diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index e430c553a4..52d9c0b701 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -19360,6 +19360,136 @@
"redirect_url": "/windows/deployment/do/waas-optimize-windows-10",
"redirect_document_id": false
},
+ {
+ "source_path": "windows/security/threat-protection/intelligence/coinminer-malware.md",
+ "redirect_url": "/microsoft-365/security/intelligence/coinminer-malware",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/coordinated-malware-eradication.md",
+ "redirect_url": "/microsoft-365/security/intelligence/coordinated-malware-eradication",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/criteria.md",
+ "redirect_url": "/microsoft-365/security/intelligence/criteria",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md",
+ "redirect_url": "/microsoft-365/security/intelligence/cybersecurity-industry-partners",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/developer-faq.yml",
+ "redirect_url": "/microsoft-365/security/intelligence/developer-faq",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/developer-resources.md",
+ "redirect_url": "/microsoft-365/security/intelligence/developer-resources",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/exploits-malware.md",
+ "redirect_url": "/microsoft-365/security/intelligence/exploits-malware",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/fileless-threats.md",
+ "redirect_url": "/microsoft-365/security/intelligence/fileless-threats",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/macro-malware.md",
+ "redirect_url": "/microsoft-365/security/intelligence/macro-malware",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/malware-naming.md",
+ "redirect_url": "/microsoft-365/security/intelligence/malware-naming",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/phishing-trends.md",
+ "redirect_url": "/microsoft-365/security/intelligence/phishing-trends",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/phishing.md",
+ "redirect_url": "/microsoft-365/security/intelligence/phishing",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md",
+ "redirect_url": "/microsoft-365/security/intelligence/portal-submission-troubleshooting",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/prevent-malware-infection.md",
+ "redirect_url": "/microsoft-365/security/intelligence/prevent-malware-infection",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/rootkits-malware.md",
+ "redirect_url": "/microsoft-365/security/intelligence/rootkits-malware.md",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/safety-scanner-download.md",
+ "redirect_url": "/microsoft-365/security/intelligence/safety-scanner-download",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/submission-guide.md",
+ "redirect_url": "/microsoft-365/security/intelligence/submission-guide",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/supply-chain-malware.md",
+ "redirect_url": "/microsoft-365/security/intelligence/supply-chain-malware.md",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/support-scams.md",
+ "redirect_url": "/microsoft-365/security/intelligence/support-scams",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/trojans-malware.md",
+ "redirect_url": "/microsoft-365/security/intelligence/trojans-malware",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/understanding-malware.md",
+ "redirect_url": "/microsoft-365/security/intelligence/understanding-malware",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/unwanted-software.md",
+ "redirect_url": "/microsoft-365/security/intelligence/unwanted-software",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md",
+ "redirect_url": "/microsoft-365/security/intelligence/virus-information-alliance-criteria",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/virus-initiative-criteria.md",
+ "redirect_url": "/microsoft-365/security/intelligence/virus-initiative-criteria",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/intelligence/worms-malware.md",
+ "redirect_url": "/microsoft-365/security/intelligence/worms-malware",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/microsoft-bug-bounty-program.md",
+ "redirect_url": "/microsoft-365/security/intelligence/microsoft-bug-bounty-program",
+ "redirect_document_id": false
+ },
{
"source_path": "windows/deployment/update/waas-microsoft-connected-cache.md",
"redirect_url": "/windows/deployment/do/waas-microsoft-connected-cache",
diff --git a/browsers/edge/microsoft-edge-faq.yml b/browsers/edge/microsoft-edge-faq.yml
index bfb48a3544..41ba94ebb6 100644
--- a/browsers/edge/microsoft-edge-faq.yml
+++ b/browsers/edge/microsoft-edge-faq.yml
@@ -8,11 +8,10 @@ metadata:
author: dansimp
ms.author: dansimp
ms.prod: edge
- ms.topic: article
+ ms.topic: faq
ms.mktglfcycl: general
ms.sitesec: library
ms.localizationpriority: medium
-
title: Frequently Asked Questions (FAQ) for IT Pros
summary: |
Applies to: Microsoft Edge on Windows 10
@@ -70,4 +69,4 @@ sections:
- question: What is Microsoft EdgeHTML?
answer: |
- Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform (as opposed to *Microsoft Edge, based on Chromium*).
\ No newline at end of file
+ Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform (as opposed to *Microsoft Edge, based on Chromium*).
diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml
index 4f545f92d9..0a4a146634 100644
--- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml
+++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml
@@ -13,7 +13,7 @@ metadata:
title: Internet Explorer 11 - FAQ for IT Pros (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 10/16/2017
-
+ ms.topic: faq
title: Internet Explorer 11 - FAQ for IT Pros
summary: |
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml
index 217b48f990..178595abf4 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml
+++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml
@@ -13,7 +13,7 @@ metadata:
title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
ms.sitesec: library
ms.date: 05/10/2018
-
+ ms.topic: faq
title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
summary: |
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.yml b/browsers/internet-explorer/ie11-faq/faq-ieak11.yml
index e2400b19af..20e3889f45 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ieak11.yml
+++ b/browsers/internet-explorer/ie11-faq/faq-ieak11.yml
@@ -15,7 +15,7 @@ metadata:
title: IEAK 11 - Frequently Asked Questions
ms.sitesec: library
ms.date: 05/10/2018
-
+ ms.topic: faq
title: IEAK 11 - Frequently Asked Questions
summary: |
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
@@ -137,4 +137,4 @@ additionalContent: |
-[Download IEAK 11](../ie11-ieak/ieak-information-and-downloads.md)
-[IEAK 11 overview](../ie11-ieak/index.md)
-[IEAK 11 product documentation](../ie11-ieak/index.md)
- -[IEAK 11 licensing guidelines](../ie11-ieak/licensing-version-and-features-ieak11.md)
\ No newline at end of file
+ -[IEAK 11 licensing guidelines](../ie11-ieak/licensing-version-and-features-ieak11.md)
diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml
index f7f8874d78..ea499a1774 100644
--- a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml
+++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml
@@ -9,11 +9,10 @@ metadata:
ms.reviewer: ramakoni, DEV_Triage
ms.prod: internet-explorer
ms.technology:
- ms.topic: kb-support
+ ms.topic: faq
ms.custom: CI=111020
ms.localizationpriority: medium
ms.date: 01/23/2020
-
title: Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros
summary: |
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index 1c5a8d3904..6a7469a644 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,31 +2,12 @@
-## Week of December 13, 2021
+## Week of March 14, 2022
| Published On |Topic title | Change |
|------|------------|--------|
-| 12/13/2021 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | modified |
-| 12/13/2021 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified |
-
-
-## Week of November 29, 2021
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 11/29/2021 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | added |
-| 11/29/2021 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | added |
-
-
-## Week of November 15, 2021
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 11/16/2021 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
-| 11/16/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
-| 11/18/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
-| 11/18/2021 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
-| 11/18/2021 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
+| 3/18/2022 | Educator Trial in a Box Guide | removed |
+| 3/18/2022 | Microsoft Education Trial in a Box | removed |
+| 3/18/2022 | IT Admin Trial in a Box Guide | removed |
+| 3/18/2022 | Microsoft Education Trial in a Box Support | removed |
diff --git a/education/trial-in-a-box/TOC.yml b/education/trial-in-a-box/TOC.yml
deleted file mode 100644
index 6050d91b67..0000000000
--- a/education/trial-in-a-box/TOC.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-- name: Microsoft Education Trial in a Box
- href: index.md
- items:
- - name: Educator Trial in a Box Guide
- href: educator-tib-get-started.md
- - name: IT Admin Trial in a Box Guide
- href: itadmin-tib-get-started.md
- - name: Microsoft Education Trial in a Box Support
- href: support-options.md
diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md
deleted file mode 100644
index 92cf989109..0000000000
--- a/education/trial-in-a-box/educator-tib-get-started.md
+++ /dev/null
@@ -1,350 +0,0 @@
----
-title: Educator Trial in a Box Guide
-description: Need help or have a question about using Microsoft Education? Start here.
-keywords: support, troubleshooting, education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Set up School PCs
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.topic: article
-ms.localizationpriority: medium
-ms.pagetype: edu
-ROBOTS: noindex,nofollow
-author: dansimp
-ms.author: dansimp
-ms.date: 03/18/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Educator Trial in a Box Guide
-
-
-
-This guide shows you how to quickly and easily try a few transformational tools from Microsoft Education in 5 quick steps.
-
-| Tool | Description |
-| :---: |:--- |
-| [](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. |
-| [](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?[1](#footnote1)** Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. |
-| [](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?** Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. |
-| [](#edu-task4) | **Trying to expand classroom creativity and interaction between students?** Open [OneNote](#edu-task4) and create an example group project for your class. |
-| [](#edu-task5) | **Curious about telling stories through video?** Try the [Photos app](#edu-task5) to make your own example video. |
-| [](#edu-task6) | **Want to teach kids to further collaborate and problem solve?** Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. |
-| [](#edu-task7) | **Want to provide a personal math tutor for your students?** Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. |
-
-
-
-
-> [!VIDEO https://www.youtube.com/embed/3nqooY9Iqq4]
-
-
-
-
-
-
-## 1. Log in and connect to the school network
-To try out the educator tasks, start by logging in as a teacher.
-
-1. Turn on **Device A** and ensure you plug in the PC to an electrical outlet.
-2. Connect **Device A** to your school's Wi-Fi network or connect with a local Ethernet connection using the Ethernet adapter included in this kit.
- >**Note**: If your Wi-Fi network requires a web browser login page to connect to the Internet, connect using the Ethernet port. If your Wi-Fi network has additional restrictions that will prevent the device from connecting to the internet without registration, consider connecting **Device A** to a different network.
-
-3. Log in to **Device A** using the **Teacher Username** and **Teacher Password** included in the **Credentials Sheet** located in your kit.
