType: LandingData
-title: Resolved issues in Windows 10, version 1709 and Windows Server, vesion 1709
+title: Resolved issues in Windows 10, version 1709 and Windows Server, version 1709
metadata:
document_id:
- title: Resolved issues in Windows 10, version 1709 and Windows Server, vesion 1709
+ title: Resolved issues in Windows 10, version 1709 and Windows Server, version 1709
description: Resolved issues in Windows 10, version 1709 and Windows Server 1709
keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10, version 1709"]
ms.localizationpriority: high
@@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 16299.1182
May 28, 2019
KB4499147 | Resolved
KB4509477 | June 26, 2019
04:00 PM PT |
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 16299.1217
June 11, 2019
KB4503284 | Resolved
KB4503281 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 16299.1182
May 28, 2019
KB4499147 | Resolved
KB4503284 | June 11, 2019
10:00 AM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 16299.1143
May 14, 2019
KB4498946 | Resolved
KB4505062 | May 19, 2019
02:00 PM PT |
@@ -65,6 +66,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499147. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509477.
Back to top | OS Build 16299.1182
May 28, 2019
KB4499147 | Resolved
KB4509477 | Resolved:
June 26, 2019
04:00 PM PT
Opened:
June 20, 2019
04:46 PM PT |
| Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503281.
Back to top | OS Build 16299.1217
June 11, 2019
KB4503284 | Resolved
KB4503281 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503284.
Back to top | OS Build 16299.1182
May 28, 2019
KB4499147 | Resolved
KB4503284 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml
index 996005c7b9..df8d35b361 100644
--- a/windows/release-information/resolved-issues-windows-10-1803.yml
+++ b/windows/release-information/resolved-issues-windows-10-1803.yml
@@ -32,9 +32,9 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 17134.799
May 21, 2019
KB4499183 | Resolved
KB4509478 | June 26, 2019
04:00 PM PT |
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 17134.829
June 11, 2019
KB4503286 | Resolved
KB4503288 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 17134.799
May 21, 2019
KB4499183 | Resolved
KB4503286 | June 11, 2019
10:00 AM PT |
- Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.
See details > | OS Build 17134.648
March 12, 2019
KB4489868 | Resolved
KB4503286 | June 11, 2019
10:00 AM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 17134.765
May 14, 2019
KB4499167 | Resolved
KB4505064 | May 19, 2019
02:00 PM PT |
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | OS Build 17134.753
April 25, 2019
KB4493437 | Resolved
KB4499167 | May 14, 2019
10:00 AM PT |
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details > | OS Build 17134.753
April 25, 2019
KB4493437 | Resolved
KB4499167 | May 14, 2019
10:00 AM PT |
@@ -66,6 +66,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499183. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509478.
Back to top | OS Build 17134.799
May 21, 2019
KB4499183 | Resolved
KB4509478 | Resolved:
June 26, 2019
04:00 PM PT
Opened:
June 20, 2019
04:46 PM PT |
| Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503288.
Back to top | OS Build 17134.829
June 11, 2019
KB4503286 | Resolved
KB4503288 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503286.
Back to top | OS Build 17134.799
May 21, 2019
KB4499183 | Resolved
KB4503286 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
@@ -95,7 +96,6 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- Issue using PXE to start a device from WDSAfter installing KB4489868, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4503286.
Back to top | OS Build 17134.648
March 12, 2019
KB4489868 | Resolved
KB4503286 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT |
Custom URI schemes may not start corresponding applicationAfter installing KB4489868, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493437.
Back to top | OS Build 17134.648
March 12, 2019
KB4489868 | Resolved
KB4493437 | Resolved:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PT |
| End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493464.
Back to top | OS Build 17134.677
March 19, 2019
KB4489894 | Resolved
KB4493464 | Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 19, 2019
10:00 AM PT |
Stop error when attempting to start SSH from WSLAfter applying KB4489868, a stop error occurs when attempting to start the Secure Shell (SSH) client program from Windows Subsystem for Linux (WSL) with agent forwarding enabled using a command line switch (ssh -A) or a configuration setting.
Affected platforms: - Client: Windows 10, version 1803; Windows 10, version 1709
- Server: Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue was resolved in KB4493464.
Back to top | OS Build 17134.648
March 12, 2019
KB4489868 | Resolved
KB4493464 | Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT |
diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
index e0eab68c77..b5d57f8c65 100644
--- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
@@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 17763.529
May 21, 2019
KB4497934 | Resolved
KB4509479 | June 26, 2019
04:00 PM PT |
Devices with Realtek Bluetooth radios drivers may not pair or connect as expected
Devices with some Realtek Bluetooth radios drivers, in some circumstances, may have issues pairing or connecting to devices.
See details > | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
KB4501371 | June 18, 2019
02:00 PM PT |
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 17763.557
June 11, 2019
KB4503327 | Resolved
KB4501371 | June 18, 2019
02:00 PM PT |
Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) apps, you may receive an error.
See details > | OS Build 17763.379
March 12, 2019
KB4489899 | Resolved
KB4501371 | June 18, 2019
02:00 PM PT |
@@ -77,6 +78,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4497934. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509479.
Back to top | OS Build 17763.529
May 21, 2019
KB4497934 | Resolved
KB4509479 | Resolved:
June 26, 2019
04:00 PM PT
Opened:
June 20, 2019
04:46 PM PT |
| Devices with Realtek Bluetooth radios drivers may not pair or connect as expected In some circumstances, devices with Realtek Bluetooth radios may have issues pairing or connecting to Bluetooth devices due to a driver issue.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server 2019
Resolution: This issue was resolved in KB4501371.
Back to top | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
KB4501371 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 14, 2019
05:45 PM PT |
| Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4501371.
Back to top | OS Build 17763.557
June 11, 2019
KB4503327 | Resolved
KB4501371 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503327.
Back to top | OS Build 17763.529
May 21, 2019
KB4497934 | Resolved
KB4503327 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml
index 07a61ea961..226786acae 100644
--- a/windows/release-information/resolved-issues-windows-10-1903.yml
+++ b/windows/release-information/resolved-issues-windows-10-1903.yml
@@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 18362.175
June 11, 2019
KB4503293 | Resolved
KB4501375 | June 27, 2019
10:00 AM PT |
Duplicate folders and documents showing in user profile directory
If known folders (e.g. Desktop, Documents, or Pictures folders) are redirected, an empty folder with that same name may be created.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4497935 | May 29, 2019
02:00 PM PT |
Older versions of BattlEye anti-cheat software incompatible
Microsoft and BattlEye have identified a compatibility issue with some games that use older versions of BattlEye anti-cheat software.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| June 07, 2019
04:26 PM PT |
AMD RAID driver incompatibility
Installation process may stop when trying to install Windows 10, version 1903 update on computers that run certain versions of AMD RAID drivers.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| June 06, 2019
11:06 AM PT |
@@ -46,6 +47,15 @@ sections:
"
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4501375.
Back to top | OS Build 18362.175
June 11, 2019
KB4503293 | Resolved
KB4501375 | Resolved:
June 27, 2019
10:00 AM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: May 2019
- items:
- type: markdown
diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
index 3f1f8ce7af..2c5038bcff 100644
--- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -32,6 +32,8 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499164 | Resolved
KB4503277 | June 20, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503292 | Resolved
KB4503277 | June 20, 2019
02:00 PM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | May 14, 2019
KB4499164 | Resolved
KB4505050 | May 18, 2019
02:00 PM PT |
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493472 | Resolved
| May 14, 2019
01:23 PM PT |
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details > | April 09, 2019
KB4493472 | Resolved
| May 14, 2019
01:22 PM PT |
@@ -59,6 +61,16 @@ sections:
"
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503277. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499164 | Resolved
KB4503277 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503277. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503292 | Resolved
KB4503277 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: May 2019
- items:
- type: markdown
diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
index 71310515c7..45706d7e3c 100644
--- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
@@ -32,6 +32,8 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499151 | Resolved
KB4503283 | June 20, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503276 | Resolved
KB4503283 | June 20, 2019
02:00 PM PT |
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | March 12, 2019
KB4489881 | Resolved
KB4503276 | June 11, 2019
10:00 AM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | May 14, 2019
KB4499151 | Resolved
KB4505050 | May 18, 2019
02:00 PM PT |
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | April 25, 2019
KB4493443 | Resolved
KB4499151 | May 14, 2019
10:00 AM PT |
@@ -60,6 +62,16 @@ sections:
"
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503283. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499151 | Resolved
KB4503283 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503283. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503276 | Resolved
KB4503283 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: May 2019
- items:
- type: markdown
diff --git a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
index 251a66b50a..9d094123ba 100644
--- a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
+++ b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
@@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503273 | Resolved
KB4503271 | June 20, 2019
02:00 PM PT |
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details > | April 09, 2019
KB4493471 | Resolved
| May 14, 2019
01:21 PM PT |
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493471 | Resolved
| May 14, 2019
01:19 PM PT |
Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.
See details > | March 12, 2019
KB4489880 | Resolved
KB4499149 | May 14, 2019
10:00 AM PT |
@@ -52,6 +53,15 @@ sections:
"
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503271. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503273 | Resolved
KB4503271 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: April 2019
- items:
- type: markdown
diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml
index 144e2d3484..15736d25c5 100644
--- a/windows/release-information/resolved-issues-windows-server-2012.yml
+++ b/windows/release-information/resolved-issues-windows-server-2012.yml
@@ -32,6 +32,9 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Some devices and generation 2 Hyper-V VMs may have issues installing updates
Some devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing some updates when Secure Boot is enabled.
See details > | June 11, 2019
KB4503285 | Resolved
KB4503295 | June 21, 2019
02:00 PM PT |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499171 | Resolved
KB4503295 | June 21, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503285 | Resolved
KB4503295 | June 20, 2019
02:00 PM PT |
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | March 12, 2019
KB4489891 | Resolved
KB4503285 | June 11, 2019
10:00 AM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | May 14, 2019
KB4499171 | Resolved
KB4505050 | May 18, 2019
02:00 PM PT |
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | April 25, 2019
KB4493462 | Resolved
KB4499171 | May 14, 2019
10:00 AM PT |
@@ -57,6 +60,17 @@ sections:
"
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ Some devices and generation 2 Hyper-V VMs may have issues installing updatesSome devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing KB4503285 or later updates when Secure Boot is enabled.
Affected platforms: - Server: Windows Server 2012
Resolution: This issue was resolved in KB4503295. If your device is using Security Only updates, this issue was resolved in KB4508776.
Back to top | June 11, 2019
KB4503285 | Resolved
KB4503295 | Resolved:
June 21, 2019
02:00 PM PT
Opened:
June 19, 2019
04:57 PM PT |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503295. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499171 | Resolved
KB4503295 | Resolved:
June 21, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503295. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503285 | Resolved
KB4503295 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: May 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml
index 038724ee59..e81ad9523c 100644
--- a/windows/release-information/status-windows-10-1507.yml
+++ b/windows/release-information/status-windows-10-1507.yml
@@ -60,8 +60,8 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 10240.18244
June 11, 2019
KB4503291 | Mitigated
| June 13, 2019
02:21 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 10240.18094
January 08, 2019
KB4480962 | Mitigated
| April 25, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 10240.18244
June 11, 2019
KB4503291 | Resolved
KB4507458 | July 09, 2019
10:00 AM PT |
"
@@ -77,7 +77,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To mitigate this issue, see KB4508640.
Next steps: We are working on a resolution and estimate a solution will be available in late June.
Back to top | OS Build 10240.18244
June 11, 2019
KB4503291 | Mitigated
| Last updated:
June 13, 2019
02:21 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4507458.
Back to top | OS Build 10240.18244
June 11, 2019
KB4503291 | Resolved
KB4507458 | Resolved:
July 09, 2019
10:00 AM PT
Opened:
June 12, 2019
11:11 AM PT |
"
diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
index 5032531126..0136063415 100644
--- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
+++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
@@ -61,15 +61,15 @@ sections:
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
Some applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)
See details > | OS Build 14393.2941
April 25, 2019
KB4493473 | Mitigated
| June 07, 2019
04:25 PM PT |
- Devices running Windows Server 2016 with Hyper-V seeing Bitlocker error 0xC0210000
Some devices running Windows Server with Hyper-V enabled may start into Bitlocker recovery with error 0xC0210000
See details > | OS Build 14393.2969
May 14, 2019
KB4494440 | Mitigated
| May 23, 2019
09:57 AM PT |
Cluster service may fail if the minimum password length is set to greater than 14
The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.
See details > | OS Build 14393.2639
November 27, 2018
KB4467684 | Mitigated
| April 25, 2019
02:00 PM PT |
SCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.
See details > | OS Build 14393.2639
November 27, 2018
KB4467684 | Mitigated
| April 25, 2019
02:00 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 14393.2724
January 08, 2019
KB4480961 | Mitigated
| April 25, 2019
02:00 PM PT |
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.
See details > | OS Build 14393.2608
November 13, 2018
KB4467691 | Mitigated
| February 19, 2019
10:00 AM PT |
+ Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.
See details > | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4507460 | July 09, 2019
10:00 AM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 14393.2999
May 23, 2019
KB4499177 | Resolved
KB4509475 | June 27, 2019
02:00 PM PT |
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 14393.3025
June 11, 2019
KB4503267 | Resolved
KB4503294 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 14393.2999
May 23, 2019
KB4499177 | Resolved
KB4503267 | June 11, 2019
10:00 AM PT |
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | OS Build 14393.2848
March 12, 2019
KB4489882 | Resolved
KB4503267 | June 11, 2019
10:00 AM PT |
- Update not showing as applicable through WSUS or SCCM or when manually installed
Update not showing as applicable through WSUS or SCCM or when manually installed
See details > | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4498947 | May 14, 2019
10:00 AM PT |
"
@@ -86,6 +86,7 @@ sections:
text: "
| Details | Originating update | Status | History |
Some applications may fail to run as expected on clients of AD FS 2016Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of KB4493473 on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.
Affected platforms: - Server: Windows Server 2016
Workaround: You can use the Allow-From value of the header if the IFRAME is only accessing pages from a single-origin URL. On the affected server, open a PowerShell window as an administrator and run the following command: set-AdfsResponseHeaders -SetHeaderName X-Frame-Options -SetHeaderValue \"allow-from https://example.com\"
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 14393.2941
April 25, 2019
KB4493473 | Mitigated
| Last updated:
June 07, 2019
04:25 PM PT
Opened:
June 04, 2019
05:55 PM PT |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499177. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509475.
Back to top | OS Build 14393.2999
May 23, 2019
KB4499177 | Resolved
KB4509475 | Resolved:
June 27, 2019
02:00 PM PT
Opened:
June 20, 2019
04:46 PM PT |
| Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503294.
Back to top | OS Build 14393.3025
June 11, 2019
KB4503267 | Resolved
KB4503294 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503267.
Back to top | OS Build 14393.2999
May 23, 2019
KB4499177 | Resolved
KB4503267 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
@@ -96,8 +97,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- Devices running Windows Server 2016 with Hyper-V seeing Bitlocker error 0xC0210000Some devices running Windows Server 2016 with Hyper-V enabled may enter Bitlocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.
Note Windows 10, version 1607 may also be affected when Bitlocker and Hyper-V are both enabled.
Affected platforms: - Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2016
Workaround: If your device is already in this state, you can successfully start Windows after suspending Bitlocker from the Windows Recovery Environment (WinRE) using the following steps: - Retrieve the 48 digit Bitlocker recovery password for the OS volume from your organization's portal or from wherever the key was stored when Bitlocker was first enabled.
- From the recovery screen, press the enter key and enter the recovery password when prompted.
- If your device starts in the Windows Recovery Environment and asks for recovery key again, select Skip the drive to continue to WinRE.
- select Advanced options then Troubleshoot then Advanced options then Command Prompt.
- Unlock OS drive using the command: Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group>
- Suspend Bitlocker using the command: Manage-bde -protectors -disable c:
- Exit the command window using the command: exit
- Select Continue from recovery environment.
- The device should now start Windows.
- Once started, launch an Administrator Command Prompt and resume the Bitlocker to ensure the system remains protected, using the command: Manage-bde -protectors -enable c:
Note The workaround needs to be followed on every system restart unless Bitlocker is suspended before restarting.
To prevent this issue, execute the following command to temporarily suspend Bitlocker just before restarting the system: Manage-bde -protectors -disable c: -rc 1 Note This command will suspend Bitlocker for 1 restart of the device (-rc 1 option only works inside OS and does not work from recovery environment).
Next steps: Microsoft is presently investigating this issue and will provide an update when available.
Back to top | OS Build 14393.2969
May 14, 2019
KB4494440 | Mitigated
| Last updated:
May 23, 2019
09:57 AM PT
Opened:
May 21, 2019
08:50 AM PT |
- Update not showing as applicable through WSUS or SCCM or when manually installedKB4494440 or later updates may not show as applicable through WSUS or SCCM to the affected platforms. When manually installing the standalone update from Microsoft Update Catalog, it may fail to install with the error, \"The update is not applicable to your computer.\"
Affected platforms: - Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2016
Resolution: The servicing stack update (SSU) ( KB4498947) must be installed before installing the latest cumulative update (LCU). The LCU will not be reported as applicable until the SSU is installed. For more information, see Servicing stack updates.
Back to top | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4498947 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 24, 2019
04:20 PM PT |
+ Devices with Hyper-V enabled may receive BitLocker error 0xC0210000Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.
Affected platforms: - Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2016
Resolution: This issue was resolved in KB4507460.
Back to top | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4507460 | Resolved:
July 09, 2019
10:00 AM PT
Opened:
May 21, 2019
08:50 AM PT |
"
diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml
index 1a2f316a92..99416c1cc3 100644
--- a/windows/release-information/status-windows-10-1703.yml
+++ b/windows/release-information/status-windows-10-1703.yml
@@ -61,6 +61,8 @@ sections:
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 15063.1563
January 08, 2019
KB4480973 | Mitigated
| April 25, 2019
02:00 PM PT |
+ Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.
See details > | OS Build 15063.1805
May 14, 2019
KB4499181 | Resolved
KB4507450 | July 09, 2019
10:00 AM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 15063.1839
May 28, 2019
KB4499162 | Resolved
KB4509476 | June 26, 2019
04:00 PM PT |
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 15063.1868
June 11, 2019
KB4503279 | Resolved
KB4503289 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 15063.1839
May 28, 2019
KB4499162 | Resolved
KB4503279 | June 11, 2019
10:00 AM PT |
@@ -78,11 +80,21 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499162. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509476.
Back to top | OS Build 15063.1839
May 28, 2019
KB4499162 | Resolved
KB4509476 | Resolved:
June 26, 2019
04:00 PM PT
Opened:
June 20, 2019
04:46 PM PT |
| Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503289.
Back to top | OS Build 15063.1868
June 11, 2019
KB4503279 | Resolved
KB4503289 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503279.
Back to top | OS Build 15063.1839
May 28, 2019
KB4499162 | Resolved
KB4503279 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
"
+- title: May 2019
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ Devices with Hyper-V enabled may receive BitLocker error 0xC0210000Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4499181 and restarting.
Affected platforms: - Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2016
Resolution: This issue was resolved in KB4507450.
Back to top | OS Build 15063.1805
May 14, 2019
KB4499181 | Resolved
KB4507450 | Resolved:
July 09, 2019
10:00 AM PT
Opened:
May 21, 2019
08:50 AM PT |
+
+ "
+
- title: January 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml
index bcb005f9a8..3363497f79 100644
--- a/windows/release-information/status-windows-10-1709.yml
+++ b/windows/release-information/status-windows-10-1709.yml
@@ -61,6 +61,7 @@ sections:
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 16299.904
January 08, 2019
KB4480978 | Mitigated
| April 25, 2019
02:00 PM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 16299.1182
May 28, 2019
KB4499147 | Resolved
KB4509477 | June 26, 2019
04:00 PM PT |
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 16299.1217
June 11, 2019
KB4503284 | Resolved
KB4503281 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 16299.1182
May 28, 2019
KB4499147 | Resolved
KB4503284 | June 11, 2019
10:00 AM PT |
@@ -78,6 +79,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499147. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509477.
Back to top | OS Build 16299.1182
May 28, 2019
KB4499147 | Resolved
KB4509477 | Resolved:
June 26, 2019
04:00 PM PT
Opened:
June 20, 2019
04:46 PM PT |
| Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503281.
Back to top | OS Build 16299.1217
June 11, 2019
KB4503284 | Resolved
KB4503281 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503284.
Back to top | OS Build 16299.1182
May 28, 2019
KB4499147 | Resolved
KB4503284 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml
index 79f9c6cc48..bbff4c0692 100644
--- a/windows/release-information/status-windows-10-1803.yml
+++ b/windows/release-information/status-windows-10-1803.yml
@@ -62,9 +62,9 @@ sections:
| Summary | Originating update | Status | Last updated |
Startup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.
See details > | OS Build 17134.829
June 11, 2019
KB4503286 | Mitigated
| June 14, 2019
04:41 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 17134.523
January 08, 2019
KB4480966 | Mitigated
| April 25, 2019
02:00 PM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 17134.799
May 21, 2019
KB4499183 | Resolved
KB4509478 | June 26, 2019
04:00 PM PT |
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 17134.829
June 11, 2019
KB4503286 | Resolved
KB4503288 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 17134.799
May 21, 2019
KB4499183 | Resolved
KB4503286 | June 11, 2019
10:00 AM PT |
- Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.
See details > | OS Build 17134.648
March 12, 2019
KB4489868 | Resolved
KB4503286 | June 11, 2019
10:00 AM PT |
"
@@ -81,20 +81,12 @@ sections:
text: "
| Details | Originating update | Status | History |
| Startup to a black screen after installing updates We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803
- Server: Windows Server 2019
Workaround: To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17134.829
June 11, 2019
KB4503286 | Mitigated
| Last updated:
June 14, 2019
04:41 PM PT
Opened:
June 14, 2019
04:41 PM PT |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499183. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509478.
Back to top | OS Build 17134.799
May 21, 2019
KB4499183 | Resolved
KB4509478 | Resolved:
June 26, 2019
04:00 PM PT
Opened:
June 20, 2019
04:46 PM PT |
| Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503288.
Back to top | OS Build 17134.829
June 11, 2019
KB4503286 | Resolved
KB4503288 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503286.
Back to top | OS Build 17134.799
May 21, 2019
KB4499183 | Resolved
KB4503286 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
"
-- title: March 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- Issue using PXE to start a device from WDSAfter installing KB4489868, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4503286.
Back to top | OS Build 17134.648
March 12, 2019
KB4489868 | Resolved
KB4503286 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT |
-
- "
-
- title: January 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
index d7c3a03b69..0f816b4c0d 100644
--- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
@@ -68,12 +68,12 @@ sections:
Startup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.
See details > | OS Build 17763.557
June 11, 2019
KB4503327 | Mitigated
| June 14, 2019
04:41 PM PT |
Devices with some Asian language packs installed may receive an error
After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F
See details > | OS Build 17763.437
April 09, 2019
KB4493509 | Mitigated
| May 03, 2019
10:59 AM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 17763.253
January 08, 2019
KB4480116 | Mitigated
| April 09, 2019
10:00 AM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 17763.529
May 21, 2019
KB4497934 | Resolved
KB4509479 | June 26, 2019
04:00 PM PT |
Devices with Realtek Bluetooth radios drivers may not pair or connect as expected
Devices with some Realtek Bluetooth radios drivers, in some circumstances, may have issues pairing or connecting to devices.
See details > | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
KB4501371 | June 18, 2019
02:00 PM PT |
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 17763.557
June 11, 2019
KB4503327 | Resolved
KB4501371 | June 18, 2019
02:00 PM PT |
Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) apps, you may receive an error.
See details > | OS Build 17763.379
March 12, 2019
KB4489899 | Resolved
KB4501371 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 17763.529
May 21, 2019
KB4497934 | Resolved
KB4503327 | June 11, 2019
10:00 AM PT |
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.
See details > | OS Build 17763.379
March 12, 2019
KB4489899 | Resolved
KB4503327 | June 11, 2019
10:00 AM PT |
- Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Upgrade block: Microsoft has identified issues with certain new Intel display drivers, which accidentally turn on unsupported features in Windows.
See details > | OS Build 17763.134
November 13, 2018
KB4467708 | Resolved
| May 21, 2019
07:42 AM PT |
"
@@ -90,6 +90,7 @@ sections:
text: "
| Details | Originating update | Status | History |
| Startup to a black screen after installing updates We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803
- Server: Windows Server 2019
Workaround: To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17763.557
June 11, 2019
KB4503327 | Mitigated
| Last updated:
June 14, 2019
04:41 PM PT
Opened:
June 14, 2019
04:41 PM PT |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4497934. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509479.
Back to top | OS Build 17763.529
May 21, 2019
KB4497934 | Resolved
KB4509479 | Resolved:
June 26, 2019
04:00 PM PT
Opened:
June 20, 2019
04:46 PM PT |
| Devices with Realtek Bluetooth radios drivers may not pair or connect as expected In some circumstances, devices with Realtek Bluetooth radios may have issues pairing or connecting to Bluetooth devices due to a driver issue.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server 2019
Resolution: This issue was resolved in KB4501371.
Back to top | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
KB4501371 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 14, 2019
05:45 PM PT |
| Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4501371.
Back to top | OS Build 17763.557
June 11, 2019
KB4503327 | Resolved
KB4501371 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503327.
Back to top | OS Build 17763.529
May 21, 2019
KB4497934 | Resolved
KB4503327 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
@@ -123,12 +124,3 @@ sections:
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following: - Perform the operation from a process that has administrator privilege.
- Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17763.253
January 08, 2019
KB4480116 | Mitigated
| Last updated:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT |
"
-
-- title: November 2018
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- | Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort Upgrade block: Microsoft has identified issues with certain new Intel display drivers. Intel inadvertently released versions of its display driver (versions 24.20.100.6344, 24.20.100.6345) to OEMs that accidentally turned on unsupported features in Windows. As a result, after updating to Windows 10, version 1809, audio playback from a monitor or television connected to a PC via HDMI, USB-C, or a DisplayPort may not function correctly on devices with these drivers. Note: This Intel display driver issue is different from the Intel Smart Sound Technology driver (version 09.21.00.3755) audio issue previously documented.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Next steps: Intel has released updated drivers to OEM device manufacturers. OEMs need to make the updated driver available via Windows Update. For more information, see the Intel Customer Support article.
Resolution: Microsoft has removed the safeguard hold.
Back to top | OS Build 17763.134
November 13, 2018
KB4467708 | Resolved
| Resolved:
May 21, 2019
07:42 AM PT
Opened:
November 13, 2018
10:00 AM PT |
-
- "
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml
index b4cca0b008..2ab20e2c38 100644
--- a/windows/release-information/status-windows-10-1903.yml
+++ b/windows/release-information/status-windows-10-1903.yml
@@ -70,17 +70,15 @@ sections:
Loss of functionality in Dynabook Smartphone Link app
After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.
See details > | OS Build 18362.116
May 20, 2019
KB4505057 | Investigating
| May 24, 2019
03:10 PM PT |
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Investigating
| May 21, 2019
04:47 PM PT |
Audio not working with Dolby Atmos headphones and home theater
Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Investigating
| May 21, 2019
07:17 AM PT |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 18362.175
June 11, 2019
KB4503293 | Mitigated
| June 13, 2019
02:21 PM PT |
+ RASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.
See details > | OS Build 18362.145
May 29, 2019
KB4497935 | Mitigated
| July 01, 2019
05:04 PM PT |
Error attempting to update with external USB device or memory card attached
PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| June 11, 2019
12:34 PM PT |
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| May 24, 2019
11:02 AM PT |
Unable to discover or connect to Bluetooth devices
Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| May 21, 2019
04:48 PM PT |
Intel Audio displays an intcdaud.sys notification
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in battery drain.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| May 21, 2019
04:47 PM PT |
Cannot launch Camera app
Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| May 21, 2019
04:47 PM PT |
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| May 21, 2019
04:46 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 18362.175
June 11, 2019
KB4503293 | Resolved
KB4501375 | June 27, 2019
10:00 AM PT |
Duplicate folders and documents showing in user profile directory
If known folders (e.g. Desktop, Documents, or Pictures folders) are redirected, an empty folder with that same name may be created.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4497935 | May 29, 2019
02:00 PM PT |
- Older versions of BattlEye anti-cheat software incompatible
Microsoft and BattlEye have identified a compatibility issue with some games that use older versions of BattlEye anti-cheat software.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| June 07, 2019
04:26 PM PT |
- AMD RAID driver incompatibility
Installation process may stop when trying to install Windows 10, version 1903 update on computers that run certain versions of AMD RAID drivers.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| June 06, 2019
11:06 AM PT |
- D3D applications and games may fail to enter full-screen mode on rotated displays
Some Direct3D (D3D) applications and games may fail to enter full-screen mode on rotated displays.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4497935 | May 29, 2019
02:00 PM PT |
"
@@ -96,7 +94,8 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To mitigate this issue, see KB4508640.
Next steps: We are working on a resolution and estimate a solution will be available in late June.
Back to top | OS Build 18362.175
June 11, 2019
KB4503293 | Mitigated
| Last updated:
June 13, 2019
02:21 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+ | RASMAN service may stop working and result in the error “0xc0000005” The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0. You may also receive an error in the Application section of Windows Logs in Event Viewer with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.
This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.
Affected platforms - Client: Windows 10, version 1903
Workaround: To mitigate this issue, use one of the steps below, either the group policy step or the registry step, to configure one of the default telemetry settings:
Set the value for the following group policy settings: - Group Policy Path: Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Telemetry
- Safe Policy Setting: Enabled and set to 1 (Basic) or 2 (Enhanced) or 3 (Full)
Or set the following registry value: SubKey: HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection Setting: AllowTelemetry Type: REG_DWORD Value: 1, 2 or 3
Note If the Remote Access Connection Manager service is not running after setting the Group Policy or registry key, you will need to manually start the service or restart the device.
Next Steps: We are working on a resolution and estimate a solution will be available in late July.
Back to top | OS Build 18362.145
May 29, 2019
KB4497935 | Mitigated
| Last updated:
July 01, 2019
05:04 PM PT
Opened:
June 28, 2019
05:01 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4501375.
Back to top | OS Build 18362.175
June 11, 2019
KB4503293 | Resolved
KB4501375 | Resolved:
June 27, 2019
10:00 AM PT
Opened:
June 12, 2019
11:11 AM PT |
"
@@ -116,8 +115,5 @@ sections:
| Cannot launch Camera app Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating: \"Close other apps, error code: 0XA00F4243.”
To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Workaround: To temporarily resolve this issue, perform one of the following:
- Unplug your camera and plug it back in.
or - Disable and re-enable the driver in Device Manager. In the Search box, type \"Device Manager\" and press Enter. In the Device Manager dialog box, expand Cameras, then right-click on any RealSense driver listed and select Disable device. Right click on the driver again and select Enable device.
or - Restart the RealSense service. In the Search box, type \"Task Manager\" and hit Enter. In the Task Manager dialog box, click on the Services tab, right-click on RealSense, and select Restart.
Note This workaround will only resolve the issue until your next system restart.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| Last updated:
May 21, 2019
04:47 PM PT
Opened:
May 21, 2019
07:20 AM PT |
| Intermittent loss of Wi-Fi connectivity Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).
To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.
Affected platforms: - Client: Windows 10, version 1903
Workaround: Download and install an updated Wi-Fi driver from your device manufacturer (OEM). Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| Last updated:
May 21, 2019
04:46 PM PT
Opened:
May 21, 2019
07:13 AM PT |
| Duplicate folders and documents showing in user profile directory If you have redirected known folders (e.g. Desktop, Documents, or Pictures folders) you may see an empty folder with the same name in your %userprofile% directories after updating to Windows 10, version 1903. This may occur if known folders were redirected when you chose to back up your content to OneDrive using the OneDrive wizard, or if you chose to back up your content during the Windows Out-of-Box-Experience (OOBE). This may also occur if you redirected your known folders manually through the Properties dialog box in File Explorer. This issue does not cause any user files to be deleted and a solution is in progress.
To safeguard your update experience, we have applied a quality hold on devices with redirected known folders from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4497935 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Window 10, version 1903. (Posted June 11, 2019)
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4497935 | Resolved:
May 29, 2019
02:00 PM PT
Opened:
May 21, 2019
07:16 AM PT |
- | Older versions of BattlEye anti-cheat software incompatible Microsoft and BattlEye have identified a compatibility issue with some games that use older versions of BattlEye anti-cheat software. When launching a game that uses an older, impacted version of BattlEye anti-cheat software on a device running Windows 10, version 1903, the device may experience a system crash.
To safeguard your gaming experience, we have applied a compatibility hold on devices with the impacted versions of BattlEye software used by games installed on your PC. This will prevent Windows 10, version 1903 from being offered until the incompatible version of BattlEye software is no longer installed on the device.
Affected platforms: - Client: Windows 10, version 1903
Workaround: Before updating your machine, we recommend you do one or more of the following:
- Verify that your game is up to date with the latest available version of BattlEye software. Some game platforms allow you to validate your game files, which can confirm that your installation is fully up to date.
- Restart your system and open the game again.
- Uninstall BattlEye using https://www.battleye.com/downloads/UninstallBE.exe, and then reopen your game.
- Uninstall and reinstall your game.
Resolution: This issue was resolved externally by BattlEye for all known impacted games. For a list of recent games that use BattlEye, go to https://www.battleye.com/. We recommend following the workaround before updating to Windows 10, version 1903, as games with incompatible versions of BattleEye may fail to open after updating Windows. If you have confirmed your game is up to date and you have any issues with opening games related to a BattlEye error, please see https://www.battleye.com/support/faq/.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| Resolved:
June 07, 2019
04:26 PM PT
Opened:
May 21, 2019
07:34 AM PT |
- | AMD RAID driver incompatibility Microsoft and AMD have identified an incompatibility with AMD RAID driver versions earlier than 9.2.0.105. When you attempt to install the Windows 10, version 1903 update on a Windows 10-based computer with an affected driver version, the installation process stops and you get a message like the following: AMD Ryzen™ or AMD Ryzen™ Threadripper™ configured in SATA or NVMe RAID mode. “A driver is installed that causes stability problems on Windows. This driver will be disabled. Check with your software/driver provider for an updated version that runs on this version of Windows.” To safeguard your update experience, we have applied a compatibility hold on devices with these AMD drivers from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue has been resolved externally by AMD. To resolve this issue, you will need to download the latest AMD RAID drivers directly from AMD at https://www.amd.com/en/support/chipsets/amd-socket-tr4/x399. The drivers must be version 9.2.0.105 or later. Install the drivers on the affected computer, and then restart the installation process for the Windows 10, version 1903 feature update. Note The safeguard hold will remain in place on machines with the older AMD RAID drivers. We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
| Resolved:
June 06, 2019
11:06 AM PT
Opened:
May 21, 2019
07:12 AM PT |
- | D3D applications and games may fail to enter full-screen mode on rotated displays Some Direct3D (D3D) applications and games (e.g., 3DMark) may fail to enter full-screen mode on displays where the display orientation has been changed from the default (e.g., a landscape display in portrait mode).
Affected platforms: - Client: Windows 10, version 1903
- Server: Windows Server, version 1903
Resolution: This issue was resolved in KB4497935.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4497935 | Resolved:
May 29, 2019
02:00 PM PT
Opened:
May 21, 2019
07:05 AM PT |
"
diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
index 256030a289..02209f2340 100644
--- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -60,9 +60,9 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503292 | Mitigated
| June 13, 2019
02:21 PM PT |
- IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working
See details > | May 14, 2019
KB4499164 | Mitigated
| June 13, 2019
02:21 PM PT |
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
See details > | April 09, 2019
KB4493472 | Mitigated
| April 25, 2019
02:00 PM PT |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499164 | Resolved
KB4503277 | June 20, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503292 | Resolved
KB4503277 | June 20, 2019
02:00 PM PT |
"
@@ -78,8 +78,8 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To mitigate this issue, see KB4508640.
Next steps: We are working on a resolution and estimate a solution will be available in late June.
Back to top | June 11, 2019
KB4503292 | Mitigated
| Last updated:
June 13, 2019
02:21 PM PT
Opened:
June 12, 2019
11:11 AM PT |
- | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Workaround: To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.
Next steps: We are working on a resolution and estimate a solution will be available in late June.
Back to top | May 14, 2019
KB4499164 | Mitigated
| Last updated:
June 13, 2019
02:21 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503277. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499164 | Resolved
KB4503277 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503277. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503292 | Resolved
KB4503277 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
index c6f2a419b8..0c01e06684 100644
--- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
@@ -60,11 +60,11 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503276 | Mitigated
| June 13, 2019
02:21 PM PT |
- IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working
See details > | May 14, 2019
KB4499151 | Mitigated
| June 13, 2019
02:21 PM PT |
Japanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
See details > | April 25, 2019
KB4493443 | Mitigated
| May 15, 2019
05:53 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
See details > | January 08, 2019
KB4480963 | Mitigated
| April 25, 2019
02:00 PM PT |
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
See details > | April 09, 2019
KB4493446 | Mitigated
| April 18, 2019
05:00 PM PT |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499151 | Resolved
KB4503283 | June 20, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503276 | Resolved
KB4503283 | June 20, 2019
02:00 PM PT |
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | March 12, 2019
KB4489881 | Resolved
KB4503276 | June 11, 2019
10:00 AM PT |
"
@@ -81,8 +81,8 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To mitigate this issue, see KB4508640.
Next steps: We are working on a resolution and estimate a solution will be available in late June.
Back to top | June 11, 2019
KB4503276 | Mitigated
| Last updated:
June 13, 2019
02:21 PM PT
Opened:
June 12, 2019
11:11 AM PT |
- | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Workaround: To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.
Next steps: We are working on a resolution and estimate a solution will be available in late June.
Back to top | May 14, 2019
KB4499151 | Mitigated
| Last updated:
June 13, 2019
02:21 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503283. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499151 | Resolved
KB4503283 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503283. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503276 | Resolved
KB4503283 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml
index 34d366614e..4d86a87e46 100644
--- a/windows/release-information/status-windows-server-2008-sp2.yml
+++ b/windows/release-information/status-windows-server-2008-sp2.yml
@@ -60,7 +60,7 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503273 | Mitigated
| June 13, 2019
02:21 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503273 | Resolved
KB4503271 | June 20, 2019
02:00 PM PT |
"
@@ -76,6 +76,6 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To mitigate this issue, see KB4508640.
Next steps: We are working on a resolution and estimate a solution will be available in late June.
Back to top | June 11, 2019
KB4503273 | Mitigated
| Last updated:
June 13, 2019
02:21 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503271. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503273 | Resolved
KB4503271 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml
index a7ddbf6451..7588536963 100644
--- a/windows/release-information/status-windows-server-2012.yml
+++ b/windows/release-information/status-windows-server-2012.yml
@@ -60,10 +60,11 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503285 | Mitigated
| June 13, 2019
02:21 PM PT |
- IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working
See details > | May 14, 2019
KB4499171 | Mitigated
| June 13, 2019
02:21 PM PT |
Japanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
See details > | April 25, 2019
KB4493462 | Mitigated
| May 15, 2019
05:53 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
See details > | January 08, 2019
KB4480975 | Mitigated
| April 25, 2019
02:00 PM PT |
+ Some devices and generation 2 Hyper-V VMs may have issues installing updates
Some devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing some updates when Secure Boot is enabled.
See details > | June 11, 2019
KB4503285 | Resolved
KB4503295 | June 21, 2019
02:00 PM PT |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499171 | Resolved
KB4503295 | June 21, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503285 | Resolved
KB4503295 | June 20, 2019
02:00 PM PT |
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | March 12, 2019
KB4489891 | Resolved
KB4503285 | June 11, 2019
10:00 AM PT |
"
@@ -80,8 +81,9 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To mitigate this issue, see KB4508640.
Next steps: We are working on a resolution and estimate a solution will be available in late June.
Back to top | June 11, 2019
KB4503285 | Mitigated
| Last updated:
June 13, 2019
02:21 PM PT
Opened:
June 12, 2019
11:11 AM PT |
- | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Workaround: To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.
Next steps: We are working on a resolution and estimate a solution will be available in late June.
Back to top | May 14, 2019
KB4499171 | Mitigated
| Last updated:
June 13, 2019
02:21 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ Some devices and generation 2 Hyper-V VMs may have issues installing updatesSome devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing KB4503285 or later updates when Secure Boot is enabled.
Affected platforms: - Server: Windows Server 2012
Resolution: This issue was resolved in KB4503295. If your device is using Security Only updates, this issue was resolved in KB4508776.
Back to top | June 11, 2019
KB4503285 | Resolved
KB4503295 | Resolved:
June 21, 2019
02:00 PM PT
Opened:
June 19, 2019
04:57 PM PT |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503295. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499171 | Resolved
KB4503295 | Resolved:
June 21, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503295. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503285 | Resolved
KB4503295 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml
index 08b34fe4ba..31946a06a8 100644
--- a/windows/release-information/windows-message-center.yml
+++ b/windows/release-information/windows-message-center.yml
@@ -50,6 +50,9 @@ sections:
text: "
| Message | Date |
+ Evolving Windows 10 servicing and quality
Find out how we plan to further optimize the delivery of the next Windows 10 feature update for devices running Windows 10, version 1903. If you're a commercial customer, please see the Windows IT Pro Blog for more details on how to plan for this new update option in your environment. | July 01, 2019
02:00 PM PT |
+ Windows 10, version 1903 starting to roll out to devices running Windows 10, version 1803 and earlier
We are now beginning to build and train the machine learning (ML) based rollout process to update devices running Windows 10, version 1803 (the April 2018 Update) and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates, and improvements. | June 18, 2019
02:00 PM PT |
+ Windows 10, version 1903 available by selecting “Check for updates”
Windows 10, version 1903 is now available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel. | June 06, 2019
06:00 PM PT |
Windows 10, version 1903 rollout begins
The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback. | May 21, 2019
10:00 AM PT |
What’s new in Windows Update for Business
We are enhancing and expanding the capabilities of Windows Update for Business to make the move to the cloud even easier. From simplified branch readiness options to better control over deadlines and reboots, read about the enhancements to Windows Update for Business as a part of Windows 10, version 1903. | May 21, 2019
10:00 AM PT |
What’s new for businesses and IT pros in Windows 10
Explore the newest capabilities for businesses and IT in the latest feature update in the areas of intelligent security, simplified updates, flexible management, and enhanced productivity. | May 21, 2019
10:00 AM PT |
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index d407ef1215..14b733039f 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -32,14 +32,12 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
- "uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
- "ms.author": "justinha",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.security",
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 364908841f..d63ee0bd86 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -193,7 +193,7 @@ The DSMA is a well-known user account type.
It is a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic.
The DSMA is disabled by default on the desktop SKUs (full windows SKUs) and WS 2016 with the Desktop.
-The DSMA has a well-known RID of 503. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: S-1-5-21--503
+The DSMA has a well-known RID of 503. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: S-1-5-21-\-503
The DSMA is a member of the well-known group **System Managed Accounts Group**, which has a well-known SID of S-1-5-32-581.
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index 576e8b4fd0..d8db3e63d2 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -283,6 +283,14 @@ The following table describes changes in SID implementation in the Windows opera
| Most of the operating system files are owned by the TrustedInstaller security identifier (SID)| Windows Server 2008, Windows Vista| The purpose of this change is to prevent a process that is running as an administrator or under the LocalSystem account from automatically replacing the operating system files. |
| Restricted SID checks are implemented| Windows Server 2008, Windows Vista| When restricting SIDs are present, Windows performs two access checks. The first is the normal access check, and the second is the same access check against the restricting SIDs in the token. Both access checks must pass to allow the process to access the object. |
+## Capability SIDs
+
+Capability Security Identifiers (SIDs) are used to uniquely and immutably identify capabilities. Capabilities represent an unforgeable token of authority that grants access to resources (Examples: documents, camera, locations etc...) to Universal Windows Applications. An App that “has” a capability is granted access to the resource the capability is associated with, and one that “does not have” a capability is denied access to the resource.
+
+All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location.
+
+All Capability SIDs are prefixed by S-1-15-3
+
## See also
- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 6b0c32bc57..57524af4a3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -19,7 +19,7 @@ ms.reviewer:
# Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments
**Applies to**
-- Windows 10, version 1702 or later
+- Windows 10, version 1703 or later
- Windows Server, versions 2016 and 2019
- Hybrid or On-Premises deployment
- Key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
index ec2e495b92..6865d59384 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
@@ -182,7 +182,7 @@ The User Portal and Mobile Application web services need to communicate with the
1. Open **Active Directory Users and Computers**.
2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**.
-3. In the **New Object – User** dialog box, type **PFWSDK_** in the **First name** and **User logon name** boxes, where ** is the name of the primary MFA server running the Web Services SDK. Click **Next**.
+3. In the **New Object – User** dialog box, type **PFWSDK_\** in the **First name** and **User logon name** boxes, where *\* is the name of the primary MFA server running the Web Services SDK. Click **Next**.
4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account.
#### Add the MFA SDK user account to the Phonefactor Admins group
@@ -192,7 +192,7 @@ Adding the WebServices SDK user account to the Phonefactor Admins group provides
1. Open **Active Directory Users and Computers**.
2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactor Admins** security group and select Properties.
3. Click the Members tab.
-4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**.
+4. Click **Add**. Click **Object Types..** Type the PFWSDK_\ user name in the **Enter the object names to select** box and then click **OK**.
* The computer account for the primary MFA Server
* The Webservices SDK user account
* Group or user account that will manage the User Portal server.
@@ -507,7 +507,7 @@ Sign in the primary AD FS server with _local administrator_ equivalent credentia
Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
+Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **\** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
### Run the AD FS Adapter PowerShell cmdlet
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 4e0e71aa57..eaf63601ae 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -66,6 +66,9 @@ After a successful key registration, Windows creates a certificate request using
The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
+> [!NOTE]
+> In order for AD FS to verify the key used in the certificate request, it needs to be able to access the https://enterpriseregistration.windows.net endpoint.
+
The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index da3bf064e5..c4d3011a16 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -28,6 +28,9 @@ The Windows Server 2016 Active Directory Federation Server Certificate Registrat
The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.
+> [!NOTE]
+> In order for AD FS to verify user certificate requests for Windows Hello for Business, it needs to be able to access the https://enterpriseregistration.windows.net endpoint.
+
### Configure the Registration Authority
Sign-in the AD FS server with *Domain Admin* equivalent credentials.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 6e3126b3c7..3a8ba5db87 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -55,7 +55,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
8. Close the console.
-#### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template
+#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template
Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
@@ -77,6 +77,9 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
+>[!NOTE]
+>The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
+
### Enrollment Agent certificate template
Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate life-cycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
@@ -183,6 +186,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise
4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window.
5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
+
### Section Review
> [!div class="checklist"]
> * Domain Controller certificate template
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 561401fa44..d1342ab11f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -66,7 +66,7 @@ The minimum required enterprise certificate authority that can be used with Wind
* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name).
* The certificate Key Usage section must contain Digital Signature and Key Encipherment.
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
-* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1).
+* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
* The certificate template must have an extension that has the BMP data value "DomainController".
* The domain controller certificate must be installed in the local computer's certificate store.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 0c6d6de655..bda944c54a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -77,6 +77,8 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
+>[!NOTE]
+>The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
### Publish Certificate Templates to a Certificate Authority
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 83bb883504..ba1e004510 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -26,7 +26,7 @@ Windows Hello addresses the following problems with passwords:
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673).
-- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674).
+- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing).
>[!div class="mx-tdBreakAll"]
>| | | |
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
index 9b6ae813f1..eb46ba61fe 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
@@ -182,7 +182,7 @@ The User Portal and Mobile Application web services need to communicate with the
1. Open **Active Directory Users and Computers**.
2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**.
-3. In the **New Object – User** dialog box, type **PFWSDK_** in the **First name** and **User logon name** boxes, where ** is the name of the primary MFA server running the Web Services SDK. Click **Next**.
+3. In the **New Object – User** dialog box, type **PFWSDK_\** in the **First name** and **User logon name** boxes, where *\* is the name of the primary MFA server running the Web Services SDK. Click **Next**.
4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account.
#### Add the MFA SDK user account to the Phonefactor Admins group
@@ -192,7 +192,7 @@ Adding the WebServices SDK user account to the Phonefactor Admins group provides
1. Open **Active Directory Users and Computers**.
2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties.
3. Click the Members tab.
-4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**.
+4. Click **Add**. Click **Object Types..** Type the PFWSDK_\ user name in the **Enter the object names to select** box and then click **OK**.
* The computer account for the primary MFA Server
* The Webservices SDK user account
* Group or user account that will manage the User Portal server.
@@ -507,7 +507,7 @@ Sign in the primary AD FS server with _local administrator_ equivalent credentia
Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
+Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **\** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
### Run the AD FS Adapter PowerShell cmdlet
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index d7b76ad3f5..cd6424eb47 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -53,9 +53,9 @@ Windows stores biometric data that is used to implement Windows Hello securely o
## The difference between Windows Hello and Windows Hello for Business
-- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, however it is not backed by asymmetric (public/private key) or certificate-based authentication.
+- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, but can use a simple password hash depending on an individual's account type. This configuration is referred to as Windows Hello convenience PIN and it is not backed by asymmetric (public/private key) or certificate-based authentication.
-- Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, uses key-based or certificate-based authentication.
+- **Windows Hello for Business**, which is configured by Group Policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This makes it much more secure than **Windows Hello convenience PIN**.
## Benefits of Windows Hello
@@ -95,7 +95,6 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Windows Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust.
-
## Learn more
[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 2a808c73fa..e3226ec136 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -1713,7 +1713,7 @@ In **Configure user storage of BitLocker recovery information**, select whether
Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you cannot specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.
-In **Save BitLocker recovery information to Active Directory Doman Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS.
+In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS.
Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS.
For more information about the BitLocker repair tool, see [Repair-bde](https://technet.microsoft.com/library/ff829851.aspx).
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index a5e58c1e6b..8dd40cf580 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -101,7 +101,7 @@ To install the role using Windows PowerShell, use the following command:
Install-WindowsFeature WDS-Deployment
```
-You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard.
+You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard.
### Confirm the WDS Service is running
diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index a251c95b5e..7f618aa9ba 100644
--- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -43,7 +43,7 @@ It is important to note that this binding to PCR values also includes the hashin
## What happens when PCR banks are switched?
-When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. For the same input, each hash algorithm will return a different cryptographic signature for the same inputs.
+When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs.
As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR banks to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows 10 will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 736efd6668..6edaaf0f7d 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -10,9 +10,9 @@ ms.mktglfcycl:
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
-ms.author: dolmont
-manager: dansimp
+author: stephow-MSFT
+ms.author: stephow
+manager: laurawi
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
@@ -62,7 +62,13 @@ Once you have WIP policies in place, by using the WIP section of Device Health,
The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
-1. In **Device Health** click the app you want to add to your policy and copy the publisher information.
+1. In **Device Health** click the app you want to add to your policy and copy the **WipAppId**.
+
+ For example, if the app is Google Chrome, the WipAppId is:
+
+ `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108`
+
+ In the steps below, you separate the WipAppId by back slashes into the **PUBLISHER**, **PRODUCT NAME**, and **FILE** fields.
2. In Intune, click **App protection policies** and then choose the app policy you want to add an application to.
@@ -74,12 +80,36 @@ The information needed for the following steps can be found using Device Health,
5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above.
+ For example, if the WipAppId is
+
+ `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108`
+
+ the text before the first back slash is the publisher:
+
+ `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US`
+
6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
+ For example, if the WipAppId is
+
+ `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108`
+
+ the text between the first and second back slashes is the product name:
+
+ `GOOGLE CHROME`
+
7. Copy the name of the executable (for example, snippingtool.exe) and paste it in **FILE** (required).
+ For example, if the WipAppId is
+
+ `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108`
+
+ the text between the second and third back slashes is the file:
+
+ `CHROME.EXE`
+
8. Type the version number of the app into **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 3946fe4807..9535492f02 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -72,6 +72,7 @@
#### [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
##### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md)
+#####[Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md)
#### [Secure score](microsoft-defender-atp/overview-secure-score.md)
@@ -420,6 +421,11 @@
#### [Troubleshoot Microsoft Defender ATP service issues](microsoft-defender-atp/troubleshoot-mdatp.md)
##### [Check service health](microsoft-defender-atp/service-status.md)
+
+#### [Troubleshoot live response issues]()
+##### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md)
+
+
####Troubleshoot attack surface reduction
##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
@@ -515,7 +521,7 @@
##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
-###### [How to list XML elements in ](auditing/how-to-list-xml-elements-in-eventdata.md)
+###### [How to list XML elements in \](auditing/how-to-list-xml-elements-in-eventdata.md)
###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)
diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md
index 41c866e704..74e6e22b45 100644
--- a/windows/security/threat-protection/auditing/event-4768.md
+++ b/windows/security/threat-protection/auditing/event-4768.md
@@ -219,7 +219,7 @@ The most common values:
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. |
| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. |
-| 0x1B | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. |
+| 0x1D | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. |
| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. |
| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. |
| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.
If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. |
diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 184de5418f..991a843fa3 100644
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -1,26 +1,26 @@
---
-title: Device Guard is the combination of Windows Defender Application Control and virtualization-based protection of code integrity (Windows 10)
-description: Device Guard consists of both hardware and software system integrity hardening capabilites that can be deployed separately or in combination.
-keywords: virtualization, security, malware
+title: Windows Defender Application Control and virtualization-based protection of code integrity (Windows 10)
+description: Hardware and software system integrity hardening capabilites that can be deployed separately or in combination.
+keywords: virtualization, security, malware, device guard
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: dansimp
-ms.date: 09/07/2018
+ms.date: 07/01/2019
ms.reviewer:
manager: dansimp
ms.author: dansimp
---
-# Device Guard: Windows Defender Application Control and virtualization-based protection of code integrity
+# Windows Defender Application Control and virtualization-based protection of code integrity
**Applies to**
- Windows 10
- Windows Server 2016
-Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI).
+Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI).
-Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices. This combined "configuration state" of configurable code integrity and HVCI has been referred to as Windows Defender Device Guard.
+Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices.
Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions:
@@ -29,28 +29,22 @@ Using configurable code integrity to restrict devices to only authorized apps ha
3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
-## (Re-)Introducing Windows Defender Application Control
+## Windows Defender Application Control
-When we originally designed the configuration state that we have referred to as Windows Defender Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between the two main OS features of the Device Guard configuration, configurable code integrity and HVCI, we intentionally focused our discussion around the Device Guard lockdown state you achieve when deploying them together.
+When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either.
-However, the use of the term Device Guard to describe this configuration state has unintentionally left an impression for many IT professionals that the two features were inexorably linked and could not be deployed separately.
-Additionally, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet.
-
-As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either.
-But configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
+Configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
We hope this change will help us better communicate options for adopting application control within an organization.