-
-
-
-
-
-
-## 2. Significantly improve student reading speed and comprehension
-
-> [!VIDEO https://www.youtube.com/embed/GCzSAslq_2Y]
-
-
-
-
-Learning Tools and the Immersive Reader can be used in the Microsoft Edge browser, Microsoft Word, and Microsoft OneNote to:
-* Increase fluency for English language learners
-* Build confidence for emerging readers
-* Provide text decoding solutions for students with learning differences such as dyslexia
-
-**Try this!**
-
-1. On the **Start** menu, click the Word document titled **Design Think**.
-
-2. Click **Edit Document** and select **Edit in Browser**.
-
-3. Select the **View** menu.
-
-4. Select the **Immersive Reader** button.
-
- 
-
-5. Press the **Play** button to hear text read aloud.
-
-6. Select these various settings to see different ways to configure Immersive Reader for your students.
-
- | Text to Speech | Text Preferences | Grammar Options | Line Focus |
- | :------------: | :--------------: | :-------------: | :--------: |
- |  |  |  |  |
-
-
-
-
-
-
-
-## 3. Spark communication, critical thinking, and creativity in the classroom
-
-> [!VIDEO https://www.youtube.com/embed/riQr4Dqb8B8]
-
-
-
-
-Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. This guided tour walks you through the essential teaching features of the app. Then, through interactive prompts, experience how you can use this tool in your own classroom to spark digital classroom discussions, respond to student questions, organize content, and more!
-
-Take a guided tour of Microsoft Teams and test drive this digital hub.
-
-**Try this!**
-
-1. Take a guided tour of Microsoft Teams and test drive some teaching tasks. Open the Microsoft Edge browser and navigate to https://msteamsdemo.azurewebsites.net.
-
-2. Use your school credentials provided in the **Credentials Sheet**.
-
-
-
-
-
-## 4. Expand classroom collaboration and interaction between students
-
-> [!VIDEO https://www.youtube.com/embed/dzDSWMb_fIE]
-
-
-
-
-Microsoft OneNote organizes curriculum and lesson plans for teachers and students to work together and at their own pace. It provides a digital canvas to store text, images, handwritten drawings, attachments, links, voice, and video.
-
-**Try this!**
-See how a group project comes together with opportunities to interact with other students and collaborate with peers. This one works best with the digital pen, included with your Trial in a Box.
-When you're not using the pen, just use the magnet to stick it to the left side of the screen until you need it again.
-
-1. On the **Start** menu, click the OneNote shortcut named **Imagine Giza** to open the **Reimagine the Great Pyramid of Giza project**.
-
-2. Take the digital pen out of the box and make notes or draw.
-
-3. Follow the instructions for the project. Look for the **Try this!** callouts to experiment with these engaging activities.
- - Discover the power of digital ink by selecting the Draw tab. Choose your pen and get scribbling.
-
- 
-
- - Type anywhere on the page! Just click your cursor where you want to place text.
- - Use the checkmark in the **Home** tab to keep track of completed tasks.
-
- 
-
- - To find information without leaving OneNote, use the Researcher tool found under the Insert tab.
-
- 
-
-
-
-
-
-## 5. Engage with students by creating videos
-
-> [!VIDEO https://www.youtube.com/embed/Ko7XLM1VBRE]
-
-
-
-The Photos app now has a built-in video editor, making it easy for you and your students to create movies using photos, video clips, music, 3D models, and special effects. Improve comprehension, unleash creativity, and capture your student’s imagination through video.
-
-**Try this!**
-Use video to create a project summary.
-
-1. Check you have the latest version of Microsoft Photos. Open the **Start** menu and search for **Store**. Select the **See more** button (**…**) and select **Downloads and updates**. Select **Get updates**.
-
-2. Open Microsoft Edge and visit https://aka.ms/PhotosTIB to download a zip file of the project media.
-
-3. Once the download has completed, open the zip file and select **Extract** > **Extract all**. Select **Browse** and choose the **Pictures** folder as the destination, and then select **Extract**.
-
-4. In the **Start** menu, search for **Photos** or select the Photos tile to launch the app.
-
-5. Select the first video to preview it full screen. Select **Edit & Create**, then select **Create a video with text**.
- 1. If you don't see the **Edit & Create** menu, select the video and the menu will appear at the top of the screen.
-
-6. Name your project “Laser Maze Project.” Hit Enter to continue.
-
-7. Select **Add photos and videos** and then **From my collection**. Scroll to select the 6 additional videos and select **Add**.
-
-8. Drag the videos to the Storyboard, one by one. Your project should look roughly like this:
-
- 
-
-9. Select the first card in the Storyboard (the video of the project materials) and select **Text**, type a title in, a text style, a layout, and select **Done**.
-
-10. Select the third card in the Storyboard (the video of the children assembling the maze) and select **Trim**. Drag the trim handle on the left to shorten the duration of the clip and select **Done**.
-
-11. Select the last card on the Storyboard and select **3D effects**.
- 1. Position the playback indicator to be roughly 1 second into the video clip, or when the boy moves down to examine the laser.
- 2. Find the **lightning bolt** effect and click or drag to add it to the scene. Rotate, scale, and position the effect so it looks like the lightning is coming out of the laser beam and hitting the black back of the mirror.
- 3. Position the blue anchor over the end of the laser pointer in the video and toggle on **Attach to a point** for the lightning bolt effect to anchor the effect in the scene.