-Does this mean Windows Defender Device Guard configuration state is going away? Not at all. The term Device Guard will continue to be used as a way to describe the fully locked down state achieved through the use of Windows Defender Application Control (WDAC), HVCI, and hardware and firmware security features. It also allows us to work with our OEM partners to identify specifications for devices that are “Device Guard capable” so that our joint customers can easily purchase devices that meet all of the hardware and firmware requirements of the original "Device Guard" locked down scenario for Windows 10 based devices.
-
## Related topics
[Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control)
-[Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard](https://channel9.msdn.com/Events/Ignite/2015/BRK2336)
+[Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender](https://channel9.msdn.com/Events/Ignite/2015/BRK2336)
-[Driver compatibility with Windows Defender Device Guard in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10)
+[Driver compatibility with Windows Defender in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10)
[Code integrity](https://technet.microsoft.com/library/dd348642.aspx)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md
index 0f9409ab26..44f14073d3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md
@@ -3,7 +3,12 @@
## [Overview](overview.md)
### [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
#### [What's in the dashboard and what it means for my organization](tvm-dashboard-insights.md)
+#### [Exposure score](tvm-exposure-score.md)
#### [Configuration score](configuration-score.md)
+#### [Security recommendation](tvm-security-recommendation.md)
+#### [Remediation](tvm-remediation.md)
+#### [Software inventory](tvm-software-inventory.md)
+#### [Weaknesses](tvm-weaknesses.md)
#### [Scenarios](threat-and-vuln-mgt-scenarios.md)
@@ -65,9 +70,6 @@
###### [Remove file from blocked list](respond-file-alerts.md#remove-file-from-blocked-list)
###### [Check activity details in Action center](respond-file-alerts.md#check-activity-details-in-action-center)
###### [Deep analysis](respond-file-alerts.md#deep-analysis)
-###### [Submit files for analysis](respond-file-alerts.md#submit-files-for-analysis)
-###### [View deep analysis reports](respond-file-alerts.md#view-deep-analysis-reports)
-###### [Troubleshoot deep analysis](respond-file-alerts.md#troubleshoot-deep-analysis)
##### [Investigate entities using Live response](live-response.md)
@@ -75,6 +77,7 @@
### [Automated investigation and remediation](automated-investigations.md)
#### [Learn about the automated investigation and remediation dashboard](manage-auto-investigation.md)
+#### [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md)
### [Secure score](overview-secure-score.md)
@@ -82,14 +85,12 @@
### [Microsoft Threat Experts](microsoft-threat-experts.md)
-### [Threat analytics](threat-analytics.md)
-
### [Advanced hunting](overview-hunting.md)
#### [Query data using Advanced hunting](advanced-hunting.md)
##### [Advanced hunting reference](advanced-hunting-reference.md)
##### [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
#### [Custom detections](overview-custom-detections.md)
-#####[Create custom detections rules](custom-detection-rules.md)
+##### [Create custom detections rules](custom-detection-rules.md)
### [Management and APIs](management-apis.md)
#### [Understand threat intelligence concepts](threat-indicator-concepts.md)
@@ -119,7 +120,7 @@
### [Assign user access to the portal](assign-portal-access.md)
### [Evaluate Microsoft Defender ATP](evaluate-atp.md)
-####Evaluate attack surface reduction
+#### Evaluate attack surface reduction
##### [Hardware-based isolation](../windows-defender-application-guard/test-scenarios-wd-app-guard.md)
##### [Application control](../windows-defender-application-control/audit-windows-defender-application-control-policies.md)
##### [Exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
@@ -133,7 +134,7 @@
## [Configure and manage capabilities](onboard.md)
### [Configure attack surface reduction](configure-attack-surface-reduction.md)
-###Hardware-based isolation
+### Hardware-based isolation
#### [System integrity](../windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
#### [Application isolation](../windows-defender-application-guard/install-wd-app-guard.md)
##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md)
@@ -352,6 +353,11 @@
#### Interoperability
##### [Partner applications](partner-applications.md)
+#### [Manage machine configuration](configure-machines.md)
+##### [Monitor and increase machine onboarding](configure-machines-onboarding.md)
+##### [Increase compliance to the security baseline](configure-machines-security-baseline.md)
+##### [Optimize ASR rule deployment and detections](configure-machines-asr.md)
+
#### Role-based access control
##### [Manage portal access using RBAC](rbac.md)
###### [Create and manage roles](user-roles.md)
@@ -363,7 +369,7 @@
### Configure Microsoft Threat Protection integration
#### [Configure Conditional Access](configure-conditional-access.md)
#### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md)
-####[Configure information protection in Windows](information-protection-in-windows-config.md)
+#### [Configure information protection in Windows](information-protection-in-windows-config.md)
### [Configure Microsoft Defender Security Center settings](preferences-setup.md)
@@ -385,14 +391,14 @@
##### [Enable Threat intel](enable-custom-ti.md)
##### [Enable SIEM integration](enable-siem-integration.md)
-####Rules
+#### Rules
##### [Manage suppression rules](manage-suppression-rules.md)
##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md)
##### [Manage indicators](manage-indicators.md)
##### [Manage automation file uploads](manage-automation-file-uploads.md)
##### [Manage automation folder exclusions](manage-automation-folder-exclusions.md)
-####Machine management
+#### Machine management
##### [Onboarding machines](onboard-configure.md)
##### [Offboarding machines](offboard-machines.md)
@@ -401,7 +407,7 @@
## [Troubleshoot Microsoft Defender ATP](troubleshoot-overview.md)
-###Troubleshoot sensor state
+### Troubleshoot sensor state
#### [Check sensor state](check-sensor-status.md)
#### [Fix unhealthy sensors](fix-unhealthy-sensors.md)
#### [Inactive machines](fix-unhealthy-sensors.md#inactive-machines)
@@ -411,10 +417,14 @@
### [Troubleshoot Microsoft Defender ATP service issues](troubleshoot-mdatp.md)
#### [Check service health](service-status.md)
-###Troubleshoot attack surface reduction
+
+### [Troubleshoot live response issues]()
+#### [Troubleshoot issues related to live response](troubleshoot-live-response.md)
+
+### Troubleshoot attack surface reduction
#### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md)
#### [Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md)
-#### [Collect diagnostic data for files](../windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md)
+#### [Collect diagnostic data for files](../windows-defender-exploit-guard/troubleshoot-np.md)
### [Troubleshoot next generation protection](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
index 46f0887e3f..22f1392737 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@@ -29,35 +29,52 @@ Depending on the Microsoft security products that you use, some advanced feature
Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations:
## Automated investigation
+
When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations.md).
## Live response
-When you enable this feature, users with the appropriate permissions can initiate a live response session on machines.
-For more information on role assignments see, [Create and manage roles](user-roles.md).
+When you enable this feature, users with the appropriate permissions can initiate a live response session on machines.
+
+For more information on role assignments see, [Create and manage roles](user-roles.md).
## Live response unsigned script execution
-Enabling this feature allows you to run unsigned scripts in a live response session.
+Enabling this feature allows you to run unsigned scripts in a live response session.
## Auto-resolve remediated alerts
+
For tenants created on or after Windows 10, version 1809 the automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature.
->[!TIP]
+>[!TIP]
>For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page.
>[!NOTE]
> - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.
>- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
-
## Block file
-This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled, see [Block files in your network](respond-file-alerts.md#block-files-in-your-network) for more details.
-If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization.
+Blocking is only available if your organization uses Windows Defender Antivirus as the active antimalware solution, and if the cloud-based protection feature is enabled.
+
+This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on machines in your organization.
+
+To turn **Allow or block** files on:
+
+1. In the navigation pane, select **Settings** > **Advanced features** > **Allow or block file**.
+
+1. Toggle the setting between **On** and **Off**.
+
+ 
+
+1. Select **Save preferences** at the bottom of the page.
+
+Once you have enabled this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
## Show user details
+
When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
+
- Security operations dashboard
- Alert queue
- Machine details page
@@ -65,20 +82,21 @@ When you enable this feature, you'll be able to see user details stored in Azure
For more information, see [Investigate a user account](investigate-user.md).
## Skype for Business integration
+
Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
>[!NOTE]
-> When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when machines are in isolation mode.
-
+> When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when machines are in isolation mode.
## Azure Advanced Threat Protection integration
+
The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view.
-
>[!NOTE]
->You'll need to have the appropriate license to enable this feature.
+>You'll need to have the appropriate license to enable this feature.
### Enable the Microsoft Defender ATP integration from the Azure ATP portal
+
To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
1. Login to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
@@ -90,6 +108,7 @@ To receive contextual machine integration in Azure ATP, you'll also need to enab
When you complete the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page.
## Office 365 Threat Intelligence connection
+
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
@@ -100,41 +119,46 @@ When you enable this feature, you'll be able to incorporate data from Office 365
To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
## Microsoft Threat Experts
+
Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability, while experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it.
>[!NOTE]
>The Microsoft Threat Experts capability in Microsoft Defender ATP is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).
## Microsoft Cloud App Security
-Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.
+
+Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.
>[!NOTE]
>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later.
## Azure Information Protection
+
Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings.
-
## Microsoft Intune connection
-This feature is only available if you have an active Microsoft Intune (Intune) license.
-When you enable this feature, you'll be able to share Microsoft Defender ATP device information to Intune and enhance policy enforcement.
+This feature is only available if you have an active Microsoft Intune (Intune) license.
+
+When you enable this feature, you'll be able to share Microsoft Defender ATP device information to Intune and enhance policy enforcement.
>[!NOTE]
->You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature.
-
+>You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature.
## Preview features
+
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
## Enable advanced features
+
1. In the navigation pane, select **Preferences setup** > **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
3. Click **Save preferences**.
## Related topics
+
- [Update data retention settings](data-retention-settings.md)
- [Configure alert notifications](configure-email-notifications.md)
- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
index 8e6f64817f..c22f668986 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@@ -18,7 +18,7 @@ ms.topic: conceptual
ms.date: 04/24/2018
---
-# Advanced hunting query best practices Microsoft Defender ATP
+# Advanced hunting query best practices in Microsoft Defender ATP
**Applies to:**
@@ -28,23 +28,26 @@ ms.date: 04/24/2018
## Performance best practices
The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries.
-- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/).
-- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
-- Use 'has' keyword over 'contains' when looking for full tokens.
+- When trying new queries, always use `limit` to avoid extremely large result sets or use `count` to assess the size of the result set.
+- Use time filters first. Ideally, limit your queries to 7 days.
+- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
+- Use the `has` operator over `contains` when looking for full tokens.
- Use looking in specific column rather than using full text search across all columns.
-- When joining between two tables - choose the table with less rows to be the first one (left-most).
-- When joining between two tables - project only needed columns from both sides of the join.
+- When joining between two tables, specify the table with fewer rows first.
+- When joining between two tables, project only needed columns from both sides of the join.
+
+>[!Tip]
+>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/en-us/azure/kusto/query/best-practices).
## Query tips and pitfalls
-### Unique Process IDs
-Process IDs are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
+### Using process IDs
+Process IDs (PIDs) are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
To address this issue, Microsoft Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time.
+So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either `MachineId` or `ComputerName`), a process ID (`ProcessId` or `InitiatingProcessId`) and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`)
-So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either MachineId or ComputerName), a process ID (ProcessId or InitiatingProcessId) and the process creation time (ProcessCreationTime or InitiatingProcessCreationTime)
-
-The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB) - possibly scanning for file shares.
+The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
Example query:
```
@@ -54,13 +57,13 @@ NetworkCommunicationEvents
| where RemoteIPCount > 10
```
-The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime - to make sure the query looks at a single process, and not mixing multiple processes with the same process ID.
+The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
-### Using command line queries
+### Using command lines
-Command lines may vary - when applicable, filter on file names and do fuzzy matching.
+Command lines can vary. When applicable, filter on file names and do fuzzy matching.
-There are numerous ways to construct a command line to accomplish a task.
+There are numerous ways to construct a command line to accomplish a task.
For example, a malicious attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, and others. In addition, the attacker can also change the order of some parameters, add multiple quotes or spaces, and much more.
@@ -68,7 +71,7 @@ To create more durable queries using command lines, we recommended the following
- Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields, instead of filtering on the command line field.
- When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
-- Use case insensitive matches. For example, use '=~', 'in~', 'contains' instead of '==', 'in' or 'contains_cs'
+- Use case insensitive matches. For example, use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs`
- To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS obfuscation techniques, but it does mitigate the most common ones.
The following example query shows various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
@@ -90,7 +93,4 @@ ProcessCreationEvents
| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
```
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
-
-
-
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md
index 44e20add28..4ca2aebb87 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md
@@ -23,7 +23,7 @@ ms.date: 08/15/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-To get you started in querying your data, you can use the basic or Advanced query examples that have some preloaded queries for you to understand the basic query syntax.
+To get you started in querying your data, you can use the Basic or Advanced query examples, which have some preloaded queries to help you understand the basic query syntax.
@@ -109,7 +109,7 @@ You can create or modify a query and save it as your own query or share it with
### Update a query
These steps guide you on modifying and overwriting an existing query.
-1. Edit an existing query.
+1. Edit an existing query.
2. Click the **Save**.
@@ -151,6 +151,3 @@ Check out the [Advanced hunting repository](https://github.com/Microsoft/Windows
## Related topic
- [Advanced hunting reference](advanced-hunting-reference.md)
- [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
index da4a174d2c..a3455dcc67 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
@@ -63,12 +63,39 @@ So, for example:
- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
+#### Understanding alert categories
+We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will retain the previous category names.
+
+The table below lists the current categories and how they generally map to previous categories.
+
+| New category | Previous categories | Detected threat activity or component |
+|----------------------|----------------------|-------------|
+| Collection | - | Locating and collecting data for exfiltration |
+| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands |
+| Credential access | CredentialTheft | Obtaining valid credentials to extend control over devices and other resources in the network |
+| Defense evasion | - | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits |
+| Discovery | Reconnaissance, WebFingerprinting | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers |
+| Execution | Delivery, MalwareDownload | Launching attacker tools and malicious code, including RATs and backdoors |
+| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location |
+| Exploit | Exploit | Exploit code and possible exploitation activity |
+| Initial access | SocialEngineering, WebExploit, DocumentExploit | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails |
+| Lateral movement | LateralMovement, NetworkPropagation | Moving between devices in the target network to reach critical resources or gain network persistence |
+| Malware | Malware, Backdoor, Trojan, TrojanDownloader, CredentialStealing, Weaponization, RemoteAccessTool | Backdoors, trojans, and other types of malicious code |
+| Persistence | Installation, Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts |
+| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account |
+| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access |
+| Suspicious activity | General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic | Atypicaly activity that could be malware activity or part of an attack |
+| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) |
+
### Status
You can choose to limit the list of alerts based on their status.
### Investigation state
Corresponds to the automated investigation state.
+### Category
+You can choose to filter the queue to display specific types of malicious activity.
+
### Assigned to
You can choose between showing alerts that are assigned to you or automation.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index 05fcb78399..3817d34a9a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -46,7 +46,7 @@ status | Enum | Specifies the current status of the alert. Possible values are:
investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' .
classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
-category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General' .
+category| String | Category of the alert. Possible values are: 'Collection', 'Command and control', 'Credential access', 'Defense evasion', 'Discovery', 'Execution', 'Exfiltration', 'Exploit', 'Initial access', 'Lateral movement', 'Malware', 'Persistence', 'Privilege escalation', 'Ransomware', 'Suspicious activity', 'Unwanted software'.
detectionSource | string | Detection source.
threatFamilyName | string | Threat family.
title | string | Alert title.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
index a09b2f556d..a3d83d4880 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
@@ -1,5 +1,5 @@
---
-title: Advanced Hunting API
+title: Hello World
ms.reviewer:
description: Use this API to run advanced queries
keywords: apis, supported apis, advanced hunting, query
@@ -19,10 +19,9 @@ ms.topic: article
# Microsoft Defender ATP API - Hello World
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## Get Alerts using a simple PowerShell script
@@ -33,68 +32,60 @@ It only takes 5 minutes done in two steps:
- Use examples: only requires copy/paste of a short PowerShell script
### Do I need a permission to connect?
-For the App registration stage, you must have a Global administrator role in your Azure Active Directory (Azure AD) tenant.
+For the Application registration stage, you must have a **Global administrator** role in your Azure Active Directory (Azure AD) tenant.
### Step 1 - Create an App in Azure Active Directory
-1. Log on to [Azure](https://portal.azure.com) with your Global administrator user.
+1. Log on to [Azure](https://portal.azure.com) with your **Global administrator** user.
-2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
+2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**.
- 
+ 
-3. In the registration form, enter the following information, then click **Create**.
+3. In the registration form, choose a name for your application and then click **Register**.
- - **Name:** Choose your own name.
- - **Application type:** Web app / API
- - **Redirect URI:** `https://127.0.0.1`
+4. Allow your Application to access Microsoft Defender ATP and assign it **'Read all alerts'** permission:
- 
+ - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
-4. Allow your App to access Microsoft Defender ATP and assign it 'Read all alerts' permission:
+ - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
- - Click **Settings** > **Required permissions** > **Add**.
+ 
- 
+ - Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions**
- - Click **Select an API** > **WindowsDefenderATP**, then click **Select**.
+ 
- **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+ **Important note**: You need to select the relevant permissions. 'Read All Alerts' is only an example!
- 
+ For instance,
- - Click **Select permissions** > **Read all alerts** > **Select**.
+ - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
+ - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
+ - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
- 
+5. Click **Grant consent**
- - Click **Done**
+ - **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
- 
+ 
- - Click **Grant permissions**
+6. Add a secret to the application.
- **Note**: Every time you add permission you must click on **Grant permissions**.
+ - Click **Certificates & secrets**, add description to the secret and click **Add**.
- 
+ **Important**: After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!
-5. Create a key for your App:
+ 
- - Click **Keys**, type a key name and click **Save**.
+7. Write down your application ID and your tenant ID:
- 
+ - On your application page, go to **Overview** and copy the following:
-6. Write down your App ID and your Tenant ID:
-
- - App ID:
-
- 
-
- - Tenant ID: Navigate to **Azure Active Directory** > **Properties**
-
- 
+ 
-Done! You have successfully registered an application!
+Done! You have successfully registered an application!
### Step 2 - Get a token using the App and use this token to access the API.
@@ -106,8 +97,8 @@ Done! You have successfully registered an application!
# Paste below your Tenant ID, App ID and App Secret (App key).
$tenantId = '' ### Paste your tenant ID here
-$appId = '' ### Paste your app ID here
-$appSecret = '' ### Paste your app key here
+$appId = '' ### Paste your Application ID here
+$appSecret = '' ### Paste your Application secret here
$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
index ba81f53c58..4c97c07b2e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@@ -39,19 +39,19 @@ Field numbers match the numbers in the images below.
>
> | Portal label | SIEM field name | ArcSight field | Example value | Description |
> |------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-> | 1 | AlertTitle | name | A dll was unexpectedly loaded into a high integrity process without a UAC prompt | Value available for every alert. |
-> | 2 | Severity | deviceSeverity | Medium | Value available for every alert. |
-> | 3 | Category | deviceEventCategory | Privilege Escalation | Value available for every alert. |
-> | 4 | Source | sourceServiceName | WindowsDefenderATP | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every alert. |
-> | 5 | MachineName | sourceHostName | liz-bean | Value available for every alert. |
+> | 1 | AlertTitle | name | Windows Defender AV detected 'Mikatz' high-severity malware | Value available for every alert. |
+> | 2 | Severity | deviceSeverity | High | Value available for every alert. |
+> | 3 | Category | deviceEventCategory | Malware | Value available for every alert. |
+> | 4 | Detection source | sourceServiceName | Antivirus | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every alert. |
+> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every alert. |
> | 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. |
> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. |
-> | 8 | UserDomain | sourceNtDomain | contoso | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based alerts. |
-> | 9 | UserName | sourceUserName | liz-bean | The user context running the activity, available for Microsoft Defender ATP behavioral based alerts. |
-> | 10 | Sha1 | fileHash | 5b4b3985339529be3151d331395f667e1d5b7f35 | Available for alerts associated with a file or process. |
-> | 11 | Md5 | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb | Available for Windows Defender AV alerts. |
-> | 12 | Sha256 | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5 | Available for Windows Defender AV alerts. |
-> | 13 | ThreatName | eviceCustomString1 | Trojan:Win32/Skeeyah.A!bit | Available for Windows Defender AV alerts. |
+> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based alerts. |
+> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based alerts. |
+> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for alerts associated with a file or process. |
+> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV alerts. |
+> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV alerts. |
+> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV alerts. |
> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
> | 15 | Url | requestUrl | down.esales360.cn | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
@@ -60,7 +60,7 @@ Field numbers match the numbers in the images below.
> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. |
> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert. |
> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. |
-> | 22 | Actor | deviceCustomString4 | | Available for alerts related to a known actor group. |
+> | 22 | Actor | deviceCustomString4 | BORON | Available for alerts related to a known actor group. |
> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. |
> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. |
> | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
new file mode 100644
index 0000000000..8945fc0931
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -0,0 +1,54 @@
+---
+title: Manage actions related to automated investigation and remediation
+description: Use the action center to manage actions related to automated investigation and response
+keywords: action, center, autoir, automated, investigation, response, remediation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Manage actions related to automated investigation and remediation
+
+The Action center aggregates all investigations that require an action for an investigation to proceed or be completed.
+
+
+
+The action center consists of two main tabs:
+- Pending actions - Displays a list of ongoing investigations that require attention. A recommended action is presented to the analyst, which they can approve or reject.
+- History - Acts as an audit log for:
+ - All actions taken by AutoIR or approved by an analyst with ability to undo actions that support this capability (for example, quarantine file).
+ - All commands ran and remediation actions applied in Live Response with ability to undo actions that support this capability.
+ - Remediation actions applied by Windows Defender AV with ability to undo actions that support this capability.
+
+
+
+
+Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
+
+From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
+
+
+>[!NOTE]
+>The tab will only appear if there are pending actions for that category.
+
+### Approve or reject an action
+You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.
+
+Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed.
+
+From the panel, you can click on the Open investigation page link to see the investigation details.
+
+You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.
+
+## Related topics
+- [Automated investigation and investigation](automated-investigations.md)
+- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index a4e69d1eab..7e77ed48e3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -56,7 +56,7 @@ During an Automated investigation, details about each analyzed entity is categor
The **Log** tab reflects the chronological detailed view of all the investigation actions taken on the alert.
-If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions.
+If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. You can also go to the **Action center** to get an aggregated view all pending actions and manage remediaton actions. It also acts as an audit trail for all Automated investigation actions.
### How an Automated investigation expands its scope
diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
index ac4575e88d..8057947dc2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
@@ -25,7 +25,7 @@ ms.date: 04/24/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
-The sensor health tile provides information on the individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
+The sensor health tile is found on the Security Operations dashboard. This tile provides information on the individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service:
- **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
@@ -44,7 +44,7 @@ You can filter the health state list by the following status:
- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service.
-You can view the machine details when you click on a misconfigured or inactive machine. You’ll see more specific machine information when you click the information icon.
+You can view the machine details when you click on a misconfigured or inactive machine.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
index edc1463dfc..919befad8e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@@ -1,6 +1,5 @@
---
title: Overview of Configuration score in Microsoft Defender Security Center
-ms.reviewer:
description: Expand your visibility into the overall security configuration posture of your organization
keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
search.product: eADQiWindows 10XVcnh
@@ -9,8 +8,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
+ms.author: dolmont
+author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -22,12 +21,10 @@ ms.date: 04/11/2019
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[!include[Prerelease information](prerelease.md)]
-
>[!NOTE]
-> Secure score is now part of Threat & Vulnerability Management as Configuration score. We’ll keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection) page.
+> Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
-The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over your organization's security posture based on security best practices.
+The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over the security posture of your organization based on security best practices. High configuration score means your endpoints are more resilient from cybersecurity threat attacks.
Your configuration score widget shows the collective security configuration state of your machines across the following categories:
- Application
@@ -38,20 +35,27 @@ Your configuration score widget shows the collective security configuration stat
## How it works
-What you'll see in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
+The data in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
- Compare collected configurations to the collected benchmarks to discover misconfigured assets
- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration
- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams)
- Collect and monitor changes of security control configuration state from all assets
-From the widget, you'd be able to see which security aspect require attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can take action based on security benchmarks.
+From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks.
## Improve your configuration score
-The goal is to improve your configuration score by remediating the issues in the security recommendations list. You can filter the view based on:
-- **Related component** - **Accounts**, **Application**, **Network**, **OS**, or **Security controls**
-- **Remediation type** - **Configuration change** or **Software update**
+The goal is to remediate the issues in the security recommendations list to improve your configuration score. You can filter the view based on:
+- **Related component** — **Accounts**, **Application**, **Network**, **OS**, or **Security controls**
+- **Remediation type** — **Configuration change** or **Software update**
+
+See how you can [improve your security configuration](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
index 05c041475c..133f0ecb0a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
@@ -69,7 +69,7 @@ You can create rules that determine the machines and alert severities to send em
Here's an example email notification:
-
+
## Edit a notification rule
1. Select the notification rule you'd like to edit.
@@ -101,4 +101,4 @@ This section lists various issues that you may encounter when using email notifi
- [Update data retention settings](data-retention-settings.md)
- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
- [Enable Secure Score security controls](enable-secure-score.md)
-- [Configure advanced features](advanced-features.md)
\ No newline at end of file
+- [Configure advanced features](advanced-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
index d16c45de90..54f60b64f4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
@@ -52,9 +52,9 @@ ms.date: 04/24/2018
4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
-5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
+5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate Task (At least Windows 7)**.
-6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under **Security options**.
+6. In the **Task** window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM and then click **Check Names** then **OK**. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
@@ -84,7 +84,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
4. Click **Policies**, then **Administrative templates**.
-5. Click **Windows components** and then **Microsoft Defender ATP**.
+5. Click **Windows components** and then **Windows Defender ATP**.
6. Choose to enable or disable sample sharing from your machines.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
new file mode 100644
index 0000000000..9b0a3173f6
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
@@ -0,0 +1,55 @@
+---
+title: Optimize ASR rule deployment and detections
+description: Ensure your attack surface reduction (ASR) rules are fully deployed and optimized to effectively identify and prevent actions that are typically taken by malware during exploitation.
+keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: procedural
+---
+
+# Optimize ASR rule deployment and detections
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+[Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.
+
+
+*Attack surface management card*
+
+The **Attack surface management** card is an entry point to tools in Microsoft 365 security center that you can use to:
+
+- Understand how ASR rules are currently deployed in your organization
+- Review ASR detections and identify possible incorrect detections
+- Analyze the impact of exclusions and generate the list of file paths to exclude
+
+Selecting **Go to attack surface management** takes you to **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
+
+
+*Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center*
+
+>[!NOTE]
+>To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions)
+
+For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+
+# Related topics
+- [Ensure your machines are configured properly](configure-machines.md)
+- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
+- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
new file mode 100644
index 0000000000..ad42b1bcd9
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
@@ -0,0 +1,76 @@
+---
+title: Get machines onboarded to Microsoft Defender ATP
+description: Track onboarding of Intune-managed machines to Windows Defender ATP and increase onboarding rate.
+keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, configuration management
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: procedural
+---
+
+# Get machines onboarded to Microsoft Defender ATP
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.
+
+## Discover and track unprotected machines
+
+The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 machines that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 machines.
+
+
+*Card showing onboarded machines compared to the total number of Intune-managed Windows 10 machine*
+
+>[!NOTE]
+>- If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines.
+>- During preview, you might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
+
+## Onboard more machines with Intune profiles
+
+Microsoft Defender ATP provides several convenient options for [onboarding Windows 10 machines](onboard-configure.md). For Intune-managed machines, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP sensor to select machines, effectively onboarding these devices to the service.
+
+From the **Onboarding** card, select **Onboard more machines** to create and assign a profile on Intune. The link takes you to a similar overview of your onboarding state.
+
+>[!TIP]
+>Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**.
+
+From the overview, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the machines you want to onboard.
+
+1. Select **Create a device configuration profile to configure ATP sensor**.
+
+ 
+ *Microsoft Defender ATP device compliance page on Intune device management*
+
+2. Specify a name for the profile, specify desired configuration options for sample sharing and reporting frequency, and select **Create** to save the new profile.
+
+ 
+ *Configuration profile creation*
+
+3. After creating the profile, assign it to all your machines. You can review profiles and their deployment status anytime by accessing **Device configuration > Profiles** on Intune.
+
+ 
+ *Assigning the new agent profile to all machines*
+
+>[!TIP]
+>To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-profile-assign).
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+
+# Related topics
+- [Ensure your machines are configured properly](configure-machines.md)
+- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
+- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
new file mode 100644
index 0000000000..b7a5c0bf30
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
@@ -0,0 +1,108 @@
+---
+title: Increase compliance to the Microsoft Defender ATP security baseline
+description: The Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.
+keywords: Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection ASR, security baseline
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: procedural
+---
+
+# Increase compliance to the Microsoft Defender ATP security baseline
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.
+
+To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a).
+
+## Compare the Microsoft Defender ATP and the Windows Intune security baselines
+The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
+
+- [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows)
+- [Microsoft Defender ATP baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp)
+
+Both baselines are maintained so that they complement one another and have identical values for shared settings. Deploying both baselines to the same machine will not result in conflicts. Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls.
+
+## Get permissions to manage security baselines in Intune
+
+By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage security baseline profiles. If you haven’t been assigned either role, work with a Global Administrator or an Intune Service Administrator to [create a custom role in Intune](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role) with full permissions to security baselines and then assign that role to your Azure AD group.
+
+
+
+*Security baseline permissions on Intune*
+
+## Monitor compliance to the Microsoft Defender ATP security baseline
+
+The **Security baseline** card on [machine configuration management](configure-machines.md) provides an overview of compliance across Windows 10 machines that have been assigned the Microsoft Defender ATP security baseline.
+
+
+*Card showing compliance to the Microsoft Defender ATP security baseline*
+
+Each machine is given one of the following status types:
+
+- **Matches baseline**—machine settings match all the settings in the baseline
+- **Does not match baseline**—at least one machine setting doesn't match the baseline
+- **Misconfigured**—at least one baseline setting isn't properly configured on the machine and is in a conflict, error, or pending state
+- **Not applicable**—At least one baseline setting isn't applicable on the machine
+
+To review specific machines, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the machines.
+
+>[!NOTE]
+>During preview, you might encounter a few known limitations:
+>- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
+>- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
+
+## Review and assign the Microsoft Defender ATP security baseline
+
+Machine configuration management monitors baseline compliance only of Windows 10 machines that have been specifically assigned the Microsoft Defender ATP security baseline. You can conveniently review the baseline and assign it to machines on Intune device management.
+
+1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed.
+
+ >[!TIP]
+ > Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines (preview) > PREVIEW: Windows Defender ATP baseline**.
+
+
+2. Create a new profile.
+
+ 
+ *Microsoft Defender ATP security baseline overview on Intune*
+
+3. During profile creation, you can review and adjust specific settings on the baseline.
+
+ 
+ *Security baseline options during profile creation on Intune*
+
+4. Assign the profile to the appropriate machine group.
+
+ 
+ *Assigning the security baseline profile on Intune*
+
+5. Save the profile and deploy it to the assigned machine group.
+
+ 
+ *Saving and deploying the security baseline profile on Intune*
+
+>[!TIP]
+>To learn more about Intune security baselines and assigning them, read [Create a Windows 10 security baseline in Intune](https://docs.microsoft.com/intune/security-baselines).
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+
+# Related topics
+- [Ensure your machines are configured properly](configure-machines.md)
+- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
+- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
new file mode 100644
index 0000000000..62140b2d6d
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
@@ -0,0 +1,69 @@
+---
+title: Ensure your machines are configured properly
+description: Properly configure machines to boost overall resilience against threats and enhance your capability to detect and respond to attacks.
+keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: procedural
+---
+
+# Ensure your machines are configured properly
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+With properly configured machines, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your machines:
+
+- Onboard to Microsoft Defender ATP
+- Meet or exceed the Microsoft Defender ATP security baseline configuration
+- Have strategic attack surface mitigations in place
+
+
+*Machine configuration management page*
+
+You can track configuration status at an organizational level and quickly take action in response to poor onboarding coverage, compliance issues, and poorly optimized attack surface mitigations through direct, deep links to device management pages on Microsoft Intune and Microsoft 365 security center.
+
+In doing so, you benefit from:
+- Comprehensive visibility of the events on your machines
+- Robust threat intelligence and powerful machine learning technologies for processing raw events and identifying the breach activity and threat indicators
+- A full stack of security features configured to efficiently stop the installation of malicious implants, hijacking of system files and process, data exfiltration, and other threat activities
+- Optimized attack surface mitigations, maximizing strategic defenses against threat activity while minimizing impact to productivity
+
+## Enroll machines to Intune management
+
+Machine configuration management works closely with Intune device management to establish the inventory of the machines in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 machines.
+
+Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll).
+
+>[!TIP]
+>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
+
+>[!NOTE]
+>During preview, you might encounter a few known limitations:
+>- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
+>- The count of onboarded machines tracked by machine configuration management might not include machines onboarded using Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles. To include these machines, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to these machines.
+>- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
+
+
+## In this section
+Topic | Description
+:---|:---
+[Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)| Track onboarding status of Intune-managed machines and onboard more machines through Intune.
+[Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed machines.
+[Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center.
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 69993debe0..ad8b37b921 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -137,7 +137,7 @@ Agent Resource | Ports
## Windows Server, version 1803 and Windows Server 2019
-To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines.
+To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below.
Supported tools include:
- Local script
@@ -245,4 +245,4 @@ To offboard the server, you can use either of the following methods:
- [Onboard non-Windows machines](configure-endpoints-non-windows.md)
- [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md)
-- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
\ No newline at end of file
+- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
index eac5c12814..249bf4cfb4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
@@ -30,7 +30,7 @@ ms.date: 04/24/2018
During the onboarding process, a wizard takes you through the general settings of Microsoft Defender ATP. After onboarding, you might want to update the data retention settings.
-1. In the navigation pane, select **Settings** > **Data rention**.
+1. In the navigation pane, select **Settings** > **Data retention**.
2. Select the data retention duration from the drop-down list.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
index 1abeaeef86..1939474a15 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
@@ -1,8 +1,8 @@
---
title: Evaluate Microsoft Defender Advanced Threat Protection
ms.reviewer:
-description:
-keywords:
+description: Evaluate the different security capabilities in Microsoft Defender ATP.
+keywords: attack surface reduction, evaluate, next, generation, protection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -16,7 +16,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/10/2018
---
# Evaluate Microsoft Defender ATP
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
index 4a19677915..080111bee7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
@@ -216,7 +216,7 @@ See The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
+>The below code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
- Create a new Console Application
- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
@@ -215,7 +203,7 @@ You will get an answer of the form:
Sanity check to make sure you got a correct token:
- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
- Validate you get a 'roles' claim with the desired permissions
-- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Microsoft Defender ATP's roles:
+- In the screen shot below you can see a decoded token acquired from an Application with permissions to all of Microsoft Defender ATP's roles:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1.png b/windows/security/threat-protection/microsoft-defender-atp/images/1.png
deleted file mode 100644
index 70ce314c00..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/1.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/WDATP-components.png b/windows/security/threat-protection/microsoft-defender-atp/images/WDATP-components.png
deleted file mode 100644
index 51f4335265..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/WDATP-components.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/action-center.png b/windows/security/threat-protection/microsoft-defender-atp/images/action-center.png
new file mode 100644
index 0000000000..02ad4445e6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/action-center.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png
index 19428a4156..849bacfa44 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png and b/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png b/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png
new file mode 100644
index 0000000000..74d57acf8e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG
index d7e7d092eb..57337cd9ab 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-save-query.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-save-query.PNG
index 2da889163c..4c6352b1e1 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-save-query.PNG and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-save-query.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-numbered.png b/windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-numbered.png
deleted file mode 100644
index 39c6a467aa..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-numbered.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing.png b/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing.png
new file mode 100644
index 0000000000..39c4236d7c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-tenant-id.png b/windows/security/threat-protection/microsoft-defender-atp/images/api-tenant-id.png
deleted file mode 100644
index ebac0b0e34..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/api-tenant-id.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/app-and-tenant-ids.png b/windows/security/threat-protection/microsoft-defender-atp/images/app-and-tenant-ids.png
new file mode 100644
index 0000000000..1f4f508c8c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/app-and-tenant-ids.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions-public-client.png b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions-public-client.png
new file mode 100644
index 0000000000..3fc32f22db
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions-public-client.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions.png
new file mode 100644
index 0000000000..15977b7c35
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-O365-admin-portal-customer.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-O365-admin-portal-customer.png
index c4a23269f5..5f7148efcf 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-O365-admin-portal-customer.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-O365-admin-portal-customer.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png
index 9d46d16055..43394cf2aa 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png
index a23b78fd2f..1db12b6733 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-report.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-report.png
deleted file mode 100644
index c7c4d60928..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-report.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-1.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-1.PNG
new file mode 100644
index 0000000000..c2b346d926
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-1.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-2.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-2.PNG
new file mode 100644
index 0000000000..a9d6418d30
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-2.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file.png
new file mode 100644
index 0000000000..b894538426
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG
index 40d4cf3b5c..47264c9f3c 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png
index e023ffdfd6..c8c053fd44 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-details.png
deleted file mode 100644
index f98240f439..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-details.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-mgt-pane.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-mgt-pane.png
index cb4a38b529..1f95169ebf 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-mgt-pane.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-mgt-pane.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png
index 7ae7d3aa20..f6ae75b2cd 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-process-tree.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-process-tree.png
index b6ff98567a..a768200aab 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-process-tree.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-process-tree.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-source.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-source.png
deleted file mode 100644
index c2155cc7ee..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-source.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline.png
index b34d5f4779..04078d3be3 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png
index 1d9c37de33..3480437d09 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-group.png
deleted file mode 100644
index e3bf3d41f0..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-group.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-q.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-q.png
deleted file mode 100644
index 1131ead044..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-q.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue-user.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue-user.png
deleted file mode 100644
index 00185b3daa..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue-user.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue.png
deleted file mode 100644
index 5bf942065e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png
index ecfb56f1a8..7423e63ab9 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png
index ec05ebcd1f..3290ef44c9 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq1.png
deleted file mode 100644
index 22a72d1306..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq1.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq2.png
deleted file mode 100644
index 7d65413066..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq2.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png
index ec8235b996..a80f24b421 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-approve-reject-action.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-approve-reject-action.png
deleted file mode 100644
index f96acc7694..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-approve-reject-action.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png
index 2ac2a20e91..da9b66063b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app.png
deleted file mode 100644
index 4449661657..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app2.png
new file mode 100644
index 0000000000..e04f757cff
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-subscriptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-subscriptions.png
index 8951659d17..dbcb2fee94 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-subscriptions.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-subscriptions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-create-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-create-dashboard.png
index fc628073fc..2b0a0be8d6 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-create-dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-create-dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-9.png
deleted file mode 100644
index f40dff2c63..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-9.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-full.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-full.png
deleted file mode 100644
index e4ec0ca34e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-full.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics.png
deleted file mode 100644
index 4f738b77ae..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png
index fed14b65f4..9f868ac29e 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-ready.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-ready.png
index 3495a90989..0df653a018 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-ready.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-ready.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-retention-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-retention-policy.png
deleted file mode 100644
index 7b9454924e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-retention-policy.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-delete-query.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-delete-query.png
index 703204c040..5e19d47b57 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-delete-query.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-delete-query.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-detailed-actor.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-detailed-actor.png
index 3df0eccc18..c1a4e36c75 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-detailed-actor.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-detailed-actor.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-connector.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-connector.png
index fc1a15b8e1..763a218960 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-connector.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-connector.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-action.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-action.png
new file mode 100644
index 0000000000..8e878d29a0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-action.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-open-save.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-open-save.PNG
new file mode 100644
index 0000000000..5cc1b1457b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-open-save.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file.PNG
new file mode 100644
index 0000000000..06dcfc796c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-confirm-delete.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-confirm-delete.PNG
new file mode 100644
index 0000000000..bb483bad25
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-confirm-delete.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-file.png
new file mode 100644
index 0000000000..f553b74b89
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-settings.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-settings.PNG
new file mode 100644
index 0000000000..b70aee3333
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-settings.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-example-email-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-example-email-notification.png
index 78290030a9..11e72fc6a9 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-example-email-notification.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-example-email-notification.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-in-org.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-in-org.png
index 12f980de0a..7e343cce7a 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-in-org.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-in-org.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png
index ea5619c545..56e2d7dcf0 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-names.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-names.PNG
new file mode 100644
index 0000000000..3bf537a3ea
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-names.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png
index 2787e7d147..b87ce58fcd 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png
deleted file mode 100644
index bf39e4b81e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-preference-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-preference-setup.png
deleted file mode 100644
index 9533a07777..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-preference-setup.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-geographic-location-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-geographic-location-setup.png
deleted file mode 100644
index 18e8861973..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-geographic-location-setup.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-get-data.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-get-data.png
index 5f7bdc83b7..48f6c597a6 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-get-data.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-get-data.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png
index 043255312e..b8117dc41d 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png
index bb11c88b62..c937e8fd04 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png
index 0b52a39faa..ffb98eef37 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png
index 5875c6fdb3..a952df593f 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png
index 7944809cde..4a5462d01a 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph.png
index 1dd7f28817..35d1d00d6b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png
index ffac35fc9b..62f5f70047 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png
index 1e4d52ff8d..dc353f8c25 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png
index a2a61cb49b..89bc5c8f90 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png
index 7fcdfcc834..f0dcb7626b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png
index 7d02d3d6ed..5292a0a77f 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-industry-information.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-industry-information.png
deleted file mode 100644
index e53106da3e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-industry-information.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view.png
deleted file mode 100644
index 97529ae015..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view2.png
deleted file mode 100644
index 5ce3e0d034..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view2.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png
index 9dd1e801dd..d628c4780a 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-view-ata.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-view-ata.png
deleted file mode 100644
index 5e2258d16d..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-view-ata.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-misconfigured.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-misconfigured.png
deleted file mode 100644
index 3de8f88a28..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-misconfigured.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view.png
deleted file mode 100644
index 6145c08a4c..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view2.png
deleted file mode 100644
index 692b21869f..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view2.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-view-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-view-list.png
deleted file mode 100644
index ac38039f3a..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-view-list.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-main-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-main-portal.png
deleted file mode 100644
index 3336f8a1ac..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-main-portal.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping1.png
deleted file mode 100644
index b34e915132..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping1.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png
index d3291b5cd5..3074e07daa 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping7.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping7.png
index 8e5589a6ca..e65ee2668a 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping7.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping7.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mcas-settings.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mcas-settings.png
deleted file mode 100644
index 11e12c2890..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mcas-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mdm-onboarding-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mdm-onboarding-package.png
deleted file mode 100644
index 2645ee2e58..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mdm-onboarding-package.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-new-alerts-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-new-alerts-list.png
deleted file mode 100644
index b9a758e159..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-new-alerts-list.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-no-subscriptions-found.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-no-subscriptions-found.png
index b538946141..d3d0ce1fbf 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-no-subscriptions-found.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-no-subscriptions-found.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-not-authorized-to-access-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-not-authorized-to-access-portal.png
index 738c1470e7..8ed854fe5f 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-not-authorized-to-access-portal.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-not-authorized-to-access-portal.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-in-organization.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-in-organization.png
index b4865884d3..d4e9f24da9 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-in-organization.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-in-organization.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png
index 845b97a82a..c835d12524 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png
deleted file mode 100644
index 8a88c16936..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-run-detection-test.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-run-detection-test.png
index 02cc1bbc0f..edd651d7db 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-run-detection-test.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-run-detection-test.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints.png
deleted file mode 100644
index 36d21b5ebe..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-mdm.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-mdm.png
deleted file mode 100644
index 18b70c8c27..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-mdm.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-organization-size.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-organization-size.png
deleted file mode 100644
index e7e69034f0..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-organization-size.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-file.png
index 006d7c1a3f..96c32ee9a8 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-list.png
index 8da2532df7..d8ea23b4f2 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-list.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-list.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-sensor.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-sensor.png
deleted file mode 100644
index 06147c025e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-sensor.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-welcome-screen.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-welcome-screen.png
deleted file mode 100644
index fda9bac914..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-welcome-screen.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal.png
deleted file mode 100644
index 0dc5215ce4..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-accept.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-accept.png
index d36fb7296c..78de2711e1 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-accept.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-accept.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-consent.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-consent.png
index 881c69c22c..39e48e2f4f 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-consent.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-consent.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-extension.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-extension.png
index eb02b6627a..865594531d 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-extension.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-extension.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-navigator.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-navigator.png
deleted file mode 100644
index 2c2c75ac33..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-navigator.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preferences-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preferences-setup.png
index f271f16509..06c902871b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preferences-setup.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preferences-setup.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-experience.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-experience.png
deleted file mode 100644
index 8055212471..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-experience.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png
index 0908f75e43..d053776856 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-remediated-alert.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-remediated-alert.png
deleted file mode 100644
index d49b681907..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-remediated-alert.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-rename-incident.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-rename-incident.png
index 3df94c2e4d..be213c2acd 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-rename-incident.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-rename-incident.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-1.png
deleted file mode 100644
index ae8d72d307..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-1.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png
index 56a204ca39..b8d078d435 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-dashboard.png
deleted file mode 100644
index 1b3c80e762..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-dashboard.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines.png
deleted file mode 100644
index e7f8d974bf..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines2.png
deleted file mode 100644
index f80648993e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines2.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls-9.png
deleted file mode 100644
index 9ce191083b..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls-9.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls.png
deleted file mode 100644
index 023881cd9b..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-resized.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-resized.png
deleted file mode 100644
index 0c0f7d0eec..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-resized.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-tile.png
deleted file mode 100644
index 8e2da99e51..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-tile.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter.png
deleted file mode 100644
index e59480d960..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-tile.png
deleted file mode 100644
index 067d26d957..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-tile.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding-workspaceid.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding-workspaceid.png
deleted file mode 100644
index 1c3154f188..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding-workspaceid.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding.png
deleted file mode 100644
index 07fa544f73..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-powerbi.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-powerbi.png
index 68d57863d9..a730bd0ba7 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-powerbi.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-powerbi.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-complete.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-complete.png
deleted file mode 100644
index 8ca66b33cc..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-complete.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-incomplete.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-incomplete.png
index 554c69e2a6..0d0ebde222 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-incomplete.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-incomplete.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png
index 6b88b46227..eaf5e89d60 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-shared-queries.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-shared-queries.png
index bdcc1997eb..d3b6a7b64b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-shared-queries.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-shared-queries.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping1.png
deleted file mode 100644
index c59c3c04c0..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping1.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png
index 7a8d78a19e..fddaf0076c 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png
index 1f09d12343..55730d43ee 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png
index db6082c4e1..85d190c821 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png
index a66341935b..3cc33d038b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-subscription-expired.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-subscription-expired.png
index 8fc24beeab..26dc2a5bb3 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-subscription-expired.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-subscription-expired.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-task-manager.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-task-manager.png
index 4c4e057756..6202dd62e0 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-task-manager.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-task-manager.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-protection-reports.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-protection-reports.png
index ddda52b1f0..f64c755ac6 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-protection-reports.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-protection-reports.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png
index e39ee3c1ed..e5c1b21246 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-time-zone-menu.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-time-zone-menu.png
new file mode 100644
index 0000000000..430d6ce99e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-time-zone-menu.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-pane.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-pane.png
deleted file mode 100644
index b08381baed..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-pane.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-azureatp.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-azureatp.png
index e3f37f7626..7d9ac1d36d 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-azureatp.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-azureatp.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-tdp.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-tdp.png
deleted file mode 100644
index 8822bdf62d..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-tdp.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png
deleted file mode 100644
index b0732653d6..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details.png
deleted file mode 100644
index 94c0f5cd1f..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-view-ata.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-view-ata.png
deleted file mode 100644
index 2bea8cb48d..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-view-ata.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-windows-cloud-instance-creation.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-windows-cloud-instance-creation.png
deleted file mode 100644
index 990f12c3c8..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-windows-cloud-instance-creation.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/components.png b/windows/security/threat-protection/microsoft-defender-atp/images/components.png
deleted file mode 100644
index 0ddc52f5d3..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/components.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/creating-account.png b/windows/security/threat-protection/microsoft-defender-atp/images/creating-account.png
deleted file mode 100644
index 54599d4b99..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/creating-account.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/dashboard.png
index a91410b6a2..01aa4c4ac4 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/desktop.ini b/windows/security/threat-protection/microsoft-defender-atp/images/desktop.ini
new file mode 100644
index 0000000000..c6b68739d7
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/desktop.ini
@@ -0,0 +1,4 @@
+[LocalizedFileNames]
+atp-mapping7.png=@atp-mapping7,0
+atp-machine-health-details.PNG=@atp-machine-health-details,0
+email-notification.png=@email-notification,0
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/download-file.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/download-file.PNG
new file mode 100644
index 0000000000..fdbbc1cd18
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/download-file.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/email-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/email-notification.png
deleted file mode 100644
index 1b9875fcad..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/email-notification.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png b/windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png
new file mode 100644
index 0000000000..a83123905f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/grant-consent.png b/windows/security/threat-protection/microsoft-defender-atp/images/grant-consent.png
new file mode 100644
index 0000000000..0735940d05
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/grant-consent.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png b/windows/security/threat-protection/microsoft-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png
deleted file mode 100644
index 5e14e15378..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png b/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png
new file mode 100644
index 0000000000..41c451506b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-create2.png b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-create2.png
new file mode 100644
index 0000000000..03c10910cb
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-create2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-select-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-select-permissions.png
index 2114b14c4d..a2f05155dd 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-select-permissions.png and b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-select-permissions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/new-secure-score-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-secure-score-dashboard.png
index b302d30f54..ca19ec82c4 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/new-secure-score-dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/new-secure-score-dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/pending-actions.png b/windows/security/threat-protection/microsoft-defender-atp/images/pending-actions.png
index 8cb0f643a6..74f55f62f5 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/pending-actions.png and b/windows/security/threat-protection/microsoft-defender-atp/images/pending-actions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png b/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png
index 773447a838..39895c6e01 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png and b/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/run-as-admin.png b/windows/security/threat-protection/microsoft-defender-atp/images/run-as-admin.png
index f5166b77bc..784902b963 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/run-as-admin.png and b/windows/security/threat-protection/microsoft-defender-atp/images/run-as-admin.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sec-ops-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/sec-ops-dashboard.png
deleted file mode 100644
index f858a4664a..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/sec-ops-dashboard.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_card.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_card.png
new file mode 100644
index 0000000000..dbf9cf07fa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_card.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_m365exlusions.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_m365exlusions.png
new file mode 100644
index 0000000000..65d9ad6967
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_m365exlusions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_card.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_card.png
new file mode 100644
index 0000000000..c88ea0f49c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_card.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png
new file mode 100644
index 0000000000..f8147866f5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png
new file mode 100644
index 0000000000..a6b401f564
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png
new file mode 100644
index 0000000000..8f88c5899e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png
new file mode 100644
index 0000000000..2955624a72
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_permissions.png
new file mode 100644
index 0000000000..c97ef90085
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_permissions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_main.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_main.png
new file mode 100644
index 0000000000..551526ae72
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_main.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png
new file mode 100644
index 0000000000..097725199f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_2deviceconfprofile.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_2deviceconfprofile.png
new file mode 100644
index 0000000000..7a14844ecd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_2deviceconfprofile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_3assignprofile.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_3assignprofile.png
new file mode 100644
index 0000000000..1a2f78c4ea
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_3assignprofile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_card.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_card.png
new file mode 100644
index 0000000000..331ad032a6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_card.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png
index b1b9ba11c9..1b5f4378e8 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png and b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png
index 083f3a098d..ed1c3f4f2c 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ss1.png b/windows/security/threat-protection/microsoft-defender-atp/images/ss1.png
deleted file mode 100644
index ebd17712d6..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ss1.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-event-schema.png b/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-event-schema.png
new file mode 100644
index 0000000000..d9409e3ab1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-event-schema.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-resource-id.png b/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-resource-id.png
new file mode 100644
index 0000000000..cbd0d20303
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-resource-id.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png
index 309fd3074c..fea2bf16f9 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta.png
index db89f750a7..95ad384e50 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ta.png and b/windows/security/threat-protection/microsoft-defender-atp/images/ta.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png
new file mode 100644
index 0000000000..11d2edcf3e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-breach-insights.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-breach-insights.png
new file mode 100644
index 0000000000..6407cd8f57
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-breach-insights.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-menu.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-menu.png
new file mode 100644
index 0000000000..aeab8c3b5c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-menu.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png
new file mode 100644
index 0000000000..a40e39c3d0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software.png
new file mode 100644
index 0000000000..3ef800afac
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-vuln-globalsearch.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-vuln-globalsearch.png
new file mode 100644
index 0000000000..76af989b3f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-vuln-globalsearch.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-menu.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-menu.png
new file mode 100644
index 0000000000..e210b07bf4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-menu.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png
index 36c8c8b48f..4da702615b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_dashboard.png
index d321e0ca67..580b189700 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_exp_score.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_exp_score.png
new file mode 100644
index 0000000000..301fdf1d11
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_exp_score.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_details.png
index 6e474ccfa6..2b22b3f8b3 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_menu.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_menu.png
index eaaa01d3c0..b77c2cb10a 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_menu.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_menu.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png
index 2711f9560e..ec4fa8bc44 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png
index 3dd9ada0c9..ee0608e4b0 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_recommendations_page.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_recommendations_page.png
index 1ae6f4320d..50736dfe6d 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_recommendations_page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_recommendations_page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_software_page_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_software_page_details.png
index 095eb7424c..a55fa7fdf8 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_software_page_details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_software_page_details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/wdatp-pillars.png b/windows/security/threat-protection/microsoft-defender-atp/images/wdatp-pillars.png
deleted file mode 100644
index 06ad5e6ed2..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/wdatp-pillars.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/wdsc.png b/windows/security/threat-protection/microsoft-defender-atp/images/wdsc.png
deleted file mode 100644
index 3cd583ed74..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/wdsc.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-2.png
deleted file mode 100644
index 8123965c84..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-2.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-end.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-end.png
deleted file mode 100644
index 40f15eb65a..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-end.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-readalerts.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-readalerts.png
deleted file mode 100644
index 2872b71881..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-readalerts.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission.png
deleted file mode 100644
index 38e98ce07d..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-app-id1.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-app-id1.png
deleted file mode 100644
index 4c058c2f93..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-app-id1.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key.png
deleted file mode 100644
index 4ddb1fae83..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key2.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key2.png
new file mode 100644
index 0000000000..99339be6a7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create.png
deleted file mode 100644
index dea9d8493d..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-multitenant.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-multitenant.png
deleted file mode 100644
index 47203a8151..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-multitenant.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-settings.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-settings.png
deleted file mode 100644
index 1b8396b50e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-get-appid.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-get-appid.png
deleted file mode 100644
index 103081f82c..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-get-appid.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-grant-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-grant-permissions.png
deleted file mode 100644
index b7c7e0926f..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-grant-permissions.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-select-permission.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-select-permission.png
deleted file mode 100644
index 8edc069eaf..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-select-permission.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png b/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png
index 7a52f49989..98886ae426 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png and b/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png b/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png
deleted file mode 100644
index 1761e2e539..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png b/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png
deleted file mode 100644
index fbd6a798b0..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
index 72a68df56d..ee65c7302f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
@@ -53,7 +53,7 @@ Default sensitive information types include information such as bank account num
Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type).