- 4. Play back your effect.
- 5. Select **Done** when you have it where you want it.
-
- 
-
-12. Select **Music** and select a track from the **Recommended** music collection.
- 1. The music will update automatically to match the length of your video project, even as you make changes.
- 2. If you don’t see more than a few music options, confirm that you’re connected to Wi-Fi and then close and re-open Microsoft Photos (returning to your project via the **Albums** tab). Additional music files should download in the background.
-
-13. You can adjust the volume for the background music using the **Music volume** button.
-
-14. Preview your video to see how it all came together.
-
-15. Select **Export or share** and select either the **Small** or **Medium** file size. You can share your video to social media, email, or another apps.
-
-Check out this use case video of the Photos team partnering with the Bureau Of Fearless Ideas in Seattle to bring the Photos app to local middle school students: https://www.youtube.com/watch?v=0dFFAu6XwPg
-
-
-
-
-
-## 6. Get kids to further collaborate and problem solve
-
-> [!VIDEO https://www.youtube.com/embed/QI_bRNUugog]
-
-
-
-Minecraft: Education Edition provides an immersive environment to develop creativity, collaboration, and problem-solving in an immersive environment where the only limit is your imagination.
-
-**Try this!**
-Today, we'll explore a Minecraft world through the eyes of a student.
-
-1. Connect the included mouse to your computer for optimal interaction.
-
-2. Open Microsoft Edge and visit https://aka.ms/lessonhub.
-
-3. Scroll down to the **Details** section and select **Download World**.
-
- 
-
-4. When prompted, save the world.
-
-5. Enter your same teacher username and password and click **Accept**.
-
-6. Click **OK** on the **Minecraft: Education Edition Free Trial** box.
-
-7. Click **Play**.
-
-8. Click **Lesson Hub Vol 1** to enter the downloaded world.
-
-9. Explore the world by using the keys on your keyboard.
- * **W** moves forward.
- * **A** moves left.
- * **S** moves right.
- * **D** moves backward.
-
-10. Use your mouse as your "eyes". Just move it to look around.
-
-11. For a bird's eye view, double-tap the SPACE BAR. Now press the SPACE BAR to fly higher. And then hold the SHIFT key to safely land.
-
- To try more advanced movements or building within Minecraft, use the Minecraft Controls Diagram.
-
- 
-
-12. Access and adapt over 300 lesson plans, spanning all grades and subjects, to meet your needs. Enjoy exploring new worlds and happy crafting.
-
- **Try this!**
-
- 1. Go to education.minecraft.net/.
- 2. Click **Class Resources**.
- 3. Click **Find a Lesson**.
-
- 
-
-
-
-
-
-
-## 7. Use Windows Ink to provide a personal math tutor for your students
-
-The **Math Assistant** and **Ink Replay** features available in the OneNote app give your students step-by-step instructions on how to solve their math problems and help them visualize math functions on an interactive 2D graph.
-
-**Let's solve 3x+4=7 in OneNote using the pen!**
-To get started:
-1. Open the OneNote app for Windows 10 (not OneNote 2016).
-
- 
-
-2. In the top left corner, click on the **<** arrow to access your notebooks and pages.
-
- 
-
-3. Click **Add Page** to launch a blank work space.
-
- 
-
-4. Make sure your pen is paired to the device. To pair, see Connect to Bluetooth devices.
-
-To solve the equation 3x+4=7, follow these instructions:
-1. Write the equation 3x+4=7 in ink using the pen or type it in as text.
-
-2. If you wrote the equation using digital ink, use the **Lasso tool** to circle the equation. If you typed the equation, highlight it using your mouse.
-
- 
-
-3. On the **Draw** tab, click the **Math** button.
-
- 
-
-4. From the drop-down menu in the **Math** pane, select the option to **Solve for x**. You can now see the final solution of the equation.
-
- 
-
-5. From the second drop-down below, choose **Steps for Solving Linear Formula**, which shows you the step-by-step solution of this equation.
-
-6. On the **View** tab, click the **Replay** button. Use your mouse to select the written equation and watch your text in replay. Replay is great for students to review how the teacher solved the equation and for teachers to review how students approached a problem.
-
- 
-
-To graph the equation 3x+4=7, follow these instructions:
-1. From the drop-down menu in the **Math** pane, select the option to **Graph Both Sides in 2D**. You can play with the interactive graph of your equation - use a single finger to move the graph position or two fingers to change the **zoom** level.
-
- 
-
-2. Click the **Insert on Page** button below the graph to add a screenshot of the graph to your page.
-
-
-
-**Watch what Educators say about Microsoft Education delivering better learning outcomes**
-Bring out the best in students by providing a platform for collaborating, exploring, personalized learning, and getting things done across all devices.
-
-| | |
-|:--- |:--- |
-| See how one school improves reading skills using Learning Tools Immersive Reader | Here's how Microsoft Teams creates more robust classroom experiences at all ages. |
-| Watch teachers elevate the education of students using OneNote. | Here what other teachers say about using Minecraft: Education Edition in their classrooms. |
-
-
-## Update your apps
-
-Microsoft Education works hard to bring you the most current Trial in a Box program experience. As a result, you may need to update your apps to get our latest innovations.