-When a file is created or edited on a Windows device, Windows Defender ATP scans the content to evaluate if it contains sensitive information.
+When a file is created or edited on a Windows device, Microsoft Defender ATP scans the content to evaluate if it contains sensitive information.
Turn on the Azure Information Protection integration so that when a file that contains sensitive information is discovered by Microsoft Defender ATP though labels or information types, it is automatically forwarded to Azure Information Protection from the device.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
index a70b53af9f..11e43b707c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
@@ -28,15 +28,14 @@ ms.date: 04/24/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink)
-Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
+Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
-Click an alert to see the alert details view and the various tiles that provide information about the alert.
+Click an alert to see the alert details view and the various tiles that provide information about the alert.
-You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them. You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations.md).
+You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them. You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations.md).
-
The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the machine or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand.
For more information about managing alerts, see [Manage alerts](manage-alerts.md).
@@ -49,7 +48,7 @@ Alerts attributed to an adversary or actor display a colored tile with the actor
-Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs) and areas where they've been observed worldwide. You will also see a set of recommended actions to take.
+Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs), and areas where they've been observed worldwide. You will also see a set of recommended actions to take.
Some actor profiles include a link to download a more comprehensive threat intelligence report.
@@ -86,7 +85,7 @@ The **Incident Graph** expansion by destination IP Address, shows the organizati
You can click the full circles on the incident graph to expand the nodes and view the expansion to other machines where the matching criteria were observed.
## Artifact timeline
-The **Artifact timeline** feature provides an addition view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert.
+The **Artifact timeline** feature provides an additional view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
index 0df367e9d4..8268c3ce96 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
@@ -39,17 +39,31 @@ You can see information from the following sections in the URL view:
- URL in organization
- Most recent observed machines with URL
-## URL Worldwide
-The URL details, contacts, and nameservers sections display various attributes about the URL.
+## URL worldwide
-## Alerts related to this URL
-The **Alerts related to this URL** section provides a list of alerts that are associated with the URL.
+The **URL Worldwide** section lists the URL, a link to further details at Whois, the number of related open incidents, and the number of active alerts.
-## URL in organization
-The **URL in organization** section provides details on the prevalence of the URL in the organization.
+## Incident
-## Most recent observed machinew with URL
-The **Most recent observed machinew with URL** section provides a chronological view on the events and associated alerts that were observed on the URL.
+The **Incident** card displays a bar chart of all active alerts in incidents over the past 180 days.
+
+## Prevalence
+
+The **Prevalence** card provides details on the prevalence of the URL within the organization, over a specified period of time.
+
+Although the default time period is the past 30 days, you can customize the range by selecting the downward-pointing arrow in the corner of the card. The shortest range available is for prevalence over the past day, while the longest range is over the past 6 months.
+
+## Alerts
+
+The **Alerts** tab provides a list of alerts that are associated with the URL. The table shown here is a filtered version of the alerts visible on the Alert queue screen, showing only alerts associated with the domain, their severity, status, the associated incident, classification, investigation state, and more.
+
+The Alerts tab can be adjusted to show more or less information, by selecting **Customize columns** from the action menu above the column headers. The number of items displayed can also be adjusted, by selecting **items per page** on the same menu.
+
+## Observed in organization
+
+The **Observed in organization** tab provides a chronological view on the events and associated alerts that were observed on the URL. This tab includes a timeline and a customizable table listing event details, such as the time, machine, and a brief description of what happened.
+
+You can view events from different periods of time by entering the dates into the text fields above the table headers. You can also customize the time range by selecting different areas of the timeline.
**Investigate a domain:**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
index cf7f97c744..aa344ebf81 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
@@ -17,58 +17,89 @@ ms.collection: M365-security-compliance
ms.topic: article
ms.date: 04/24/2018
---
+
# Investigate a file associated with a Microsoft Defender ATP alert
**Applies to:**
-
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+[!include[Prerelease information](prerelease.md)]
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
-You can investigate files by using the search feature, clicking on a link from the **Alert process tree**, **Incident graph**, **Artifact timeline**, or from an event listed in the **Machine timeline**.
+There are many ways to access the detailed profile page of a specific file. For example, you can use the search feature, click on a link from the **Alert process tree**, **Incident graph**, **Artifact timeline**, or select an event listed in the **Machine timeline**.
+
+Once on the detailed profile page, you can switch between the new and old page layouts by toggling **new File page**. The rest of this article describes the newer page layout.
You can get information from the following sections in the file view:
-- File details, Malware detection, Prevalence worldwide
+- File details, Malware detection, File prevalence
- Deep analysis
-- Alerts related to this file
-- File in organization
-- Most recent observed machines with file
+- Alerts
+- Observed in organization
+- Deep analysis
+- File names
-## File worldwide and Deep analysis
-The file details, malware detection, and prevalence worldwide sections display various attributes about the file. You’ll see actions you can take on the file. For more information on how to take action on a file, see [Take response action on a file](respond-file-alerts.md).
+You can also take action on a file from this page.
-You'll see details such as the file’s MD5, the VirusTotal detection ratio and Windows Defender AV detection if available, and the file’s prevalence worldwide. You'll also be able to [submit a file for deep analysis](respond-file-alerts.md#deep-analysis).
+## File actions
+
+Along the top of the profile page, above the file information cards. Actions you can perform here include:
+
+- Stop and quarantine
+- Add/edit indicator
+- Download file
+- Action center
+
+For more information on these actions, see [Take response action on a file](respond-file-alerts.md).
+
+## File details, Malware detection, and File prevalence
+
+The file details, incident, malware detection, and file prevalence cards display various attributes about the file.
+
+You'll see details such as the file’s MD5, the Virus Total detection ratio, and Windows Defender AV detection if available, and the file’s prevalence, both worldwide and within your organizations.
-## Alerts related to this file
-The **Alerts related to this file** section provides a list of alerts that are associated with the file. This list is a simplified version of the Alerts queue, and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
+## Alerts
+
+The **Alerts** tab provides a list of alerts that are associated with the file. This list covers much of the same information as the Alerts queue, except for the machine group, if any, the affected machine belongs to. You can choose what kind of information is shown by selecting **Customize columns** from the toolbar above the column headers.
-## File in organization
-The **File in organization** section provides details on the prevalence of the file, prevalence in email inboxes and the name observed in the organization.
+## Observed in organization
-
+The **Observed in organization** tab allows you to specify a date range to see which devices have been observed with the file.
-## Most recent observed machines with the file
-The **Most recent observed machines with the file** section allows you to specify a date range to see which machines have been observed with the file.
+>[!NOTE]
+>This tab will show a maximum number of 100 machines. To see _all_ devices with the file, export the tab to a CSV file, by selecting **Export** from the action menu above the tab's column headers.
-This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if you’re trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
+Use the slider or the range selector to quickly specify a time period that you want to check for events involving the file. You can specify a time window as small as a single day. This will allow you to see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
+
+## Deep analysis
+
+The **Deep analysis** tab allows you to [submit the file for deep analysis](respond-file-alerts.md#deep-analysis), to uncover more details about the the file's behavior, as well as the effect it is having within your organizations. After you submit the file, the deep analysis report will appear in this tab once results are available. If deep analysis did not find anything, the report will be empty and the results space will remain blank.
+
+
+
+## File names
+
+The **File names** tab lists all names the file has been observed to use, within your organizations.
+
+
## Related topics
+
- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
-- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
\ No newline at end of file
+- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
+- [Take response actions on a file](respond-file-alerts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
index cddaa7e5f6..acff32cc9b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
@@ -25,6 +25,11 @@ ms.topic: article
Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them.
+When you investigate an incident, you'll see:
+- Incident details
+- Incident comments and actions
+- Tabs (alerts, machines, investigations, evidence, graph)
+
## Analyze incident details
Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph).
@@ -40,8 +45,6 @@ Alerts are grouped into incidents based on the following reasons:
- Same file - The files associated with the alert are exactly the same
- Same URL - The URL that triggered the alert is exactly the same
-
-
You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
index eaabada51a..4f3711af17 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
@@ -17,15 +17,13 @@ ms.collection: M365-security-compliance
ms.topic: article
ms.date: 04/24/2018
---
+
# Investigate an IP address associated with a Microsoft Defender ATP alert
**Applies to:**
-
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
Examine possible communication between your machines and external internet protocol (IP) addresses.
@@ -34,22 +32,31 @@ Identifying all machines in the organization that communicated with a suspected
You can find information from the following sections in the IP address view:
-- IP worldwide, Reverse DNS names
+- IP worldwide
+- Reverse DNS names
- Alerts related to this IP
- IP in organization
-- Most recent observed machines with IP
+- Prevalence
## IP Worldwide and Reverse DNS names
+
The IP address details section shows attributes of the IP address such as its ASN and its Reverse DNS names.
## Alerts related to this IP
-The **Alerts related to this IP** section provides a list of alerts that are associated with the IP.
+
+The **Alerts related to this IP** section provides a list of alerts that are associated with the IP.
## IP in organization
+
The **IP in organization** section provides details on the prevalence of the IP address in the organization.
+## Prevalence
+
+The **Prevalence** section displays how many machines have connected to this IP address, and when the IP was first and last seen. You can filter the results of this section by time period; the default period is 30 days.
+
## Most recent observed machines with IP
-The **Most recent observed machines with IP** section provides a chronological view on the events and associated alerts that were observed on the IP address.
+
+The **Most recent observed machines** with IP section provides a chronological view on the events and associated alerts that were observed on the IP address.
**Investigate an external IP:**
@@ -67,6 +74,7 @@ Use the search filters to define the search criteria. You can also use the timel
Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
## Related topics
+
- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
index 5cdc7994a1..216cc284d1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@@ -20,11 +20,12 @@ ms.topic: article
# Investigate machines in the Microsoft Defender ATP Machines list
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
-Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach.
+Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of the breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
@@ -61,41 +62,42 @@ Response actions run along the top of a specific machine page and include:
- Isolate machine
- Action center
-You can take response actions in the action center, in a specific machine page, or in a specific file page.
+You can take response actions in the Action center, in a specific machine page, or in a specific file page.
For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts.md).
- For more information, see [Investigate user entities](investigate-user.md).
+For more information, see [Investigate user entities](investigate-user.md).
+
## Cards
### Active alerts
-If you have enabled the Azure ATP feature and there are alerts related to the machine, you can view a high level overview of the alerts and risk level. More information is available in the "Alerts" drill down.
+The **Azure Advanced Threat Protection** card will display a high-level overview of alerts related to the machine and their risk level, if you have enabled the Azure ATP feature, and there are any active alerts. More information is available in the "Alerts" drill down.
-
+
>[!NOTE]
>You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
### Logged on users
-The "Logged on users" tile shows the amount of users who have logged on in the past 30 days, along with the most and least frequent users. Selecting the "See all users" link opens the details pane that displays information such as user type, logon type, and first/last seen. For more information, see [Investigate user entities](investigate-user.md).
+The **Logged on users** card shows how many users have logged on in the past 30 days, along with the most and least frequent users. Selecting the "See all users" link opens the details pane, which displays information such as user type, log on type, and when the user was first and last seen. For more information, see [Investigate user entities](investigate-user.md).
### Security assessments
-The Security assessments tile shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A machine's exposure level is determined by the cumulative impact of it's pending security recommendations.
+The **Security assessments** card shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A machine's exposure level is determined by the cumulative impact of its pending security recommendations.
-
+
## Tabs
-The five tabs under the cards section show relevant security and threat prevention information related to the machine. In every tab, you can customize the columns that are shown.
+The five tabs under the cards section show relevant security and threat prevention information related to the machine. In each tab, you can customize the columns that are shown by selecting **Customize columns** from the bar above the column headers.
### Alerts
-The **Alerts** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts and customize the columns.
+The **Alerts** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts.
@@ -112,6 +114,7 @@ Timeline also enables you to selectively drill down into events that occurred wi
>[!NOTE]
> For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-filtering-platform-connection).
>Firewall covers the following events
+>
>- [5025](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5025) - firewall service stopped
>- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network
>- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection
@@ -142,13 +145,13 @@ You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline
### Security recommendations
-**Security recommendations** are generated from Microsoft Defender ATP's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it.
+**Security recommendations** are generated from Microsoft Defender ATP's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details.
### Software inventory
-The **Software inventory** section lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed machines, and version distribution.
+The **Software inventory** section lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed machines, and version distribution. See [Software inventory](tvm-software-inventory.md) for details
@@ -159,6 +162,7 @@ The **Discovered vulnerabilities** section shows the name, severity, and threat
## Related topics
+
- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
@@ -166,3 +170,5 @@ The **Discovered vulnerabilities** section shows the name, severity, and threat
- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
+- [Security recommendation](tvm-security-recommendation.md)
+- [Software inventory](tvm-software-inventory.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
index f4570512ea..4ef33de1cf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
@@ -23,14 +23,14 @@ ms.date: 04/24/2018
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink)
## Investigate user account entities
+
Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account.
You can find user account information in the following views:
+
- Dashboard
- Alert queue
- Machine details page
@@ -38,34 +38,39 @@ You can find user account information in the following views:
A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown.
When you investigate a user account entity, you'll see:
+
- User account details, Azure Advanced Threat Protection (Azure ATP) alerts, and Logged on machines
- Alerts related to this user
- Observed in organization (machines logged on to)
-**User details**
-The user account entity details, Azure ATP alerts, and logged on machines sections display various attributes about the user account.
+The user account details, Azure ATP alerts, and logged on machines cards display various attributes about the user account.
-The user entity tile provides details about the user such as when the user was first and last seen. Depending on the integration features you enable, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal.
+### User details
-**Azure Advanced Threat Protection**
-If you have enabled the Azure ATP feature and there are alerts related to the user, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided. The Azure ATP tile also provides details such as the last AD site, total group memberships, and login failure associated with the user.
+The **User details** card provides information about the user, such as when the user was first and last seen. Depending on the integration features you've enabled, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal.
+
+### Azure Advanced Threat Protection
+
+The **Azure Advanced Threat Protection** card will contain a link that will take you to the Azure ATP page, if you have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will provide more information about the alerts. This card also provides details such as the last AD site, total group memberships, and login failure associated with the user.
>[!NOTE]
>You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
-**Logged on machines**
-You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.
+### Logged on machines
+The **Logged on machines** card shows a list of the machines that the user has logged on to. You can expand these to see details of the log-on events for each machine.
## Alerts related to this user
-This section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.
+
+The **Alerts related to this user** section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.
## Observed in organization
-This section allows you to specify a date range to see a list of machines where this user was observed logged on to, and the most frequent and least frequent logged on user account on each of these machines.
-The machine health state is displayed in the machine icon and color as well as in a description text. Clicking on the icon displays additional details regarding machine health.
+The **Observed in organization** section allows you to specify a date range to see a list of machines where this user was observed logged on to, the most frequent and least frequent logged on user account for each of these machines, and total observed users on each machine.
+
+Selecting an item on the Observed in organization table will expand the item, revealing more details about the machine. Directly selecting a link within an item will send you to the corresponding page.
@@ -78,6 +83,7 @@ The machine health state is displayed in the machine icon and color as well as i
A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of machines it was observed logged on to in the last 30 days.
You can filter the results by the following time periods:
+
- 1 day
- 3 days
- 7 days
@@ -85,6 +91,7 @@ You can filter the results by the following time periods:
- 6 months
## Related topics
+
- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
@@ -92,4 +99,3 @@ You can filter the results by the following time periods:
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/licensing.md b/windows/security/threat-protection/microsoft-defender-atp/licensing.md
index 934b929def..d96d8546ea 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/licensing.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/licensing.md
@@ -30,15 +30,16 @@ ms.topic: article
Checking for the license state and whether it got properly provisioned, can be done through the **Office 365 admin center** or through the **Microsoft Azure portal**.
-1. In the **Office 365 admin center** navigate to **Billing** > **Subscriptions**.
+1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
+
+ 
+
+1. Alternately, in the **Office 365 admin center**, navigate to **Billing** > **Subscriptions**.
- On the screen you will see all the provisioned licenses and their current **Status**.
-2. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
-
- 
## Cloud Service Provider validation
@@ -103,8 +104,6 @@ When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windo
5. A dedicated cloud instance of Microsoft Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete.
- 
-
6. You are almost done. Before you can start using Microsoft Defender ATP you'll need to:
- [Onboard Windows 10 machines](configure-endpoints.md)
@@ -119,8 +118,6 @@ When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windo
7. After onboarding machines you can click **Start using Microsoft Defender ATP**. You will now launch Microsoft Defender ATP for the first time.
- 
-
## Related topics
- [Onboard machines to the Microsoft Defender Advanced Threat Protection service](onboard-configure.md)
- [Troubleshoot onboarding process and portal access issues](troubleshoot-onboarding-error-messages.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
index c5abbcade3..22efe55158 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
@@ -22,8 +22,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[!include[Prerelease information](prerelease.md)]
-
+
The machines status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.
The dashboard is structured into two sections:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
index 046e0f4f05..9a0cc2d05f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
@@ -26,11 +26,11 @@ ms.topic: article
Microsoft Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**.
-You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view.
+You can manage alerts by selecting an alert in the **Alerts queue**, or the **Alerts** tab of the Machine page for an individual device.
Selecting an alert in either of those places brings up the **Alert management pane**.
-
+
## Link to another incident
You can create a new incident from the alert or link to an existing incident.
@@ -40,11 +40,11 @@ If an alert is no yet assigned, you can select **Assign to me** to assign the al
## Suppress alerts
-There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security Center. Microsoft Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
+There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security Center. Microsoft Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
-When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created.
+When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue, prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created.
There are two contexts for a suppression rule that you can choose from:
@@ -60,7 +60,6 @@ You can use the examples in the following table to help you choose the context f
| **Suppress alert on this machine** | Alerts with the same alert title and on that specific machine only will be suppressed.
All other alerts on that machine will not be suppressed. | - A security researcher is investigating a malicious script that has been used to attack other machines in your organization.
- A developer regularly creates PowerShell scripts for their team.
|
| **Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed. | - A benign administrative tool is used by everyone in your organization.
|
-
### Suppress an alert and create a new suppression rule:
Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions. After specifying the context, you’ll be able to configure the action and scope on the alert.
@@ -68,13 +67,13 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
2. Select **Create a suppression rule**.
- You can create a suppression rule based on the following attributes:
+ You can create a suppression condition using these attributes. An AND operator is applied between each condition, so suppression occurs only if all conditions are met.
- * File hash
- * File name - wild card supported
- * File path - wild card supported
- * IP
- * URL - wild card supported
+ * File SHA1
+ * File name - wildcard supported
+ * Folder path - wildcard supported
+ * IP address
+ * URL - wildcard supported
3. Select the **Trigerring IOC**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index 4db5431253..1521bb3b89 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -102,7 +102,7 @@ You'll also have access to the following sections that help you see details of t
- Investigation graph
- Alerts
- Machines
-- Threats
+- Key findings
- Entities
- Log
- Pending actions
@@ -138,7 +138,7 @@ Selecting a machine using the checkbox brings up the machine details pane where
Clicking on an machine name brings you the machine page.
-### Threats
+### Key findings
Shows details related to threats associated with this investigation.
### Entities
@@ -162,37 +162,9 @@ If there are pending actions on an Automated investigation, you'll see a pop up
-When you click on the pending actions link, you'll be taken to the pending actions page. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Pending actions**.
+When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Action center**. For more information, see [Action center](auto-investigation-action-center.md).
-The pending actions view aggregates all investigations that require an action for an investigation to proceed or be completed.
-
-
-
-Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
-
-From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
-
-Pending actions are grouped together in the following tabs:
-- Quarantine file
-- Remove persistence
-- Stop process
-- Expand pivot
-- Quarantine service
-
->[!NOTE]
->The tab will only appear if there are pending actions for that category.
-
-### Approve or reject an action
-You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.
-
-Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed.
-
-
-
-From the panel, you can click on the Open investigation page link to see the investigation details.
-
-You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.
-
## Related topic
- [Investigate Microsoft Defender ATP alerts](investigate-alerts.md)
+- [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
index 31fb4bb075..6f2cd9df63 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
@@ -23,11 +23,15 @@ ms.date: 010/08/2018
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress.
+Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**.
+
+
+Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details.
+
-Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details.
+You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress.
@@ -35,28 +39,26 @@ Selecting an incident from the **Incidents queue** brings up the **Incident mana
## Assign incidents
If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
-## Change the incident status
+## Set status and classification
+### Incident status
You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents.
For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation.
Alternatively, your SoC analyst might set the incident as **Resolved** if the incident has been remediated.
-## Classify the incident
+### Classification
You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.
-## Rename incident
-By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification.
-
-
-
-## Add comments and view the history of an incident
+### Add comments
You can add comments and view historical events about an incident to see previous changes made to it.
Whenever a change or comment is made to an alert, it is recorded in the Comments and history section.
Added comments instantly appear on the pane.
+
+
## Related topics
- [Incidents queue](incidents-queue.md)
- [View and organize the Incidents queue](view-incidents-queue.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index 661633b8eb..ba54f650be 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -45,6 +45,16 @@ For a detailed comparison table of Windows 10 commercial edition comparison, see
For more information about licensing requirements for Microsoft Defender ATP platform on Windows Server, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114).
+## Browser requirements
+Access to Microsoft Defender ATP is done through a browser, supporting the following browsers:
+- Microsoft Edge
+- Internet Explorer version 11
+- Google Chrome
+
+>[!NOTE]
+>While other browsers might work, the mentioned browsers are the ones supported.
+
+
## Hardware and software requirements
### Supported Windows versions
- Windows 7 SP1 Enterprise
@@ -146,6 +156,9 @@ For more information on additional proxy configuration settings see, [Configure
Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
+
+
+
## Windows Defender Antivirus configuration requirement
The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 070ec84568..cc13be6a2b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -1,6 +1,5 @@
---
title: Next-generation Threat & Vulnerability Management
-ms.reviewer:
description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning
search.product: eADQiWindows 10XVcnh
@@ -9,8 +8,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
+ms.author: dolmont
+author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -22,18 +21,14 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[!include[Prerelease information](prerelease.md)]
-
-Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrustructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
+Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
## Next-generation capabilities
Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase.
-It is the first solution in the industry to automate the remediation process through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) for patching, configuration changes, or upgrades.
->[!Note]
-> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks.
+It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
@@ -44,25 +39,30 @@ It provides the following solutions to frequently-cited gaps across security ope
To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides:
- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
-- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, as well as software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
-- Application runtime context. Constant visibility into application usage patterns for better prioritization and decision-making. Critical dependencies, such as vulnerable runtime libraries being loaded by other applications, are made visible.
-- Configuration posture. Visibility into organizational security configuration, surfacing issues like disabled antivirus, enabled SMBv1, or misconfigurations that could allow escalation of privileges. Issues are reported in the dashboard with actionable security recommendations.
+- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, and software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
+- Application runtime context. Visibility on application usage patterns for better prioritization and decision-making.
+- Configuration posture. Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations.
### Intelligence-driven prioritization
Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context:
- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
-- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to call attention to exposed machines with business-critical applications, confidential data, or high-value users.
+- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users.
### Seamless remediation
Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
-- One-click remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click. We plan to expand this capability to other IT security management platforms.
+- Remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
## Related topics
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
index 9d743faca2..cb57adc063 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
@@ -41,7 +41,7 @@ The Microsoft secure score tile is reflective of the sum of all the Windows Defe
-Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
+Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Microsoft Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/en-us/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).
@@ -74,7 +74,7 @@ Clicking on the affected machines link at the top of the table takes you to the
Within the tile, you can click on each control to see the recommended optimizations.
-Clicking the link under the Misconfigured machines column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
+Clicking the link under the **Misconfigured machines** column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
## Related topic
- [Threat analytics](threat-analytics.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
index 200d144ad9..84cf299759 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
@@ -49,17 +49,25 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
-(1) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Automated investigations**, **Machines list**, **Service health**, **Advanced hunting**, and **Settings**.
-**Dashboards** | Access the Security operations, the Secure Score, or Threat analytics dashboard.
+**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Machines list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Interoperability**, **Threat & vulnerability management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**.
+**Dashboards** | Access the Security operations, the Secure Score, or Threat analytics dashboard.
**Incidents** | View alerts that have been aggregated as incidents.
-**Alerts** | View alerts generated from machines in your organizations.
+**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and the corresponding number of alerts.
+**Alerts queue** | View alerts generated from machines in your organizations.
**Automated investigations** | Displays a list of automated investigations that's been conducted in the network, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.
-**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and the corresponding number of alerts.
+**Reports** | View graphs detailing alert trends over time, and alert summary charts categorizing threats by severity, status, and attack approach
+**Interoperability** | Lists supported partner applications that can work together with Microsoft Defender, as well as applications that are already connected to Microsoft Defender.
+**Threat & Vulnerability management** | View your configuration score, exposure score, exposed machines, vulnerable software, and take action on top security recommendations.
+**Evaluation and tutorials** | Manage test machines, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walkthrough in a trial environment.
**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
-**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard.
+**Configuration management** | Displays on-boarded machines, your organizations' security baseline, predictive analysis, and allows you to perform attack surface management on your machines.
+**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard.
**(2) Main portal** | Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
-**(3) Community center, Time settings, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product. **Time settings** - Gives you access to the configuration settings where you can set time zones and view license information. **Help and support** - Gives you access to the Microsoft Defender ATP guide, Microsoft support, and Premier support. **Feedback** - Access the feedback button to provide comments about the portal.
+**(3) Community center, Localization, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product. **Time settings** - Gives you access to the configuration settings where you can set time zones and view license information. **Help and support** - Gives you access to the Microsoft Defender ATP guide, Microsoft support, and Premier support. **Feedback** - Access the feedback button to provide comments about the portal.
+
+> [!NOTE]
+> For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions.
## Microsoft Defender ATP icons
The following table provides information on the icons used all throughout the portal:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
index c70bb4f029..31ca59c206 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
@@ -175,14 +175,10 @@ You can use Power BI Desktop to analyse data from Microsoft Defender ATP and mas
1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Microsoft Defender Advanced Threat Protection**.
- 
-
2. Click **Connect**.
3. On the Preview Connector windows, click **Continue**.
- 
-
4. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
@@ -191,8 +187,6 @@ You can use Power BI Desktop to analyse data from Microsoft Defender ATP and mas
6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph.
- 
-
7. Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source.
8. Add visuals and select fields from the available data sources.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
new file mode 100644
index 0000000000..74282e67bc
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
@@ -0,0 +1,89 @@
+---
+title: Stream Microsoft Defender Advanced Threat Protection events.
+description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to your Event Hub.
+keywords: raw data export, streaming API, API, Azure Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Azure Event Hubs
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+
+## Before you begin:
+
+1. Create an [event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) in your tenant.
+2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
+
+## Enable raw data streaming:
+
+1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) with a Global Admin user.
+2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
+3. Click on **Add data export settings**.
+4. Choose a name for your new settings.