-
-For more information about checking for updates, and how to optionally turn on automatic app updates, see the following articles:
-
-- [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/help/4026259/microsoft-store-check-updates-for-apps-and-games)
-
-- [Turn on automatic app updates](https://support.microsoft.com/help/15081/windows-turn-on-automatic-app-updates)
-
-## Get more info
-* Learn more at microsoft.com/education
-* Find out if your school is eligible for a device trial at aka.ms/EDUTrialInABox
-* Buy Windows 10 devices
-
-
-
-
-
-
-
-1 OneNote in Education Learning Tools transform the student experience.
diff --git a/education/trial-in-a-box/images/Bug.png b/education/trial-in-a-box/images/Bug.png
deleted file mode 100644
index 3199821631..0000000000
Binary files a/education/trial-in-a-box/images/Bug.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/Inking.png b/education/trial-in-a-box/images/Inking.png
deleted file mode 100644
index b6dcb58920..0000000000
Binary files a/education/trial-in-a-box/images/Inking.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/Math1.png b/education/trial-in-a-box/images/Math1.png
deleted file mode 100644
index 70891c9c29..0000000000
Binary files a/education/trial-in-a-box/images/Math1.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/Math2.png b/education/trial-in-a-box/images/Math2.png
deleted file mode 100644
index 9ffd2638ac..0000000000
Binary files a/education/trial-in-a-box/images/Math2.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/OneNote_logo.png b/education/trial-in-a-box/images/OneNote_logo.png
deleted file mode 100644
index 9adca44e69..0000000000
Binary files a/education/trial-in-a-box/images/OneNote_logo.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/TrialInABox_Header_Map_Graphic-01.png b/education/trial-in-a-box/images/TrialInABox_Header_Map_Graphic-01.png
deleted file mode 100644
index 07dae4fa9a..0000000000
Binary files a/education/trial-in-a-box/images/TrialInABox_Header_Map_Graphic-01.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/Unlock-Limitless-Learning.png b/education/trial-in-a-box/images/Unlock-Limitless-Learning.png
deleted file mode 100644
index 5697eee7bb..0000000000
Binary files a/education/trial-in-a-box/images/Unlock-Limitless-Learning.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/Welcome-IT-Admins.png b/education/trial-in-a-box/images/Welcome-IT-Admins.png
deleted file mode 100644
index e1bc425bb1..0000000000
Binary files a/education/trial-in-a-box/images/Welcome-IT-Admins.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/Welocme-Educators.png b/education/trial-in-a-box/images/Welocme-Educators.png
deleted file mode 100644
index 5906fd82bb..0000000000
Binary files a/education/trial-in-a-box/images/Welocme-Educators.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/activate_21st_learning.png b/education/trial-in-a-box/images/activate_21st_learning.png
deleted file mode 100644
index 750846f38e..0000000000
Binary files a/education/trial-in-a-box/images/activate_21st_learning.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/admin-TIB-setp-1-jump.png b/education/trial-in-a-box/images/admin-TIB-setp-1-jump.png
deleted file mode 100644
index 7a4ae9b645..0000000000
Binary files a/education/trial-in-a-box/images/admin-TIB-setp-1-jump.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/admin-TIB-setp-1-v3.png b/education/trial-in-a-box/images/admin-TIB-setp-1-v3.png
deleted file mode 100644
index 00dd5bbb40..0000000000
Binary files a/education/trial-in-a-box/images/admin-TIB-setp-1-v3.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/admin-TIB-setp-2-jump.png b/education/trial-in-a-box/images/admin-TIB-setp-2-jump.png
deleted file mode 100644
index 3bb2096f07..0000000000
Binary files a/education/trial-in-a-box/images/admin-TIB-setp-2-jump.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/admin-TIB-setp-2-v3.png b/education/trial-in-a-box/images/admin-TIB-setp-2-v3.png
deleted file mode 100644
index 66f0d899df..0000000000
Binary files a/education/trial-in-a-box/images/admin-TIB-setp-2-v3.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/admin-TIB-setp-3-jump.png b/education/trial-in-a-box/images/admin-TIB-setp-3-jump.png
deleted file mode 100644
index 801a858422..0000000000
Binary files a/education/trial-in-a-box/images/admin-TIB-setp-3-jump.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/admin-TIB-setp-3-v3.png b/education/trial-in-a-box/images/admin-TIB-setp-3-v3.png
deleted file mode 100644
index 228e0fe52e..0000000000
Binary files a/education/trial-in-a-box/images/admin-TIB-setp-3-v3.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/admin-TIB-setp-4-jump.png b/education/trial-in-a-box/images/admin-TIB-setp-4-jump.png
deleted file mode 100644
index 291f41f4b3..0000000000
Binary files a/education/trial-in-a-box/images/admin-TIB-setp-4-jump.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/admin-TIB-setp-4-v3.png b/education/trial-in-a-box/images/admin-TIB-setp-4-v3.png
deleted file mode 100644
index da700a5321..0000000000
Binary files a/education/trial-in-a-box/images/admin-TIB-setp-4-v3.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/admin-TIB-setp-5-jump.png b/education/trial-in-a-box/images/admin-TIB-setp-5-jump.png