+5. Choose **Forward events to Azure Event Hubs**.
+6. Type your **Event Hubs name** and your **Event Hubs resource ID**.
+ In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**:
+
+ 
+
+7. Choose the events you want to stream and click **Save**.
+
+## The schema of the events in Azure Event Hubs:
+
+```
+{
+ "records": [
+ {
+ "time": ""
+ "tenantId": ""
+ "category": ""
+ "properties": { }
+ }
+ ...
+ ]
+}
+```
+
+- Each event hub message in Azure Event Hubs contains list of records.
+- Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
+- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](overview-hunting.md).
+
+## Data types mapping:
+
+To get the data types for event properties do the following:
+
+1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
+2. Run the following query to get the data types mapping for each event:
+
+```
+{EventType}
+| getschema
+| project ColumnName, ColumnType
+
+```
+
+- Here is an example for Machine Info event:
+
+
+
+## Related topics
+- [Overview of Advanced Hunting](overview-hunting.md)
+- [Microsoft Defender ATP streaming API](raw-data-export.md)
+- [Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)
+- [Azure Event Hubs documentation](https://docs.microsoft.com/en-us/azure/event-hubs/)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
new file mode 100644
index 0000000000..1cea01f7d1
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
@@ -0,0 +1,89 @@
+---
+title: Stream Microsoft Defender Advanced Threat Protection events.
+description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account.
+keywords: raw data export, streaming API, API, Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+
+## Before you begin:
+
+1. Create a [Storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview) in your tenant.
+2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
+
+## Enable raw data streaming:
+
+1. Log in to [Microsoft Defender ATP portal](https://securitycenter.windows.com) with Global Admin user.
+2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
+3. Click on **Add data export settings**.
+4. Choose a name for your new settings.
+5. Choose **Forward events to Azure Storage**.
+6. Type your **Storage Account Resource Id**. In order to get your **Storage Account Resource Id**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**:
+
+ 
+
+7. Choose the events you want to stream and click **Save**.
+
+## The schema of the events in the Storage account:
+
+- A blob container will be created for each event type:
+
+
+
+- The schema of each row in a blob is the following JSON:
+
+```
+{
+ "time": ""
+ "tenantId": ""
+ "category": ""
+ "properties": { }
+}
+```
+
+- Each blob contains multiple rows.
+- Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
+- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](overview-hunting.md).
+
+## Data types mapping:
+
+In order to get the data types for our events properties do the following:
+
+1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
+2. Run the following query to get the data types mapping for each event:
+
+```
+{EventType}
+| getschema
+| project ColumnName, ColumnType
+
+```
+
+- Here is an example for Machine Info event:
+
+
+
+## Related topics
+- [Overview of Advanced Hunting](overview-hunting.md)
+- [Microsoft Defender Advanced Threat Protection Streaming API](raw-data-export.md)
+- [Stream Microsoft Defender Advanced Threat Protection events to your Azure storage account](raw-data-export-storage.md)
+- [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
new file mode 100644
index 0000000000..1349b4a57b
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
@@ -0,0 +1,43 @@
+---
+title: Stream Microsoft Defender Advanced Threat Protection event
+description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to Event Hubs or Azure storage account
+keywords: raw data export, streaming API, API, Event hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Raw Data Streaming API (Preview)
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+
+## Stream Advanced Hunting events to Event Hubs and/or Azure storage account.
+
+Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](overview-hunting.md) to an [Event Hubs](https://docs.microsoft.com/en-us/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/en-us/azure/event-hubs/).
+
+## In this section
+
+Topic | Description
+:---|:---
+[Stream Microsoft Defender ATP events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](overview-hunting.md) to Event Hubs.
+[Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](overview-hunting.md) to your Azure storage account.
+
+
+## Related topics
+- [Overview of Advanced Hunting](overview-hunting.md)
+- [Azure Event Hubs documentation](https://docs.microsoft.com/en-us/azure/event-hubs/)
+- [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index 80f4ea3708..e2db21f7ff 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -20,30 +20,40 @@ ms.topic: article
# Take response actions on a file
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink)
-Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center.
+Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details in the Action center.
->[!IMPORTANT]
->These response actions are only available for machines on Windows 10, version 1703 or later.
+Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new and old page layouts by toggling **new File page**. The rest of this article describes the newer page layout.
-You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file.
+Response actions run along the top of the file page, and include:
+
+- Stop and Quarantine File
+- Add Indicator
+- Download file
+- Action center
+
+You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep analysis and read past reports by selecting the **Deep analysis** tab. It's located below the file information cards.
## Stop and quarantine files in your network
-You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed.
+You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed.
>[!IMPORTANT]
>You can only take this action if:
+>
> - The machine you're taking the action on is running Windows 10, version 1703 or later
> - The file does not belong to trusted third-party publishers or not signed by Microsoft
> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
-The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys.
+The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data, such as any registry keys.
-The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
+This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
>[!NOTE]
>You’ll be able to restore the file from quarantine at any time.
@@ -55,13 +65,13 @@ The action takes effect on machines with Windows 10, version 1703 or later, wher
- **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
- **Search box** - select File from the drop–down menu and enter the file name
-2. Open the **Actions menu** and select **Stop and Quarantine File**.
+2. Go to the top bar and select **Stop and Quarantine File**.
-3. Specify a reason, then click **Yes, stop and quarantine**.
+3. Specify a reason, then click **Confirm**.
- 
+ 
The Action center shows the submission information:
@@ -80,14 +90,9 @@ When the file is being removed from a machine, the following notification is sho
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
->[!IMPORTANT]
->The **Action** button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal of critical system files and files used by important applications.
+For files that widely used throughout an organization, a warning is shown before an action is implemented, to validate that the operation is intended.
-
-
-For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended.
-
-## Remove file from quarantine
+## Restore file from quarantine
You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run the following command on each machine where the file was quarantined.
@@ -98,118 +103,84 @@ You can roll back and remove a file from quarantine if you’ve determined that
b. Right–click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
- ```
+
+ ```Powershell
“%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All
```
> [!NOTE]
> Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
-## Block files in your network
+## Add indicator to block or allow a file
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
>[!IMPORTANT]
+>
>- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+>
>- The Antimalware client version must be 4.18.1901.x or later.
->- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
+>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
>- This response action is available for machines on Windows 10, version 1703 or later.
>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action.
>[!NOTE]
-> The PE file needs to be in the machine timeline for you to be able to take this action.
->- There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
+> The PE file needs to be in the machine timeline for you to be able to take this action.
+>
+> There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
### Enable the block file feature
-Before you can block files, you'll need to enable the feature.
-
-1. In the navigation pane, select **Settings** > **Advanced features** > **Block file**.
-
-2. Toggle the setting between **On** and **Off** and select **Save preferences**.
-
- 
+To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
-### Block a file
+### Allow or block file
-1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
+When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it.
- - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
- - **Search box** - select File from the drop–down menu and enter the file name
+Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.
-2. Open the **Actions menu** and select **Block**.
+ See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files.
- 
+To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. This action will be visible in the same position that the **Add Indicator** action was, before you added the indicator.
-3. Specify a reason and select **Yes, block file** to take action on the file.
+You can also edit indicators from the **Settings** page, under **Rules** > **Indicators**. Indicators are listed in this area by their file's hash.
- 
+## Download or collect file
- The Action center shows the submission information:
- 
+Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file.
- - **Submission time** - Shows when the action was submitted.
- - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
- - **Status** - Indicates whether the file was added to or removed from the blacklist.
+
-When the file is blocked, there will be a new event in the machine timeline.
+When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are downloading the file. You can also set a password to open the file.
->[!NOTE]
->-If a file was scanned before the action was taken, it may take longer to be effective on the device.
+
-**Notification on machine user**:
-When a file is being blocked on the machine, the following notification is displayed to inform the user that the file was blocked:
-
-
-
->[!NOTE]
->The **Action** button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization caused by the removal of files that might be related to the operating system.
-
-
-
-For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended.
-
-## Remove file from blocked list
-
-1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:
-
- - **Alerts** - Click the file links from the Description or Details in the Artifact timeline
- - **Search box** - Select File from the drop–down menu and enter the file name
-
-2. Open the **Actions** menu and select **Remove file from blocked list**.
-
- 
-
-3. Type a comment and select **Yes** to take action on the file. The file will be allowed to run in the organization.
-
-## Check activity details in Action center
-
-The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the details on the last action that were taken on a file such as stopped and quarantined files or blocked files.
+If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a **Collect file** button in the same location. If a file has not been seen in the organization in the past 30 days, **Collect file** will be disabled.
## Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
-The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
+The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
Deep analysis currently supports extensive analysis of portable executable (PE) files (including _.exe_ and _.dll_ files).
-Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the File view page, under a new **Deep analysis summary** section. The summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk.
+Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to display the date and time of the latest results available, as well as a summary of the report itself.
+
+The Deep analysis summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk. If nothing was found, these sections will simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
-### Submit files for analysis
+Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the the file's profile page.
-Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
-
-In the file's page, **Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
+**Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
> [!NOTE]
> Only files from Windows 10 can be automatically collected.
-You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
+You can also manually submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
> [!NOTE]
-> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Microsoft Defender ATP.
+> Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications.
@@ -221,7 +192,7 @@ When the sample is collected, Microsoft Defender ATP runs the file in is a secur
- **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
- Search box - select **File** from the drop–down menu and enter the file name
-2. In the **Deep analysis** section of the file view, click **Submit**.
+2. In the **Deep analysis** tab of the file view, click **Submit**.
@@ -232,7 +203,7 @@ A progress bar is displayed and provides information on the different stages of
> [!NOTE]
> Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–submit files for deep analysis to get fresh data on the file.
-### View deep analysis reports
+**View deep analysis reports**
View the deep analysis report that Microsoft Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
@@ -244,29 +215,32 @@ You can view the comprehensive report that provides details on the following sec
The details provided can help you investigate if there are indications of a potential attack.
1. Select the file you submitted for deep analysis.
-2. Click **See the report below**. Information on the analysis is displayed.
+2. Select the **Deep analysis** tab. If there are any previous reports, the report summary will appear in this tab.
- 
+ 
-### Troubleshoot deep analysis
+**Troubleshoot deep analysis**
If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
-2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
-3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
-4. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:
+1. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
+1. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
+1. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:
- ```
+ ```Powershell
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
- Type: DWORD
+ Type: DWORD
Hexadecimal value :
Value = 0 – block sample collection
Value = 1 – allow sample collection
```
-5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md).
-6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
-## Related topic
+1. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md).
+1. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
+
+## Related topics
+
- [Take response actions on a machine](respond-machine-alerts.md)
+- [Investigate files](investigate-files.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
index 5dbaa71b01..f7c9eff384 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
@@ -116,13 +116,6 @@ The tile shows you a list of user accounts with the most active alerts and the n
Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user.md).
-## Suspicious activities
-This tile shows audit events based on detections from various security components.
-
-
-
-
-
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink)
## Related topics
@@ -130,4 +123,3 @@ This tile shows audit events based on detections from various security component
- [Portal overview](portal-overview.md)
- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
index 0bafd26ecf..a1c5557fed 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
@@ -1,7 +1,7 @@
---
-title: Microsoft Defender Advanced Threat Protection Threat analytics
+title: Track and respond to emerging threats with Microsoft Defender ATP threat analytics
ms.reviewer:
-description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization.
+description: Learn about emerging threats and attack techniques and how to stop them. Assess their impact to your organization and evaluate your organizational resilience.
keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -9,8 +9,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
+ms.author: lomayor
+author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -18,49 +18,46 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Threat analytics
+# Track and respond to emerging threats with threat analytics
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to quickly assess their security posture, covering the impact of emerging threats and their organizational resilience.
-Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to be able to quickly assess their security posture, including impact, and organizational resilience in the context of specific emerging threats.
+Threat analytics is a set of reports published by Microsoft security researchers as soon as emerging threats and outbreaks are identified. The reports help you assess the impact of threats to your environment and identify actions that can contain them.
-Threat Analytics is a set of interactive reports published by the Microsoft Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help you the assess impact of threats in your environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
-
+## View the threat analytics dashboard
->[!NOTE]
->The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts being resolved within a few days.
+The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It provides several overviews about the threats covered in the reports:
-Each threat report provides a summary to describe details such as where the threat is coming from, where it's been seen, or techniques and tools that were used by the threat.
+- **Latest threats** — lists the most recently published threat reports, along with the number of machines with resolved and unresolved alerts.
+- **High-impact threats** — lists the threats that have had the highest impact on the organization in terms of the number of machines that have had related alerts, along with the number of machines with resolved and unresolved alerts.
+- **Threat summary** — shows the number of threats among the threats reported in threat analytics with actual alerts.
-The dashboard shows the impact in your organization through the following tiles:
-- Machines with alerts - shows the current distinct number of impacted machines in your organization
-- Machines with alerts over time - shows the distinct number of impacted over time
-- Mitigation recommendations - lists the measurable mitigations and the number of machines that do not have each of the mitigations in place
-- Mitigation status - shows the number of mitigated and unmitigated machines. Machines are considered mitigated if they have all the measurable mitigations in place.
-- Mitigation status over time - shows the distinct number of machines that have been mitigated, unmitigated, and unavailable over time
+
+
+Select a threat on any of the overviews or on the table to view the report for that threat.
+
+## View a threat analytics report
+
+Each threat report generally provides an overview of the threat and an analysis of the techniques and tools used by the threat. It also provides worldwide impact information, mitigation recommendations, and detection information. It includes several cards that show dynamic data about how your organization is impacted by the threat and how prepared it is to stop the threat.
-## Organizational impact
-You can assess the organizational impact of a threat using the **Machines with alerts** and **Machines with alerts over time** tiles.
+### Organizational impact
+Each report includes cards designed to provide information about the organizational impact of a threat:
+- **Machines with alerts** — shows the current number of distinct machines in your organization that have been impacted by the threat. A machine is categorized as **Active** if there is at least 1 alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the machine have been resolved.
+- **Machines with alerts over time** — shows the number of distinct machines with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
-A machine is categorized as **Active** if there is at least 1 alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the machine are resolved.
-
-
-The **Machine with alerts over time**, shows the number of distinct machines with **Active** and **Resolved alerts over time**. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts being resolved within a few days.
-## Organizational resilience
-The **Mitigation recommendations** section provides specific actionable recommendations to improve your visibility into this threat and increase your organizational resilience.
-
-The **Mitigation status** and **Mitigation status over time** shows the endpoint configuration status assessed based on the recommended mitigations.
+### Organizational resilience
+Each report also includes cards that provide an overview of how resilient your organization can be against a given threat:
+- **Mitigation status** — shows the number of machines that have and have not applied mitigations for the threat. Machines are considered mitigated if they have all the measurable mitigations in place.
+- **Vulnerability patching status** — shows the number of machines that have applied security updates or patches that address vulnerabilities exploited by the threat.
+- **Mitigation recommendations** — lists specific actionable recommendations to improve your visibility into the threat and increase your organizational resilience. This card lists only measurable mitigations along with the number of machines that don't have these mitigations in place.
>[!IMPORTANT]
->- The chart only reflects mitigations that are measurable and where an evaluation can be made on the machine state as being compliant or non-compliant. There can be additional mitigations or compliance actions that currently cannot be computed or measured that are not reflected in the charts and are covered in the threat description under **Mitigation recommendations** section.
->- Even if all mitigations were measurable, there is no absolute guarantee of complete resilience but reflects the best possible actions that need to be taken to improve resiliency.
-
-
+>- Charts only reflect mitigations that are measurable, meaning an evaluation can be made on whether a machine has applied the mitigations or not. Check the report overview for additional mitigations that are not reflected in the charts.
+>- Even if all mitigations were measurable, they don't guarantee complete resilience. They reflect the best possible actions needed to improve resiliency.
>[!NOTE]
->The Unavailable category indicates that there is no data available from the specific machine yet.
-
-
+>Machines are counted as "unavailable" if they have been unable to transmit data to the service.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 5d53cdeabf..e3f2bdf6ef 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -1,108 +1,156 @@
----
-title: Threat & Vulnerability Management scenarios
-ms.reviewer:
-description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when collaborating with IT Administrators and SecOps while protecting their organization from cybersecurity threats.
-keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Threat & Vulnerability Management scenarios
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
-## Before you begin
-Ensure that your machines:
-- Are onboarded to Microsoft Defender Advanced Threat Protection
-- Running with Windows 10 1709 (Fall Creators Update) or later
-- Have the following mandatory updates installed:
-- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)
-- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464)
-- Have at least one security recommendation that can be viewed in the machine page
-- Are tagged or marked as co-managed
-
-
-## Reduce your threat and vulnerability exposure
-Threat & Vulnerability Management introduces a new exposure score metric which visually represents how exposed your machines are to imminent threats.
-
-The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
-- Weaknesses, such as vulnerabilities and misconfigurations discovered on the device
-- External and internal threats such as public exploit code and security alerts
-- Likelihood of the device getting breached given its current security posture
-- Value of the device to the organization given its role and content
-
-The exposure score is broken down into the following levels:
-- 0 to 29: low exposure score
-- 30 to 69: medium exposure score
-- 70 to 100: high exposure score
-
-You can reduce the exposure score by remediating issues based on prioritized security recommendations. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
-
-To lower down your threat and vulnerability exposure:
-
-1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. This opens the **Security recommendation** page.
-
- >>
-
- >[!NOTE]
- > There are two types of recommendations:
- > - Security update which refers to recommendations that require a package installation
- > - Configuration change which refers to recommendations that require a registry or GPO modification
- > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon or the possible alert activity [possible alert activity](images/tvm_alert_icon.png) icon.
-
-2. In the **Security recommendations** page, you will see the description of what needs to be done and why. It shows the vulnerability details, such as the associated exploits affecting what machines and its business impact. Click **Open software page** option from the flyout menu. 
-
-3. Click **Installed machines** and select the affected machine from the list to open the flyout page with the relevant machine details, exposure and risk levels, alert and incident activities. 
-
-4. Click **Open machine page** to connect to the machine and apply the selected recommendation. 
-
-5. Allow a few hours for the changes to propagate in the system.
-
-6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate won't be listed there anymore, and the exposure score should decrease.
-
-## Improve your security configuration
->[!NOTE]
-> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). We’ll keep the secure score page available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page.
-
-Remediating issues in the security recommendations list will improve your configuration. As you do so, your configuration score improves, which means building your organization's resilience against cybersecurity threats and vulnerabilities stronger.
-
-1. From the Configuration score widget, select **Security controls**. This opens the **Security recommendations** page showing the list of issues related to security controls.
-
- >>
-
-2. Select the first item on the list. This opens the flyout menu with the description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
- 
-
-3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
-
- > >.
- >
- > You will see a confirmation message that the remediation task has been created.
- > 
-
-4. Save your CSV file.
- 
-
-5. Send a follow up email to your IT Administrator and allow the time that you have alloted for the remediation to propagate in the system.
-
-6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
-
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Configuration score](configuration-score.md)
-
+---
+title: Threat & Vulnerability Management scenarios
+description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when you collaborate with IT Administrators and SecOps as you protect your organization from cybersecurity threats.
+keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Threat & Vulnerability Management scenarios
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Before you begin
+Ensure that your machines:
+- Are onboarded to Microsoft Defender Advanced Threat Protection
+- Run with Windows 10 1709 (Fall Creators Update) or later
+
+>[!NOTE]
+>Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
+
+- Have the following mandatory updates installed:
+- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)
+- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464)
+- Are onboarded to Microsoft Intune and System Center Configuration Manager (SCCM). If you are use SCCM, update your console to the latest May version 1905
+- Have at least one security recommendation that can be viewed in the machine page
+- Are tagged or marked as co-managed
+
+
+## Reduce your threat and vulnerability exposure
+Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats.
+
+The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
+- Weaknesses, such as vulnerabilities discovered on the device
+- External and internal threats such as public exploit code and security alerts
+- Likelihood of the device to get breached given its current security posture
+- Value of the device to the organization given its role and content
+
+The exposure score is broken down into the following levels:
+- 0–29: low exposure score
+- 30–69: medium exposure score
+- 70–100: high exposure score
+
+You can remediate the issues based on prioritized security recommendations to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
+
+To lower down your threat and vulnerability exposure:
+
+1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. The **Security recommendation** page opens.
+
+ >>
+
+ >[!NOTE]
+ > There are two types of recommendations:
+ > - Security update which refers to recommendations that require a package installation
+ > - Configuration change which refers to recommendations that require a registry or GPO modification
+ > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon and possible active alert  icon.
+
+2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. 
+
+3. Click **Installed machines** and select the affected machine from the list to open the flyout panel with the relevant machine details, exposure and risk levels, alert and incident activities. 
+
+4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. 
+
+5. Allow a few hours for the changes to propagate in the system.
+
+6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
+
+## Improve your security configuration
+>[!NOTE]
+> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). The secure score page is available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page.
+
+You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
+
+1. From the Configuration score widget, select **Security controls**. The **Security recommendations** page opens and shows the list of issues related to security controls.
+
+ >
+
+2. Select the first item on the list. The flyout panel will open with a description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
+ 
+
+3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
+
+ >.
+
+ >You will see a confirmation message that the remediation task has been created.
+ >
+
+4. Save your CSV file.
+ 
+
+5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
+
+6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
+
+## Request a remediation
+>[!NOTE]
+>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
+
+The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow.
+
+Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
+
+1. Click a security recommendation you would like to request remediation for, and then click **Remediation options**.
+
+2. Select **Open a ticket in Intune (for AAD joined devices)**, select a due date, and add optional notes for the IT Administrator. Click **Submit request**.
+
+3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
+
+4. Go to the **Remediation** page to view the status of your remediation request.
+
+See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/atp-manage-vulnerabilities) for details.
+
+>[!NOTE]
+>If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.
+
+## File for exception
+With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request.
+
+There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons.
+
+Exceptions can be created for both *Security update* and *Configuration change* recommendations.
+
+When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
+
+
+1. Navigate to the **Security recommendations** page under the **Threat & Vulnerability Management** section menu.
+
+2. Click the top-most recommendation. A flyout panel opens with the recommendation details.
+
+3. Click **Exception options**.
+
+4. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
+
+5. Click **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
+
+6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
index 3275739c27..c745b29ece 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
@@ -35,7 +35,9 @@ Cyberforensic investigations often rely on time stamps to piece together the seq
Microsoft Defender ATP can display either Coordinated Universal Time (UTC) or local time.
-Your current time zone setting is shown in the Microsoft Defender ATP menu. You can change the displayed time zone in the **Time zone** menu .
+Your current time zone setting is shown in the Microsoft Defender ATP menu. You can change the displayed time zone in the **Time zone** menu.
+
+.
### UTC time zone
Microsoft Defender ATP uses UTC time by default.
@@ -56,7 +58,7 @@ To set the time zone:
1. Click the **Time zone** menu .
2. Select the **Timezone UTC** indicator.
-3. Select **Timezone UTC** or your local time zone, for example -7:00.
+3. Select **Timezone UTC** or your local time zone, for example -7:00.
### Regional settings
To apply different date formats for Microsoft Defender ATP, use regional settings for Internet Explorer (IE) and Microsoft Edge (Edge). If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
new file mode 100644
index 0000000000..c9f75c07aa
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
@@ -0,0 +1,56 @@
+---
+title: Troubleshoot Microsoft Defender ATP live response issues
+description: Troubleshoot issues that might arise when using live response in Microsoft Defender ATP
+keywords: troubleshoot live response, live, response, locked, file
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: troubleshooting
+---
+
+# Troubleshoot Microsoft Defender Advanced Threat Protection live response issues
+
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+
+This page provides detailed steps to troubleshoot live response issues.
+
+## File cannot be accessed during live response sessions
+If while trying to take an action during a live response session, you encounter an error message stating that the file can't be accessed, you'll need to use the steps below to address the issue.
+
+1. Copy the following script code snippet and save it as a PS1 file:
+
+ ```
+ $copied_file_path=$args[0]
+ $action=Copy-Item $copied_file_path -Destination $env:TEMP -PassThru -ErrorAction silentlyContinue
+
+ if ($action){
+ Write-Host "You copied the file specified in $copied_file_path to $env:TEMP Succesfully"
+ }
+
+ else{
+ Write-Output "Error occoured while trying to copy a file, details:"
+ Write-Output $error[0].exception.message
+
+ }
+ ```
+
+
+2. Add the script to the live response library.
+3. Run the script with one parameter: the file path of the file to be copied.
+4. Navigate to your TEMP folder.
+5. Run the action you wanted to take on the copied file.
+
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
index 3df5dd590d..3cd0504b1f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
@@ -19,7 +19,7 @@ ms.topic: troubleshooting
# Troubleshoot service issues
-This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
+This section addresses issues that might arise as you use the Microsoft Defender Advanced Threat service.
## Server error - Access is denied due to invalid credentials
If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md
index 800b62bffd..0cf451828c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md
@@ -25,7 +25,7 @@ Troubleshoot issues that might arise as you use Microsoft Defender ATP capabilit
Topic | Description
:---|:---
Troubleshoot sensor state | Find solutions for issues related to the Microsoft Defender ATP sensor
-Troubleshoot service issues | Fix issues related to the Windows Defender Advanced Threat service
+Troubleshoot service issues | Fix issues related to the Microsoft Defender Advanced Threat service
Troubleshoot attack surface reduction | Fix issues related to network protection and attack surface reduction rules
Troubleshoot next generation protection | If you encounter a problem with antivirus, you can search the tables in this topic to find a matching issue and potential solution
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 2f3d53c781..b25ce8e1e3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -1,7 +1,6 @@
---
title: What's in the dashboard and what it means for my organization's security posture
-ms.reviewer:
-description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions in addressing cybersecurity threat vulnerabilities and building their organization's security resilience.
+description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions to address cybersecurity threat vulnerabilities and build their organization's security resilience.
keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -9,12 +8,12 @@ ms.prod: eADQiWindows 10XVcnh
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: ellevin
-author: levinec
+ms.author: dolmont
+author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Threat & Vulnerability Management dashboard overview
@@ -22,29 +21,25 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[!include[Prerelease information](prerelease.md)]
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable machine vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM)
- >[!NOTE]
- > Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks.
-
You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines
- Correlate EDR insights with endpoint vulnerabilities and process them
- Select remediation options, triage and track the remediation tasks
+- Select exception options and track active exceptions
## Threat & Vulnerability Management in Microsoft Defender Security Center
When you open the portal, you’ll see the main areas of the capability:
- 
+ 
- (1) Menu in the navigation pane
- (2) Threat & Vulnerability Management icon
@@ -55,23 +50,30 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
-(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, and **Software inventory**.
-**Dashboards** | Get a high-level view of the organization exposure score, MDATP configuration score, top remediation activities, top security recommendations, top vulnerable software, and top exposed machines data.
-**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, and have the option to open the software page, and see the remediation options.
-**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV.
-**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the vulnerabilities and misconfigurations associated and its machine and version distribution details.
-(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, **Top exposed machines**, and **Threat campaigns**.
-**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down your organization’s exposure score to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
-**MDATP Configuration score** | See the security posture of your organization’s operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. You can click the bars and it will take you to the **Security recommendation** page for details.
-**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it will take you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, OS platform, its health state, when it was last seen, and its tags.
-**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts , associated public exploits , and recommendation insights . You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
+(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**.
+**Dashboards** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
+**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
+**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
+**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
+**Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information.
+(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**.
+**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data that you want to see in the dashboard and widgets by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages only.
+**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. See [Exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score) for more information.
+**Organization Configuration score** | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. You can click the bars and it takes you to the **Security recommendation** page for details. See [Configuration score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score) for more information.