deleted file mode 100644
index 5b0e1230b2..0000000000
Binary files a/education/trial-in-a-box/images/admin-TIB-setp-5-jump.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/admin-TIB-setp-5-v3.png b/education/trial-in-a-box/images/admin-TIB-setp-5-v3.png
deleted file mode 100644
index 5a11f7c057..0000000000
Binary files a/education/trial-in-a-box/images/admin-TIB-setp-5-v3.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-TIB-setp-1-jump.png b/education/trial-in-a-box/images/edu-TIB-setp-1-jump.png
deleted file mode 100644
index ab75a4c733..0000000000
Binary files a/education/trial-in-a-box/images/edu-TIB-setp-1-jump.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-TIB-setp-1-v3.png b/education/trial-in-a-box/images/edu-TIB-setp-1-v3.png
deleted file mode 100644
index 3763d04261..0000000000
Binary files a/education/trial-in-a-box/images/edu-TIB-setp-1-v3.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-TIB-setp-2-jump.png b/education/trial-in-a-box/images/edu-TIB-setp-2-jump.png
deleted file mode 100644
index 1064f06843..0000000000
Binary files a/education/trial-in-a-box/images/edu-TIB-setp-2-jump.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-TIB-setp-2-v3.png b/education/trial-in-a-box/images/edu-TIB-setp-2-v3.png
deleted file mode 100644
index a0c6d57d22..0000000000
Binary files a/education/trial-in-a-box/images/edu-TIB-setp-2-v3.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-TIB-setp-3-jump.png b/education/trial-in-a-box/images/edu-TIB-setp-3-jump.png
deleted file mode 100644
index 8383abf0f7..0000000000
Binary files a/education/trial-in-a-box/images/edu-TIB-setp-3-jump.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-TIB-setp-3-v3.png b/education/trial-in-a-box/images/edu-TIB-setp-3-v3.png
deleted file mode 100644
index 2ca24538db..0000000000
Binary files a/education/trial-in-a-box/images/edu-TIB-setp-3-v3.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-TIB-setp-4-jump.png b/education/trial-in-a-box/images/edu-TIB-setp-4-jump.png
deleted file mode 100644
index 5b8b8751a7..0000000000
Binary files a/education/trial-in-a-box/images/edu-TIB-setp-4-jump.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-TIB-setp-4-v3.png b/education/trial-in-a-box/images/edu-TIB-setp-4-v3.png
deleted file mode 100644
index 7ed0026dd3..0000000000
Binary files a/education/trial-in-a-box/images/edu-TIB-setp-4-v3.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-TIB-setp-5-jump.png b/education/trial-in-a-box/images/edu-TIB-setp-5-jump.png
deleted file mode 100644
index 3703de260f..0000000000
Binary files a/education/trial-in-a-box/images/edu-TIB-setp-5-jump.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-TIB-setp-5-v3.png b/education/trial-in-a-box/images/edu-TIB-setp-5-v3.png
deleted file mode 100644
index e6a165980b..0000000000
Binary files a/education/trial-in-a-box/images/edu-TIB-setp-5-v3.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-TIB-setp-6-jump.png b/education/trial-in-a-box/images/edu-TIB-setp-6-jump.png
deleted file mode 100644
index ef787873bf..0000000000
Binary files a/education/trial-in-a-box/images/edu-TIB-setp-6-jump.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-tib-setp-5-jump2.png b/education/trial-in-a-box/images/edu-tib-setp-5-jump2.png
deleted file mode 100644
index 684bc59a50..0000000000
Binary files a/education/trial-in-a-box/images/edu-tib-setp-5-jump2.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-tib-setp-5-v4.png b/education/trial-in-a-box/images/edu-tib-setp-5-v4.png
deleted file mode 100644
index d1d3f51fb8..0000000000
Binary files a/education/trial-in-a-box/images/edu-tib-setp-5-v4.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-tib-setp-6-v4.png b/education/trial-in-a-box/images/edu-tib-setp-6-v4.png
deleted file mode 100644
index 72393bc1ea..0000000000
Binary files a/education/trial-in-a-box/images/edu-tib-setp-6-v4.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-tib-setp-7-jump.png b/education/trial-in-a-box/images/edu-tib-setp-7-jump.png
deleted file mode 100644
index 1287f292b8..0000000000
Binary files a/education/trial-in-a-box/images/edu-tib-setp-7-jump.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/edu-tib-setp-7-v1.png b/education/trial-in-a-box/images/edu-tib-setp-7-v1.png
deleted file mode 100644
index 78b755cf3a..0000000000
Binary files a/education/trial-in-a-box/images/edu-tib-setp-7-v1.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/educator_getstarted_banner.png b/education/trial-in-a-box/images/educator_getstarted_banner.png
deleted file mode 100644
index 6262a6f28e..0000000000
Binary files a/education/trial-in-a-box/images/educator_getstarted_banner.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/educator_priority.png b/education/trial-in-a-box/images/educator_priority.png
deleted file mode 100644
index abd0995fff..0000000000
Binary files a/education/trial-in-a-box/images/educator_priority.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/foster_prof_collab.png b/education/trial-in-a-box/images/foster_prof_collab.png
deleted file mode 100644
index 4e6a86df97..0000000000
Binary files a/education/trial-in-a-box/images/foster_prof_collab.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/graph-for-x.png b/education/trial-in-a-box/images/graph-for-x.png
deleted file mode 100644
index 66d1d49621..0000000000
Binary files a/education/trial-in-a-box/images/graph-for-x.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/i4e_dashboard.PNG b/education/trial-in-a-box/images/i4e_dashboard.PNG
deleted file mode 100644
index 41304ad303..0000000000
Binary files a/education/trial-in-a-box/images/i4e_dashboard.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/i4e_dashboard_expressconfig.png b/education/trial-in-a-box/images/i4e_dashboard_expressconfig.png
deleted file mode 100644
index 41304ad303..0000000000
Binary files a/education/trial-in-a-box/images/i4e_dashboard_expressconfig.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/i4e_expressconfig_chooseapps.PNG b/education/trial-in-a-box/images/i4e_expressconfig_chooseapps.PNG
deleted file mode 100644
index b58d1f0da7..0000000000
Binary files a/education/trial-in-a-box/images/i4e_expressconfig_chooseapps.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/i4e_groups_alldevices_newfolders.PNG b/education/trial-in-a-box/images/i4e_groups_alldevices_newfolders.PNG
deleted file mode 100644
index 6e5a5661a9..0000000000
Binary files a/education/trial-in-a-box/images/i4e_groups_alldevices_newfolders.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/i4e_groups_allusers.PNG b/education/trial-in-a-box/images/i4e_groups_allusers.PNG
deleted file mode 100644
index 925ff9664a..0000000000
Binary files a/education/trial-in-a-box/images/i4e_groups_allusers.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/i4e_groups_allusers_apps.PNG b/education/trial-in-a-box/images/i4e_groups_allusers_apps.PNG
deleted file mode 100644
index 24e4110abc..0000000000
Binary files a/education/trial-in-a-box/images/i4e_groups_allusers_apps.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/i4e_groups_allusers_editapps.PNG b/education/trial-in-a-box/images/i4e_groups_allusers_editapps.PNG
deleted file mode 100644
index debf56ef03..0000000000
Binary files a/education/trial-in-a-box/images/i4e_groups_allusers_editapps.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/i4e_groups_settings_wincustomizations.PNG b/education/trial-in-a-box/images/i4e_groups_settings_wincustomizations.PNG
deleted file mode 100644
index bf081dec43..0000000000
Binary files a/education/trial-in-a-box/images/i4e_groups_settings_wincustomizations.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/inspire_innovation.png b/education/trial-in-a-box/images/inspire_innovation.png
deleted file mode 100644
index 0a55e5923a..0000000000
Binary files a/education/trial-in-a-box/images/inspire_innovation.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/it-admin.png b/education/trial-in-a-box/images/it-admin.png
deleted file mode 100644
index 83a69022cc..0000000000
Binary files a/education/trial-in-a-box/images/it-admin.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/it-admin1.svg b/education/trial-in-a-box/images/it-admin1.svg
deleted file mode 100644
index 695337f601..0000000000
--- a/education/trial-in-a-box/images/it-admin1.svg
+++ /dev/null
@@ -1,260 +0,0 @@
-
-
-
-
diff --git a/education/trial-in-a-box/images/itadmin_rotated.png b/education/trial-in-a-box/images/itadmin_rotated.png
deleted file mode 100644
index 2494b2db66..0000000000
Binary files a/education/trial-in-a-box/images/itadmin_rotated.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/itadmin_rotated_resized.png b/education/trial-in-a-box/images/itadmin_rotated_resized.png
deleted file mode 100644
index d7e805eadb..0000000000
Binary files a/education/trial-in-a-box/images/itadmin_rotated_resized.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/lasso.png b/education/trial-in-a-box/images/lasso.png
deleted file mode 100644
index 99da81e620..0000000000
Binary files a/education/trial-in-a-box/images/lasso.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/left_arrow.png b/education/trial-in-a-box/images/left_arrow.png
deleted file mode 100644
index 5521199254..0000000000
Binary files a/education/trial-in-a-box/images/left_arrow.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/m365edu_tib_itadminsteps.PNG b/education/trial-in-a-box/images/m365edu_tib_itadminsteps.PNG
deleted file mode 100644
index 5ab4c44f60..0000000000
Binary files a/education/trial-in-a-box/images/m365edu_tib_itadminsteps.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/m365edu_tib_itadminsteps_2.PNG b/education/trial-in-a-box/images/m365edu_tib_itadminsteps_2.PNG
deleted file mode 100644
index 536d78c8da..0000000000
Binary files a/education/trial-in-a-box/images/m365edu_tib_itadminsteps_2.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/m365edu_trialinabox_adminsteps.PNG b/education/trial-in-a-box/images/m365edu_trialinabox_adminsteps.PNG
deleted file mode 100644
index f9a565f3c5..0000000000
Binary files a/education/trial-in-a-box/images/m365edu_trialinabox_adminsteps.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/math-button.png b/education/trial-in-a-box/images/math-button.png
deleted file mode 100644
index a01e92e09a..0000000000