+**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it takes you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
+**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts , associated public exploits , and recommendation insights . You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page.
-**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities.
+**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities, and active exceptions.
**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
new file mode 100644
index 0000000000..f6488ecbd0
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -0,0 +1,48 @@
+---
+title: Exposure score
+description: Your exposure level reflects how vulnerable your organization is to cybersecurity threats. Apply the Threat & Vulnerability Management security recommendations to keep your exposure level low.
+keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 06/30/2019
+---
+# Exposure score
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Your exposure score reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation.
+
+The widget also gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further.
+
+
+
+## How it works
+
+Several factors affect your organization exposure score:
+- Weakness discovered on the device
+- Likelihood of a device getting breached
+- Value of the device to the organization
+- Relevant alert discovered on the device
+
+Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details.
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
new file mode 100644
index 0000000000..6e208209cb
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -0,0 +1,66 @@
+---
+title: Remediation
+description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
+keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+# Remediation
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>[!NOTE]
+>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
+
+After your organization's cybersecurity weaknesses are identified and mapped to actionable security recommendations, you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
+
+You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
+
+## Navigate through your remediation options
+You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard.
+1. From the flyout panel, you'll see the security recommendation details including your next steps. Click **Remediation options**.
+2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**.
+
+>[!NOTE]
+>If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune.
+
+3. Select a remediation due date.
+4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance.
+
+If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
+
+## How it works
+
+When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity.
+
+It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune.
+
+You also have the option to export all remediation activity data to CSV for records, reporting purposes, or if you want to notify your IT administration counterpart that a remediation ticket has been submitted.
+
+The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task.
+
+However, if the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The exceptions you've filed will also show up in the **Remediation** page, in the **Exceptions** tab.
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendation](tvm-security-recommendation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
new file mode 100644
index 0000000000..a866f2ef4f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -0,0 +1,66 @@
+---
+title: Security recommendation
+description: The weaknesses identified in the environment are mapped to actionable security recommendations and prioritized by their impact on the organizational exposure score.
+keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+# Security recommendation
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+The cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance.
+
+Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and SCCM. It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collect information from your environment.
+
+## The basis of the security recommendation
+Each machine in the organization is scored based on three important factors: threat, likelihood to be breached, and value, to help customers to focus on the right things at the right time.
+
+- Threat - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the correponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
+
+- Breach likelihood - Your organization's security posture and resilience against threats
+
+- Business value - Your organization's assets, critical processes, and intellectual properties
+
+
+## Navigate through your security recommendations
+You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need as you require it.
+
+There are security recommendations for application, operating system, network, accounts, and security controls.
+
+In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
+
+The top security recommendations lists down the improvement opportunities prioritized based on the three important factors mentioned in the previous section - threat, likelihood to be breached, and value.
+
+You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, how many exposed devices are associated with the security recommendation, vulnerabilities, and other threats.
+
+From that page, you can do any of the following depending on what you need to do:
+
+- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, and charts so you can see the exposure trend over time.
+
+- Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
+
+- Choose from exception options - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive.
+
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
new file mode 100644
index 0000000000..6954b3f5d6
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -0,0 +1,44 @@
+---
+title: Software inventory
+description: Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the software inventory page. You can see the name of the product, vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected.
+keywords: microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+# Software inventory
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
+
+## Navigate through your software inventory
+1. Select **Software inventory** from the Threat & Vulnerability management navigation menu.
+2. In the **Software inventory** page, select the application that you want to investigate and a flyout panel opens up with the software details, vendor information, prevalence in the organization, exposed machines, threat context, and its impact to your organization's exposure score.
+3. In the flyout panel, select **Open software page** to dive deeper into your software inventory. You will see how many weaknesses are discovered with the application, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
+
+## How it works
+In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment.
+
+Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular application is connected to a live campaign. It also provides a link to a Threat Analytics report soon as it's available.
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendation](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
new file mode 100644
index 0000000000..108aef13b2
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -0,0 +1,78 @@
+---
+title: Weaknesses
+description: The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, breach, and threat insights.
+keywords: mdatp threat & vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+# Weaknesses
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
+
+The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights.
+
+## Navigate through your organization's weaknesses page
+You can see the list of vulnerabilities in three ways:
+
+*Vulnerabilities in global search*
+1. Click the global search drop-down menu.
+2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then click the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
+
+3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
+
+>[!NOTE]
+>To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
+
+*Weaknesses page in the menu*
+1. Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open up the list of vulnerabilities found in your organization.
+2. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+
+*Top vulnerable software widget in the dashboard*
+1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.
+
+2. Click the software that you want to investigate and it takes you to the software page. You will the weaknesses found in your machine per severity level, in which machines are they installed, version distribution, and the corresponding security recommendation.
+3. Select the **Discovered vulnerabilities** tab.
+4. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+
+## How it works
+When new vulnerabilities are released, you would want know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page.
+
+If the **Exposed Machines** column shows 0, that means you are not infected.
+
+If there's a number in the **Exposed Machines**, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk.
+
+You can also see the related alert and threat insights in the **Threat** column.
+
+The breach insights icons are highlighted if there are active alerts associated with the vulnerability found in your organization.
+
+
+The threat insights icons are highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is connected to specific campaign for which, Threat Analytics report links are provided that you can read.
+
+
+ >[!NOTE]
+ > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon and possible active alert  icon.
+
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendation](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
index f6465788fd..c3753c466c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
@@ -42,6 +42,8 @@ On the top navigation you can:
## Sort and filter the incidents queue
You can apply the following filters to limit the list of incidents and get a more focused view.
+### Severity
+
Incident severity | Description
:---|:---
High (Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on machines.
@@ -49,27 +51,17 @@ Medium (Orange) | Threats rarely observed in the organization, such as anom
Low (Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
Informational (Grey) | Informational incidents are those that might not be considered harmful to the network but might be good to keep track of.
+## Assigned to
+You can choose to filter the list by selecting assigned to anyone or ones that are assigned to you.
+
### Category
Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context.
-### Alerts
-Indicates the number of alerts associated with or part of the incidents.
-
-
-### Machines
-You can limit to show only the machines at risk which are associated with incidents.
-
-### Users
-You can limit to show only the users of the machines at risk which are associated with incidents.
-
-### Assigned to
-You can choose to show between unassigned incidents or those which are assigned to you.
-
### Status
-You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved
+You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved.
-### Classification
-Use this filter to choose between focusing on incidents flagged as true or false incidents.
+### Data sensitivity
+Use this filter to show incidents that contain sensitivity labels.
## Related topics
- [Incidents queue](incidents-queue.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index b25652932d..994b79b7b6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -28,6 +28,12 @@ The following features are generally available (GA) in the latest release of Mic
For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection).
+## June 2019
+
+- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
+
+- [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization.
+
## May 2019
- [Threat protection reports](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection)
The threat protection report provides high-level information about alerts generated in your organization.
@@ -35,7 +41,7 @@ For more information preview features, see [Preview features](https://docs.micro
- [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)
Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
-- [Indicators](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/ti-indicator)
APIs for indicators are now generally available.
+- [Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ti-indicator)
APIs for indicators are now generally available.
- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/partner-applications)
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
index bc76ebc546..af37ad2e44 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 06/27/2019
---
# Domain member: Disable machine account password changes
@@ -38,8 +38,20 @@ Verify that the **Domain member: Disable machine account password changes** opti
### Best practices
-1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions.
-2. Do not use this policy setting in an attempt to support dual-boot scenarios that use the same machine account. If you want to dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to make it easier for organizations that stockpile pre-built computers that are put into production months later; those devices do not have to be rejoined to the domain.
+1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions.
+2. Do not use this policy setting to try to support dual-boot scenarios that use the same machine account. If you want to configure dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to help organizations that stockpile pre-built computers that are put into production months later. Those devices do not have to be rejoined to the domain.
+3. You may want to consider using this policy setting in specific environments, such as the following:
+
+ - Non-persistent Virtual Desktop Infrastructure implementations. In such implementations, each session starts from a read-only base image.
+ - Embedded devices that do not have write access to the OS volume.
+
+ In either case, a password change that was made during normal operations would be lost as soon as the session ends. We strongly recommend that you plan password changes for maintenance windows. Add the password changes to the updates and modifications that Windows performs during maintenance windows. To trigger a password update on a specific OS volume, run the following command:
+
+ ```
+ Nltest /sc_change_pwd:
+ ```
+
+ In this command, \ represents the domain of the local computer. For more information about maintenance windows and non-persistent VDI implementations, see [Optimizing Windows 10, version 1803, for a Virtual Desktop Infrastructure (VDI) role: VDI optimization principles: Non-Persistent VDI](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-1803#vdi-optimization-principles).
### Location
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
index a9d641a335..b4f0324679 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 05/31/2018
+ms.date: 06/27/2019
---
# Domain member: Maximum machine account password age
@@ -28,20 +28,22 @@ Describes the best practices, location, values, and security considerations for
The **Domain member: Maximum machine account password age** policy setting determines when a domain member submits a password change.
-In Active Directory–based domains, each device has an account and password. By default, the domain members submit a password change every 30 days. Increasing this interval significantly, or setting it to **0** so that a device no longer submits a password change, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts.
+In Active Directory–based domains, each device has an account and password. By default, the domain members submit a password change every 30 days. You can extend or reduce this interval. Additionally, you can use the **Domain member: Disable machine account password changes** policy to disable the password change requirement completely. However, before you consider this option, review the implications as described in [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md).
-For more information, see [Machine Account Password Process](https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/).
+> [!IMPORTANT]
+> Significantly increasing the password change interval (or disabling password changes) gives an attacker more time to undertake a brute-force password-guessing attack against one of the machine accounts.
+
+For more information, see [Machine Account Password Process](https://techcommunity.microsoft.com/t5/Ask-the-Directory-Services-Team/Machine-Account-Password-Process/ba-p/396026).
### Possible values
-- User-defined number of days between 0 and 999
-- Not defined.
+- User-defined number of days between 1 and 999, inclusive
+- Not defined
### Best practices
-1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days.
-Setting the value to fewer days can increase replication and impact domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would impact domain controllers in large organizations with many computers or slow links between sites.
-2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer starts after being offline more than 30 days, the Netlogon service will notice the password age and initiate a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer will not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days.
+1. We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
+2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer is turned on after being offline more than 30 days, the Netlogon service notices the password age and initiates a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer does not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and then configure the value for this policy setting to a greater number of days.
### Location
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index 66aa8cbcb8..8a376e6b4f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -32,16 +32,17 @@ For more information, see [article 977321](https://support.microsoft.com/kb/9773
The following table lists and explains the allowed encryption types.
-
-| Encryption type | Description and version support |
-|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES |
-| DES_CBC_MD5 | Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default. |
-| RC4_HMAC_MD5 | Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
-| AES128_HMAC_SHA1 | Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
-| AES256_HMAC_SHA1 | Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
-| Future encryption types | Reserved by Microsoft for additional encryption types that might be implemented. |
-
+
+| Encryption type | Description and version support |
+| - | - |
+| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES| by default.
+| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES by default. |
+| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2.|
+| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. |
+| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. |
+| Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.|
+
+
### Possible values
@@ -81,16 +82,17 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Windows Server 2008 R2 and Windows 7 do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running
-Windows Server 2008 R2 and Windows 7. You can also disable DES for your computers running Windows Vista and Windows Server 2008.
+Windows Server 2008 R2, Windows 7 and Windows 10, do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running
+Windows Server 2008 R2, Windows 7 and Windows 10. You can also disable DES for your computers running Windows Vista and Windows Server 2008.
### Countermeasure
-Do not configure this policy. This will force the computers running Windows Server 2008 R2 and Windows 7 to use the AES or RC4 cryptographic suites.
+Do not configure this policy. This will force the computers running Windows Server 2008 R2, Windows 7 and Windows 10 to use the AES or RC4 cryptographic suites.
### Potential impact
-If you do not select any of the encryption types, computers running Windows Server 2008 R2 and Windows 7 might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol.
+If you do not select any of the encryption types, computers running Windows Server 2008 R2, Windows 7 and Windows 10, might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol.
+
If you do select any encryption type, you will lower the effectiveness of encryption for Kerberos authentication but you will improve interoperability with computers running older versions of Windows.
Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
index f03034aac2..ba47760e7f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
@@ -41,7 +41,7 @@ MpCmdRun.exe [command] [-options]
| Command | Description |
|:--------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------|
| \-? **or** -h | Displays all available options for this tool |
-| \-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]] [-Timeout ] [-Cancel] | Scans for malicious software |
+| \-Scan [-ScanType #] [-File \ [-DisableRemediation] [-BootSectorScan]] [-Timeout \] [-Cancel] | Scans for malicious software |
| \-Trace [-Grouping #] [-Level #] | Starts diagnostic tracing |
| \-GetFiles | Collects support information |
| \-GetFilesDiagTrack | Same as Getfiles but outputs to temporary DiagTrack folder |
@@ -49,11 +49,11 @@ MpCmdRun.exe [command] [-options]
| \-RemoveDefinitions [-DynamicSignatures] | Removes only the dynamically downloaded Security intelligence |
| \-RemoveDefinitions [-Engine] | Restores the previous installed engine |
| \-SignatureUpdate [-UNC \| -MMPC] | Checks for new Security intelligence updates |
-| \-Restore [-ListAll \| [[-Name ] [-All] \| [-FilePath ]] [-Path ]] | Restores or lists quarantined item(s) |
+| \-Restore [-ListAll \| [[-Name \] [-All] \| [-FilePath \]] [-Path \]] | Restores or lists quarantined item(s) |
| \-AddDynamicSignature [-Path] | Loads dynamic Security intelligence |
| \-ListAllDynamicSignatures | Lists the loaded dynamic Security intelligence |
| \-RemoveDynamicSignature [-SignatureSetID] | Removes dynamic Security intelligence |
-| \-CheckExclusion -path | Checks whether a path is excluded |
+| \-CheckExclusion -path \ | Checks whether a path is excluded |
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index 5d16f8d6e6..6506a13f61 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -83,7 +83,7 @@ Open the Intune management portal either by searching for Intune on https://port
1. Description: *Optional*
1. OMA-URI: **./Vendor/MSFT/Defender/SharedSignatureRoot**
1. Data type: **String**
- 1. Value: **\\\wdav-update\** (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be)
+ 1. Value: **\\\wdav-update\** (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be)
1. Click **Ok** to close the details blade, then **OK** again to close the **Custom OMA-URI Settings** blade. Click **Create** to save the new profile. The profile details page now appears.
1. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. Click the **VDI test VMs** group and then **Select**.
1. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesn’t make sense, go back to the groups blade and confirm the group contains the right users or devices.
@@ -94,7 +94,7 @@ Open the Intune management portal either by searching for Intune on https://port
1. In the **Group Policy Management Editor** go to **Computer configuration**.
1. Click **Administrative templates**.
1. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**
-1. Double-click Define security intelligence location for VDI clients and set the option to Enabled. A field automatically appears, enter *\\\wdav-update *(see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be). Click **OK**.
+1. Double-click Define security intelligence location for VDI clients and set the option to Enabled. A field automatically appears, enter *\\\wdav-update *(see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be). Click **OK**.
1. Deploy the GPO to the VMs you want to test.
#### Use PowerShell to enable the shared security intelligence feature:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index 4bbfd25108..83abf9cc69 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -92,7 +92,7 @@ Use the following cmdlets to enable cloud-delivered protection:
```PowerShell
Set-MpPreference -MAPSReporting Advanced
-Set-MpPreference -SubmitSamplesConsent Always
+Set-MpPreference -SubmitSamplesConsent AlwaysPrompt
```
>[!NOTE]
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_32_Main_App_Fix.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_32_Main_App_Fix.png
index 1d68a3dcce..9c347679fe 100644
Binary files a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_32_Main_App_Fix.png and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_32_Main_App_Fix.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png
index 2cb9a5a416..1fba4fa7f5 100644
Binary files a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
index cb39ebc506..a76cb6ae4a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
@@ -119,11 +119,11 @@ Use the following PowerShell cmdlets to set the update order.
```PowerShell
Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}
-Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce {\\UNC SHARE PATH|\\UNC SHARE PATH}
+Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\UNC SHARE PATH}
```
See the following for more information:
- [Set-MpPreference -SignatureFallbackOrder](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturefallbackorder)
-- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources)
+- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSource](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources)
- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
- [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
@@ -133,7 +133,7 @@ Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com
```WMI
SignatureFallbackOrder
-SignatureDefinitionUpdateFileSharesSouce
+SignatureDefinitionUpdateFileSharesSource
```
See the following for more information:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
index da0118cedb..5b0a86a447 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
@@ -22,21 +22,23 @@ ms.topic: conceptual
**Applies to:**
-[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
->[!IMPORTANT]
->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+This topic describes how to deploy Microsoft Defender ATP for Mac manually. A successful deployment requires the completion of all of the following steps:
+- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
+- [Application installation](#application-installation)
+- [Client configuration](#client-configuration)
## Prerequisites and system requirements
-Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
## Download installation and onboarding packages
Download the installation and onboarding packages from Windows Defender Security Center:
1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
-2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**.
+2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**.
3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
@@ -76,18 +78,18 @@ To complete this process, you must have admin privileges on the machine.
-The installation will proceed.
+The installation proceeds.
> [!NOTE]
> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but real-time protection will be disabled.
-### Fixing disabled Real Time Protection
+### Fixing disabled Real-Time Protection
-If you did not enable Microsoft's driver during installation, then Defender's application will display a banner prompting you to enable it:
+If you did not enable Microsoft's driver during installation, then the application displays a banner prompting you to enable it:
-You can also run ```mdatp --health```. It will report if Real Time Protection is enabled but not available:
+You can also run ```mdatp --health```. It reports if Real-Time Protection is enabled but not available:
```bash
mavel-mojave:~ testuser$ mdatp --health
@@ -98,15 +100,15 @@ realTimeProtectionEnabled : true
```
> [!NOTE]
-> You have a 30 minute window to enable Real Time Protection from the warning banner, immediately following installation.
+> You have a 30 minute window to enable Real-Time Protection from the warning banner, immediately following installation.
-The warning banner containing a **Fix** button, which allows you to quickly enable Real Time Protection, without having to open a command prompt. Select the **Fix** button. It will prompt the **Security & Privacy** system window, where you will have to **Allow** system software from developers "Microsoft Corporation".
+The warning banner contains a **Fix** button, which allows you to quickly enable Real-Time Protection, without having to open a command prompt. Select the **Fix** button. It prompts the **Security & Privacy** system window, where you have to **Allow** system software from developers "Microsoft Corporation".
-If you don't see a prompt, it means that 30 or more minutes have already passed, and Real Time Protection has still not been enabled:
+If you don't see a prompt, it means that 30 or more minutes have already passed, and Real-Time Protection has still not been enabled:
-In this case, you will need to perform the following steps to enable Real Time Protection instead.
+In this case, you need to perform the following steps to enable Real-Time Protection instead.
1. In Terminal, attempt to install the driver. (The operation will fail)
```bash
@@ -126,7 +128,7 @@ In this case, you will need to perform the following steps to enable Real Time P
mavel-mojave:~ testuser$ sudo kextutil /Library/Extensions/wdavkext.kext
```
-The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real Time Protection is both enabled and available:
+The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real-Time Protection is both enabled and available:
```bash
mavel-mojave:~ testuser$ mdatp --health
@@ -140,7 +142,7 @@ realTimeProtectionEnabled : true
1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac.
- The client machine is not associated with orgId. Note that the orgid is blank.
+ The client machine is not associated with orgId. Note that the *orgId* attribute is blank.
```bash
mavel-mojave:wdavconfig testuser$ mdatp --health orgId
@@ -153,7 +155,7 @@ realTimeProtectionEnabled : true
Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
```
-3. Verify that the machine is now associated with orgId:
+3. Verify that the machine is now associated with your organization and reports a valid *orgId*:
```bash
mavel-mojave:wdavconfig testuser$ mdatp --health orgId
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
index 4a6531ad42..da2a6a8dcd 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
@@ -22,21 +22,24 @@ ms.topic: conceptual
**Applies to:**
-[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
->[!IMPORTANT]
->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment requires the completion of all of the following steps:
+- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
+- [Client device setup](#client-device-setup)
+- [Create System Configuration profiles](#create-system-configuration-profiles)
+- [Publish application](#publish-application)
## Prerequisites and system requirements
-Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**.
-2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android** and the deployment method to **Mobile Device Management / Microsoft Intune**.
+2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS, or Android** and the deployment method to **Mobile Device Management / Microsoft Intune**.
3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
@@ -85,19 +88,19 @@ Download the installation and onboarding packages from Microsoft Defender Securi
You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
-1. You'll be asked to confirm device management.
+1. You are asked to confirm device management.
-Select **Open System Preferences**, locate **Management Profile** on the list and select **Approve...**. Your Management Profile would be displayed as **Verified**:
+Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
2. Select **Continue** and complete the enrollment.
-You may now enroll additional devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
+You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
-3. In Intune, open **Manage** > **Devices** > **All devices**. You'll see your device among those listed:
+3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
@@ -105,17 +108,17 @@ You may now enroll additional devices. You can also enroll them later, after you
1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
-3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above.
+3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
4. Select **OK**.
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
-6. Repeat steps 1 through 5 for additional profiles.
+6. Repeat steps 1 through 5 for more profiles.
7. Create a new profile one more time, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
8. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
-Once the Intune changes are propagated to the enrolled devices, you'll see them listed under **Monitor** > **Device status**:
+Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
@@ -125,7 +128,10 @@ Once the Intune changes are propagated to the enrolled devices, you'll see them
2. Select **App type=Other/Line-of-business app**.
3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
4. Select **Configure** and add the required information.
-5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any arbitrary value.
+5. Use **macOS Sierra 10.12** as the minimum OS and set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
+
+ > [!CAUTION]
+ > Failure to set *Ignore app version* to **Yes** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md) for additional information about how the product is updated.
@@ -138,11 +144,11 @@ Once the Intune changes are propagated to the enrolled devices, you'll see them
8. Change **Assignment type** to **Required**.
-9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
+9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
-10. After some time the application will be published to all enrolled devices. You'll see it listed on **Monitor** > **Device**, under **Device install status**:
+10. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
@@ -153,7 +159,7 @@ Once the Intune changes are propagated to the enrolled devices, you'll see them
-2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that we added in Intune.:
+2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune:
3. You should also see the Microsoft Defender icon in the top-right corner:
@@ -162,7 +168,7 @@ Once the Intune changes are propagated to the enrolled devices, you'll see them
## Logging installation issues
-See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
+For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) .
## Uninstallation
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
index a0c446dd3f..44f2ed7150 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
@@ -22,10 +22,14 @@ ms.topic: conceptual
**Applies to:**
-[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
->[!IMPORTANT]
->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps:
+- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
+- [Create JAMF policies](#create-jamf-policies)
+- [Client device setup](#client-device-setup)
+- [Deployment](#deployment)
+- [Check onboarding status](#check-onboarding-status)
## Prerequisites and system requirements
@@ -60,7 +64,7 @@ Download the installation and onboarding packages from Windows Defender Security
mavel-macmini:Downloads test$
```
-## Create JAMF Policies
+## Create JAMF policies
You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client devices.
@@ -76,7 +80,7 @@ To set the onboarding information, add a property list file with the name, _jamf
>[!IMPORTANT]
> You must set the Preference Domain as "com.microsoft.wdav.atp"
- 
+
### Approved Kernel Extension
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md
index f994a4d7d4..91a5f56395 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md
@@ -1,6 +1,6 @@
---
title: Installing Microsoft Defender ATP for Mac with different MDM product
-description: Describes how to install Microsoft Defender ATP for Mac, using an unsupported MDM solution.
+description: Describes how to install Microsoft Defender ATP for Mac on other management solutions.
keywords: microsoft, defender, atp, mac, installation, deploy, macos, mojave, high sierra, sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -17,65 +17,63 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Deployment with a different MDM system
+# Deployment with a different Mobile Device Management (MDM) system
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->[!IMPORTANT]
->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
## Prerequisites and system requirements
-Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
## Approach
-Your organization may use a Mobile Device Management (MDM) solution we do not officially support.
-This does not mean you will be unable to deploy or run Microsoft Defender ATP for Mac.
-However, we will not be able to provide support for deploying or managing Defender via these solutions.
+> [!CAUTION]
+> Currently, Microsoft oficially supports only Intune and JAMF for the deployment and management of Microsoft Defender ATP for Mac. Microsoft makes no warranties, express or implied, with respect to the information provided below.
+
+If your organization uses a Mobile Device Management (MDM) solution that is not officially supported, this does not mean you are unable to deploy or run Microsoft Defender ATP for Mac.
Microsoft Defender ATP for Mac does not depend on any vendor-specific features. It can be used with any MDM solution that supports the following features:
-- Deploying a macOS .pkg to managed machines.
-- Deploying macOS system configuration profiles to managed machines.
-- Running an arbitrary admin-configured tool/script on managed machines.
+- Deploy a macOS .pkg to managed machines.
+- Deploy macOS system configuration profiles to managed machines.
+- Run an arbitrary admin-configured tool/script on managed machines.
-The majority of modern MDM solutions include these features, however, they may call them differently.
+Most modern MDM solutions include these features, however, they may call them differently.
-You can deploy Defender without the last requirement from the list above, however:
+You can deploy Defender without the last requirement from the preceding list, however:
-- You won't be able to collect status in a centralized way
-- If you decide to uninstall Defender, you'll need to logon to the client machine locally as an administrator
+- You will not be able to collect status in a centralized way
+- If you decide to uninstall Defender, you will need to logon to the client machine locally as an administrator
## Deployment
-Most MDM solution use the same model for managing macOS machines, with similar terminology.
-Use [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) as a template.
+Most MDM solutions use the same model for managing macOS machines, with similar terminology. Use [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) as a template.
### Package
Configure deployment of a [required application package](microsoft-defender-atp-mac-install-with-jamf.md#package),
-with the installation package (wdav.pkg) downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
+with the installation package (wdav.pkg) downloaded from [Microsoft Defender Security Center](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
-Your MDM solution can allow you uploading of an arbitrary application package, or require you to wrap it into a custom package first.
+In order to deploy the package to your enterprise, use the instructions associated with your MDM solution.
### License settings
-Setup [a system configuration profile](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile).
+Set up [a system configuration profile](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile).
Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender ATP for Mac is not part of macOS.
-Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can extracted from an onboarding package downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
-Your system may support an arbitrary property list in XML format. You can just upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
+Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
+Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
Alternatively, it may require you to convert the property list to a different format first.
-Note that your custom profile would have an id, name or domain attribute. You must use exactly "com.microsoft.wdav.atp".
-MDM will use it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client machine, and Defender will use this file for loading onboarding info.
+Typically, your custom profile has an id, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
+MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client machine, and Defender uses this file for loading the onboarding information.
-### KEXT
+### Kernel extension policy
-Setup a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to whitelist kernel extensions provided by Microsoft.
+Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to whitelist kernel extensions provided by Microsoft.
-## Was it successful?
+## Check installation status
-Run [mdatp](microsoft-defender-atp-mac-install-with-jamf.md#check-onboarding-status) on a client machine.
+Run [mdatp](microsoft-defender-atp-mac-install-with-jamf.md#check-onboarding-status) on a client machine to check the onboarding status.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
new file mode 100644
index 0000000000..856b617100
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
@@ -0,0 +1,364 @@
+---
+title: Set preferences for Microsoft Defender ATP for Mac
+ms.reviewer:
+description: Describes how to configure Microsoft Defender ATP for Mac in enterprises.
+keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, mojave, high sierra, sierra
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Set preferences for Microsoft Defender ATP for Mac
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+>[!IMPORTANT]
+>This topic contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise environments. If you are interested in configuring the product on a device from the command-line, please refer to the [Resources](microsoft-defender-atp-mac-resources.md#configuring-from-the-command-line) page.
+
+In enterprise environments, Microsoft Defender ATP for Mac can be managed through a configuration profile. This profile is deployed from management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
+
+This topic describes the structure of this profile (including a recommended profile that you can use to get started) and instructions for how to deploy the profile.
+
+## Configuration profile structure
+
+The configuration profile is a .plist file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences.
+
+The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
+
+### Antivirus engine preferences
+
+The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of the product.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | antivirusEngine |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+#### Enable / disable real-time protection
+
+Whether real-time protection (scan files as they are accessed) is enabled or not.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | enableRealTimeProtection |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+#### Scan exclusions
+
+Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | exclusions |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+**Type of exclusion**
+
+Specifies the type of content excluded from the scan.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | $type |
+| **Data type** | String |
+| **Possible values** | excludedPath
excludedFileExtension
excludedFileName |
+
+**Path to excluded content**
+
+Used to exclude content from the scan by full file path.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | path |
+| **Data type** | String |
+| **Possible values** | valid paths |
+| **Comments** | Applicable only if *$type* is *excludedPath* |
+
+**Path type (file / directory)**
+
+Indicates if the *path* property refers to a file or directory.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | isDirectory |
+| **Data type** | Boolean |
+| **Possible values** | false (default)
true |
+| **Comments** | Applicable only if *$type* is *excludedPath* |
+
+**File extension excluded from the scan**
+
+Used to exclude content from the scan by file extension.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | extension |
+| **Data type** | String |
+| **Possible values** | valid file extensions |
+| **Comments** | Applicable only if *$type* is *excludedFileExtension* |
+
+**Name of excluded content**
+
+Used to exclude content from the scan by file name.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | name |
+| **Data type** | String |
+| **Possible values** | any string |
+| **Comments** | Applicable only if *$type* is *excludedFileName* |
+
+#### Threat type settings
+
+The *threatTypeSettings* preference in the antivirus engine is used to control how certain threat types are handled by the product.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | threatTypeSettings |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+**Threat type**
+
+Type of the threat for which the behavior is configured.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | key |
+| **Data type** | String |
+| **Possible values** | potentially_unwanted_application
archive_bomb |
+
+**Action to take**
+
+Action to take when coming across a threat of the type specified in the preceding section. Can be:
+
+- **Audit**: your device is not protected against this type of threat, but an entry about the threat is logged.
+- **Block**: your device is protected against this type of threat and you are notified in the user interface and the security console.
+- **Off**: your device is not protected against this type of threat and nothing is logged.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | value |
+| **Data type** | String |
+| **Possible values** | audit (default)
block
off |
+
+### Cloud delivered protection preferences
+
+The *cloudService* entry in the configuration profile is used to configure the cloud driven protection feature of the product.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | cloudService |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+#### Enable / disable cloud delivered protection
+
+Whether cloud delivered protection is enabled on the device or not. To improve the security of your services, we recommend keeping this feature turned on.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | enabled |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+#### Diagnostic collection level
+
+Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | diagnosticLevel |
+| **Data type** | String |
+| **Possible values** | optional (default)
required |
+
+#### Enable / disable automatic sample submissions
+
+Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. You are prompted if the submitted file is likely to contain personal information.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | automaticSampleSubmission |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+## Recommended configuration profile
+
+To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
+
+The following configuration profile will:
+- Enable real-time protection (RTP)
+- Specify how the following threat types are handled:
+ - **Potentially unwanted applications (PUA)** are blocked
+ - **Archive bombs** (file with a high compression rate) are audited to the product logs
+- Enable cloud delivered protection
+- Enable automatic sample submission
+
+```XML
+
+
+
+
+ antivirusEngine
+
+ enableRealTimeProtection
+
+ threatTypeSettings
+
+
+ key
+ potentially_unwanted_application
+ value
+ block
+
+
+ key
+ archive_bomb
+ value
+ audit
+
+
+
+ cloudService
+
+ enabled
+
+ automaticSampleSubmission
+
+
+
+
+```
+
+## Full configuration profile example
+
+The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product.
+
+```XML
+
+
+
+
+ antivirusEngine
+
+ enableRealTimeProtection
+
+ exclusions
+
+
+ $type
+ excludedPath
+ isDirectory
+
+ path
+ /var/log/system.log
+
+
+ $type
+ excludedPath
+ isDirectory
+
+ path
+ /home
+
+
+ $type
+ excludedFileExtension
+ extension
+ pdf
+
+
+ allowedThreats
+
+ eicar
+
+ threatTypeSettings
+
+
+ key
+ potentially_unwanted_application
+ value
+ block
+
+
+ key
+ archive_bomb
+ value
+ audit
+
+
+
+ cloudService
+
+ enabled
+
+ diagnosticLevel
+ optional
+ automaticSampleSubmission
+
+
+
+
+```
+
+## Configuration profile deployment
+
+Once you've built the configuration profile for your enterprise, you can deploy it through the management console that your enterprise is using. The following sections provide instructions on how to deploy this profile using JAMF and Intune.
+
+### JAMF deployment
+
+From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with *com.microsoft.wdav* as the preference domain and upload the .plist produced earlier.
+
+>[!CAUTION]
+>You must enter the correct preference domain (*com.microsoft.wdav*), otherwise the preferences will not be recognized by the product.
+
+### Intune deployment
+
+1. Open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+
+2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select Configure.
+
+3. Save the .plist produced earlier as **com.microsoft.wdav.xml**.
+
+4. Enter **com.microsoft.wdav** as the **custom configuration profile name**.
+
+5. Open the configuration profile and upload **com.microsoft.wdav.xml**. This file was created in step 3.
+
+6. Select **OK**.
+
+7. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
+
+>[!CAUTION]
+>You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
+
+## Resources
+
+- [Configuration Profile Reference (Apple developer documentation)](https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md
new file mode 100644
index 0000000000..eb3359531d
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md
@@ -0,0 +1,264 @@
+---
+title: Privacy for Microsoft Defender ATP for Mac
+ms.reviewer:
+description: Describes privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Mac.
+keywords: microsoft, defender, atp, mac, privacy, diagnostic
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Privacy for Microsoft Defender ATP for Mac
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Microsoft Defender ATP for Mac.
+
+This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected.
+
+## Overview of privacy controls in Microsoft Defender ATP for Mac
+
+This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Mac.
+
+### Diagnostic data
+
+Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements.
+
+Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations.
+
+There are two levels of diagnostic data for Microsoft Defender ATP client software that you can choose from:
+
+* **Required**: The minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and performing as expected on the device it’s installed on.
+
+* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
+
+By default, both optional and required diagnostic data are sent to Microsoft.
+
+### Cloud delivered protection data
+
+Cloud delivered protection is used to provide increased and faster protection with access to the latest protection data in the cloud.
+
+Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
+
+### Sample data
+
+Sample data is used to improve the protection capabilities of the product, by sending Microsoft suspicious samples so they can be analyzed. Enabling automatic sample submission is optional.
+
+When this feature is enabled and the sample that is collected is likely to contain personal information, the user is prompted for consent.
+
+## Manage privacy controls with policy settings
+
+If you're an IT administrator, you might want to configure these controls at the enterprise level.
+
+The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
+
+As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization.
+
+## Diagnostic data events
+
+This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected.
+
+### Data fields that are common for all events
+There is some information about events that is common to all events, regardless of category or data subtype.
+
+The following fields are considered common for all events:
+
+| Field | Description |
+| ----------------------- | ----------- |
+| platform | The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized. |
+| machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
+| sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
+| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. |
+| hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
+| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. |
+| app_version | Version of the Microsoft Defender ATP for Mac application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
+| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. |
+| supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. |
+| release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. |
+
+
+### Required diagnostic data
+
+**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and perform as expected on the device it’s installed on.
+
+Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender ATP feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender ATP features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced.
+
+#### Software setup and inventory data events
+
+**Microsoft Defender ATP installation / uninstallation**
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| correlation_id | Unique identifier associated with the installation. |
+| version | Version of the package. |
+| severity | Severity of the message (for example Informational). |
+| code | Code that describes the operation. |
+| text | Additional information associated with the product installation. |
+
+**Microsoft Defender ATP configuration**
+
+The following fields are collected:
+
+| Field | Description |
+| --------------------------------------------------- | ----------- |
+| antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. |
+| cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. |
+| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. |
+| cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. |
+| cloud_service.service_uri | URI used to communicate with the cloud. |
+| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). |
+| cloud_service.automatic_sample_submission | Whether automatic sample submission is turned on or not. |
+| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |
+
+#### Product and service performance data events
+
+**Kernel extension statistics**
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| version | Version of Microsoft Defender ATP for Mac. |
+| instance_id | Unique identifier generated on kernel extension startup. |
+| trace_level | Trace level of the kernel extension. |
+| ipc.connects | Number of connection requests received by the kernel extension. |
+| ipc.rejects | Number of connection requests rejected by the kernel extension. |
+| ipc.connected | Whether there is any active connection to the kernel extension. |
+
+#### Support data
+
+**Diagnostic logs**
+
+Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs:
+
+- All files under */Library/Logs/Microsoft/mdatp/*
+- Subset of files under */Library/Application Support/Microsoft/Defender/* that are created and used by Microsoft Defender ATP for Mac
+- Subset of files under */Library/Managed Preferences* that are used by Microsoft Defender ATP for Mac
+
+### Optional diagnostic data
+
+**Optional diagnostic data** is additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and fix issues.
+
+If you choose to send us optional diagnostic data, required diagnostic data is also included.
+
+Examples of optional diagnostic data include data Microsoft collects about product configuration (for example number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product).
+
+#### Software setup and inventory data events
+
+**Microsoft Defender ATP configuration**
+
+The following fields are collected:
+
+| Field | Description |
+| -------------------------------------------------- | ----------- |
+| connection_retry_timeout | Connection retry time out when communication with the cloud. |
+| file_hash_cache_maximum | Size of the product cache. |
+| crash_upload_daily_limit | Limit of crash logs uploaded daily. |
+| antivirus_engine.exclusions[].is_directory | Whether the exclusion from scanning is a directory or not. |
+| antivirus_engine.exclusions[].path | Path that was excluded from scanning. |
+| antivirus_engine.exclusions[].extension | Extension excluded from scanning. |
+| antivirus_engine.exclusions[].name | Name of the file excluded from scanning. |
+| antivirus_engine.scan_cache_maximum | Size of the product cache. |
+| antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. |
+| antivirus_engine.threat_restoration_exclusion_time | Time out before a file restored from the quarantine can be detected again. |
+| filesystem_scanner.full_scan_directory | Full scan directory. |
+| filesystem_scanner.quick_scan_directories | List of directories used in quick scan. |
+| edr.latency_mode | Latency mode used by the detection and response component. |
+| edr.proxy_address | Proxy address used by the detection and response component. |
+
+**Microsoft Auto-Update configuration**
+
+The following fields are collected:
+
+| Field | Description |
+| --------------------------- | ----------- |
+| how_to_check | Determines how product updates are checked (for example automatic or manual). |
+| channel_name | Update channel associated with the device. |
+| manifest_server | Server used for downloading updates. |
+| update_cache | Location of the cache used to store updates. |
+
+### Product and service usage
+
+#### Diagnostic log upload started report
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| sha256 | SHA256 identifier of the support log. |
+| size | Size of the support log. |
+| original_path | Path to the support log (always under */Library/Application Support/Microsoft/Defender/wdavdiag/*). |
+| format | Format of the support log. |
+
+#### Diagnostic log upload completed report
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| request_id | Correlation ID for the support log upload request. |
+| sha256 | SHA256 identifier of the support log. |
+| blob_sas_uri | URI used by the application to upload the support log. |
+
+#### Product and service performance data events
+
+**Unexpected application exit (crash)**
+
+Unexpected application exits and the state of the application when that happens.
+
+**Kernel extension statistics**
+
+The following fields are collected:
+
+| Field | Description |
+| ------------------------------ | ----------- |
+| pkt_ack_timeout | The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup. |
+| pkt_ack_conn_timeout | |
+| ipc.ack_pkts | |
+| ipc.nack_pkts | |
+| ipc.send.ack_no_conn | |
+| ipc.send.nack_no_conn | |
+| ipc.send.ack_no_qsq | |
+| ipc.send.nack_no_qsq | |
+| ipc.ack.no_space | |
+| ipc.ack.timeout | |
+| ipc.ack.ackd_fast | |
+| ipc.ack.ackd | |
+| ipc.recv.bad_pkt_len | |
+| ipc.recv.bad_reply_len | |
+| ipc.recv.no_waiter | |
+| ipc.recv.copy_failed | |
+| ipc.kauth.vnode.mask | |
+| ipc.kauth.vnode.read | |
+| ipc.kauth.vnode.write | |
+| ipc.kauth.vnode.exec | |
+| ipc.kauth.vnode.del | |
+| ipc.kauth.vnode.read_attr | |
+| ipc.kauth.vnode.write_attr | |
+| ipc.kauth.vnode.read_ex_attr | |
+| ipc.kauth.vnode.write_ex_attr | |
+| ipc.kauth.vnode.read_sec | |
+| ipc.kauth.vnode.write_sec | |
+| ipc.kauth.vnode.take_own | |
+| ipc.kauth.vnode.denied | |
+| ipc.kauth.file_op.mask | |
+| ipc.kauth_file_op.open | |
+| ipc.kauth.file_op.close | |
+
+## Resources
+
+- [Privacy at Microsoft](https://privacy.microsoft.com/)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
index 8341a2e601..59485467ff 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
@@ -22,10 +22,7 @@ ms.topic: conceptual
**Applies to:**
-[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
-
->[!IMPORTANT]
->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
## Collecting diagnostic information
@@ -64,23 +61,13 @@ If you can reproduce a problem, please increase the logging level, run the syste
If an error occurs during installation, the installer will only report a general failure.
-The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
-
-## Upgrade
-
-We distribute our updates via Microsoft Auto Update (MAU). You can check for MAU settings in main application's menu (Help => Check For Product Updates...):
-
- 
-
-**Q**: Can MDATP for Mac be updated without MAU?
-
-**A**: In the current release, MDATP for Mac product updates are done via MAU. While advanced manageability experts may be able to set up the product updates without MAU, this scenario is not explicitly supported. We will monitor customer interest in this scenario to evaluate its importance relative to other product advancements.
+The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
## Uninstalling
There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune.
-### Within the GUI
+### Interactive uninstallation
- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**.
@@ -114,7 +101,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
In the Microsoft Defender ATP portal, you'll see two categories of information:
-- AV alerts, including:
+- Antivirus alerts, including:
- Severity
- Scan type
- Device information (hostname, machine identifier, tenant identifier, app version, and OS type)
@@ -133,7 +120,5 @@ In the Microsoft Defender ATP portal, you'll see two categories of information:
## Known issues
-- Not fully optimized for performance or disk space yet.
- Full Microsoft Defender ATP integration is not available yet.
-- Mac devices that switch networks may appear multiple times in the Microsoft Defender ATP portal.
- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md
new file mode 100644
index 0000000000..92ee617ff5
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md
@@ -0,0 +1,144 @@
+---
+title: Deploy updates for Microsoft Defender ATP for Mac
+ms.reviewer:
+description: Describes how to control updates for Microsoft Defender ATP for Mac in enterprise environments.
+keywords: microsoft, defender, atp, mac, updates, deploy
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Deploy updates for Microsoft Defender ATP for Mac
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+Microsoft regularly publishes software updates to improve performance, security, and to deliver new features.
+
+To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. By default, MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually.
+
+
+
+If you decide to deploy updates by using your software distribution tools, you should configure MAU to manually check for software updates. You can deploy preferences to configure how and when MAU checks for updates for the Macs in your organization.
+
+## Use msupdate
+
+MAU includes a command line tool, called *msupdate*, that is designed for IT administrators so that they have more precise control over when updates are applied. Instructions for how to use this tool can be found in [Update Office for Mac by using msupdate](https://docs.microsoft.com/en-us/deployoffice/mac/update-office-for-mac-using-msupdate).
+
+In MAU, the application identifier for Microsoft Defender ATP for Mac is *WDAV00*. To download and install the latest updates for Microsoft Defender ATP for Mac, execute the following command from a Terminal window:
+
+```
+./msupdate --install --apps wdav00
+```
+
+## Set preferences for Microsoft AutoUpdate
+
+This section describes the most common preferences that can be used to configure MAU. These settings can be deployed as a configuration profile through the management console that your enterprise is using. An example of a configuration profile is shown in the following sections.
+
+### Set the channel name
+
+The channel determines the type and frequency of updates that are offered through MAU. Devices in `InsiderFast` (corresponding to the Insider Fast channel) can try out new features before devices in `External` (corresponding to the Insider Slow channel) and `Production`.
+
+The `Production` channel contains the most stable version of the product.
+
+>[!TIP]
+>In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `InsiderFast` or `External`.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.autoupdate2 |
+| **Key** | ChannelName |
+| **Data type** | String |
+| **Possible values** | InsiderFast
External
Production |
+
+### Set update check frequency
+
+Change how often MAU searches for updates.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.autoupdate2 |
+| **Key** | UpdateCheckFrequency |
+| **Data type** | Integer |
+| **Default value** | 720 (minutes) |
+| **Comment** | This value is set in minutes. |
+
+### Change how MAU interacts with updates
+
+Change how MAU searches for updates.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.autoupdate2 |
+| **Key** | HowToCheck |
+| **Data type** | String |
+| **Possible values** | Manual
AutomaticCheck
AutomaticDownload |
+| **Comment** | Note that AutomaticDownload will do a download and install silently if possible. |
+
+### Disable Insider checkbox
+
+Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.autoupdate2 |
+| **Key** | DisableInsiderCheckbox |
+| **Data type** | Boolean |
+| **Possible values** | False (default)
True |
+
+### Limit the telemetry that is sent from MAU
+
+Set to false to send minimal heartbeat data, no application usage, and no environment details.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.autoupdate2 |
+| **Key** | SendAllTelemetryEnabled |
+| **Data type** | Boolean |
+| **Possible values** | True (default)
False |
+
+## Example configuration profile
+
+The following configuration profile is used to:
+- Place the device in the Insider Fast channel
+- Automatically download and install updates
+- Enable the "Check for updates" button in the user interface
+- Allow users on the device to enroll into the Insider channels
+
+```XML
+
+
+
+
+ ChannelName
+ InsiderFast
+ HowToCheck
+ AutomaticDownload
+ EnableCheckForUpdatesButton
+
+ DisableInsiderCheckbox
+
+ SendAllTelemetryEnabled
+
+
+
+```
+
+To configure MAU, you can deploy this configuration profile from the management tool that your enterprise is using:
+- From JAMF, upload this configuration profile and set the Preference Domain to *com.microsoft.autoupdate2*.
+- From Intune, upload this configuration profile and set the custom configuration profile name to *com.microsoft.autoupdate2*.
+
+## Resources
+
+- [msupdate reference](https://docs.microsoft.com/en-us/deployoffice/mac/update-office-for-mac-using-msupdate)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
index 6794868296..0510dc864b 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
@@ -20,60 +20,36 @@ ms.topic: conceptual
# Microsoft Defender Advanced Threat Protection for Mac
->[!IMPORTANT]
->This topic relates to the pre-release version of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac.
-This topic describes how to install and use Microsoft Defender ATP for Mac.
+> [!CAUTION]
+> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to lead to performance problems and unpredictable side effects.
-## What’s new in the public preview
+## What’s new in the latest release
-Since opening the limited preview, we've been working non-stop to enhance the product, by listening to customer feedback. We've reduced the time it takes for devices to appear in Microsoft Defender Security Center, immediately following deployment. We've improved threat handling, enhanced the user experience, and fixed bugs. Other updates to Microsoft Defender ATP for Mac include:
+Since the announcement of the public preview, Microsoft has been working non-stop to enhance the product, by listening to customer feedback. We've added management features and more granular controls for diagnostic data collection, refined the user experience, and fixed bugs.
-- Enhanced accessibility
-- Improved performance
-- improved client product health monitoring
-- Localization into 37 languages
-- Improved anti-tampering protections
-- Feedback and samples can now be submitted via the interface.
-- Product health can be queried with JAMF or the command line.
-- Admins can set their cloud preference for any location, not just for those in the US.
+If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to **Help** > **Send feedback**.
-## Installing and configuring
-
-There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
-
-In general you'll need to take the following steps:
-
-- Ensure you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal
-- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
- - Via the command line tool:
- - [Manual deployment](microsoft-defender-atp-mac-install-manually.md)
- - Via third party tools:
- - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md)
- - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md)
- - [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md)
-
-Whichever method you choose, you will first need to visit the onboarding page in the Microsoft Defender ATP portal.
+## How to install Microsoft Defender ATP for Mac
### Prerequisites
-You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine.
+- Access to the Microsoft Defender Security Center portal
+- Beginner-level experience in macOS and BASH scripting
+- Administrative privileges on the device (in case of manual deployment)
-You should also have access to Microsoft Defender Security Center.
-
-### System Requirements
-
-- macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra)
-- Disk space during preview: 1GB
-
-Beta versions of macOS are not supported.
+### System requirements
> [!CAUTION]
-> Running other third-party endpoint protection alongside Microsoft Defender ATP for Mac may lead to performance problems and unpredictable side effects.
+> The three most recent major releases of macOS are supported. Beta versions of macOS are not supported.
+
+- Supported macOS versions: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra)
+- Disk space: 650 MB
After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
-The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them:
+The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them:
| Service | Description | URL |
| -------------- | ------------------------------------ | -------------------------------------------------------------------- |
@@ -84,18 +60,45 @@ To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/ap
If you prefer the command line, you can also check the connection by running the following command in Terminal:
```bash
-testuser$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
-The output from this command should look like this:
+The output from this command should be similar to the following:
> `OK https://x.cp.wd.microsoft.com/api/report`
>
> `OK https://cdn.x.cp.wd.microsoft.com/ping`
+> [!CAUTION]
+> We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
-We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
+### Installation instructions
+
+There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
+
+In general you need to take the following steps:
+
+- Ensure that you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal
+- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
+ - Via third-party management tools:
+ - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md)
+ - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md)
+ - [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md)
+ - Via the command-line tool:
+ - [Manual deployment](microsoft-defender-atp-mac-install-manually.md)
+
+## How to update Microsoft Defender ATP for Mac
+
+Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used.
+
+To read more on how to configure MAU in enterprise environments, refer to [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md)
+
+## How to configure Microsoft Defender ATP for Mac
+
+Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
## Resources
-For additional information about logging, uninstalling, or known issues, see our [Resources](microsoft-defender-atp-mac-resources.md) page.
+- For more information about logging, uninstalling, or known issues, see the [Resources](microsoft-defender-atp-mac-resources.md) page.
+
+- [Privacy for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-privacy.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
index 81599231f8..a194696c88 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
@@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
@@ -22,7 +21,9 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you may encounter problems or issues.
+You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
+
+When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you might encounter problems or issues.
Typically, the most common indicators of a problem are:
- You only see a small number or subset of all the devices you were expecting to see
@@ -52,7 +53,9 @@ In order for devices to properly show up in Update Compliance, you have to meet
> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level).
> - It has been 3 days since all requirements have been met
-If the above pre-requisites have all been met, you may need to proceed to the next step to collect diagnostic information and send it to us.
+“You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
+
+If the above pre-requisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
> [!div class="nextstepaction"]
> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data-update-compliance.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
index a4c209b5bd..52e8586de1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
@@ -57,8 +57,7 @@ The table in this section lists the main Windows Defender Antivirus event IDs an
-
-
+
| Event ID: 1000 |
@@ -1687,7 +1686,7 @@ The Windows Defender Antivirus client attempted to download and install the late
To troubleshoot this event:
- Restart the computer and try again.
-- Download the latest definitions from the Windows Defender Security Intelligence site.
+
- Download the latest definitions from the Microsoft Security Intelligence site.
Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
- Contact Microsoft Technical Support.
@@ -2716,7 +2715,7 @@ This section provides the following information about Windows Defender Antivirus
Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes.
-
+
| Error code: 0x80508007 |
@@ -2758,7 +2757,7 @@ This error indicates that there might be a problem with your security product.
- Update the definitions. Either:
- Click the Update definitions button on the Update tab in Windows Defender Antivirus.
Or,
-- Download the latest definitions from the Windows Defender Security Intelligence site.
+
- Download the latest definitions from the Microsoft Security Intelligence site.
Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
@@ -2916,7 +2915,7 @@ The following error codes are used during internal testing of Windows Defender A
If you see these errors, you can try to [update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
-
+
| Internal error codes |
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index c33eca6f6f..294b63f287 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -26,6 +26,14 @@ The [Microsoft Component Object Model (COM)](https://docs.microsoft.com/windows/
Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
+**NOTE**: To add this functionality to other versions of Windows 10, you can install the following or later updates:
+
+- Windows 10, 1809 June 18, 2019—KB4501371 (OS Build 17763.592) (https://support.microsoft.com/help/4501371/windows-10-update-kb4501371)
+- Windows 10, 1803 June 18, 2019—KB4503288 (OS Build 17134.858) (https://support.microsoft.com/help/4503288/windows-10-update-kb4503288)
+- Windows 10, 1709 June 18, 2019—KB4503281 (OS Build 16299.1237) (https://support.microsoft.com/help/4503281/windows-10-update-kb4503281)
+- Windows 10, 1703 June 18, 2019—KB4503289 (OS Build 15063.1897) (https://support.microsoft.com/help/4503289/windows-10-update-kb4503289
+- Windows 10, 1607 June 18, 2019—KB4503294 (OS Build 14393.3053) (https://support.microsoft.com/help/4503294/windows-10-update-kb4503294)
+
### Get COM object GUID
Get GUID of application to allow in one of the following ways:
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index 6df51f6694..abc8820fab 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -75,5 +75,19 @@ Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and re
### Merging policies
-When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID , then regardless of what the GUIDS and types are for any subsequent policies, the merged policy will be a base policy with ID .
+When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDS and types are for any subsequent policies, the merged policy will be a base policy with ID \.
+### Deploying policies
+
+In order to deploy policies using the new multiple policy format you will need to:
+
+1. Ensure policies are copied to the right location
+ - Policies must be copied to this directory: C:\Windows\System32\CodeIntegrity\CiPolicies\Active
+2. Binary policy files must have the correct name which takes the format {PolicyGUID}.cip
+ - Ensure that the name of the binary policy file is exactly the same as the PolicyID in the policy
+ - For example if the policy XML had the ID as {A6D7FBBF-9F6B-4072-BF37-693741E1D745} the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip
+3. Reboot the system or use WMI to rebootlessly refresh the policy
+
+```powershell
+Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = 'C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip'}
+```
diff --git a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
index 693cce1792..b00e9c0154 100644
--- a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
+++ b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
@@ -65,7 +65,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update`
> [!NOTE]
- > should be the full path to the certificate that you exported in step 3.
+ > \ should be the full path to the certificate that you exported in step 3.
Also, adding update signers is crucial to being able to modify or disable this policy in the future.
6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
index 18738ef4ec..8d7885f549 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
@@ -27,7 +27,7 @@ Dynamic Code Security is not enabled by default because existing policies may no
Additionally, a small number of .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled.
Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy.
-To enable Dynamic Code Security, add the following option to the section of your policy:
+To enable Dynamic Code Security, add the following option to the `
+ 
+ 
+ 
+ 
+ 
+ 