Binary files a/education/trial-in-a-box/images/math-button.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/mcee_downloadworld.PNG b/education/trial-in-a-box/images/mcee_downloadworld.PNG
deleted file mode 100644
index b81d4d94af..0000000000
Binary files a/education/trial-in-a-box/images/mcee_downloadworld.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/mcee_keyboard_controls.png b/education/trial-in-a-box/images/mcee_keyboard_controls.png
deleted file mode 100644
index 86428815a6..0000000000
Binary files a/education/trial-in-a-box/images/mcee_keyboard_controls.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/mcee_keyboard_mouse_controls.png b/education/trial-in-a-box/images/mcee_keyboard_mouse_controls.png
deleted file mode 100644
index f76c6951b2..0000000000
Binary files a/education/trial-in-a-box/images/mcee_keyboard_mouse_controls.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/meet_diverse_needs.png b/education/trial-in-a-box/images/meet_diverse_needs.png
deleted file mode 100644
index 5726b761af..0000000000
Binary files a/education/trial-in-a-box/images/meet_diverse_needs.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/microsoft_store_suspc_install.PNG b/education/trial-in-a-box/images/microsoft_store_suspc_install.PNG
deleted file mode 100644
index 80a6466b33..0000000000
Binary files a/education/trial-in-a-box/images/microsoft_store_suspc_install.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/minecraft_lesson_plans.png b/education/trial-in-a-box/images/minecraft_lesson_plans.png
deleted file mode 100644
index 69b430f910..0000000000
Binary files a/education/trial-in-a-box/images/minecraft_lesson_plans.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/msedu_tib_adminsteps.PNG b/education/trial-in-a-box/images/msedu_tib_adminsteps.PNG
deleted file mode 100644
index 512da71d05..0000000000
Binary files a/education/trial-in-a-box/images/msedu_tib_adminsteps.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/msedu_tib_adminsteps_nologo.png b/education/trial-in-a-box/images/msedu_tib_adminsteps_nologo.png
deleted file mode 100644
index 0a16a63350..0000000000
Binary files a/education/trial-in-a-box/images/msedu_tib_adminsteps_nologo.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/msedu_tib_teachersteps_nologo.png b/education/trial-in-a-box/images/msedu_tib_teachersteps_nologo.png
deleted file mode 100644
index 3b4115374f..0000000000
Binary files a/education/trial-in-a-box/images/msedu_tib_teachersteps_nologo.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/mses_getstarted_banner.png b/education/trial-in-a-box/images/mses_getstarted_banner.png
deleted file mode 100644
index 48dde0456c..0000000000
Binary files a/education/trial-in-a-box/images/mses_getstarted_banner.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/msfe_boughtapps.PNG b/education/trial-in-a-box/images/msfe_boughtapps.PNG
deleted file mode 100644
index 72de644cf4..0000000000
Binary files a/education/trial-in-a-box/images/msfe_boughtapps.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/msfe_portal.PNG b/education/trial-in-a-box/images/msfe_portal.PNG
deleted file mode 100644
index aac1c78f43..0000000000
Binary files a/education/trial-in-a-box/images/msfe_portal.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/o365_adminaccountinfo.PNG b/education/trial-in-a-box/images/o365_adminaccountinfo.PNG
deleted file mode 100644
index 30ab5e5c8e..0000000000
Binary files a/education/trial-in-a-box/images/o365_adminaccountinfo.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/o365_needhelp.PNG b/education/trial-in-a-box/images/o365_needhelp.PNG
deleted file mode 100644
index 72689ee2bf..0000000000
Binary files a/education/trial-in-a-box/images/o365_needhelp.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/o365_needhelp_callingoption.PNG b/education/trial-in-a-box/images/o365_needhelp_callingoption.PNG
deleted file mode 100644
index beb77f970a..0000000000
Binary files a/education/trial-in-a-box/images/o365_needhelp_callingoption.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/o365_needhelp_questionbutton.png b/education/trial-in-a-box/images/o365_needhelp_questionbutton.png
deleted file mode 100644
index 8c7a6aeeaa..0000000000
Binary files a/education/trial-in-a-box/images/o365_needhelp_questionbutton.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/o365_needhelp_supporttickets.PNG b/education/trial-in-a-box/images/o365_needhelp_supporttickets.PNG
deleted file mode 100644
index f9414da09a..0000000000
Binary files a/education/trial-in-a-box/images/o365_needhelp_supporttickets.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/o365_support_options.PNG b/education/trial-in-a-box/images/o365_support_options.PNG
deleted file mode 100644
index dfb3182c72..0000000000
Binary files a/education/trial-in-a-box/images/o365_support_options.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/o365_users_password.PNG b/education/trial-in-a-box/images/o365_users_password.PNG
deleted file mode 100644
index 4c423e670c..0000000000
Binary files a/education/trial-in-a-box/images/o365_users_password.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/o365_users_password_reset.PNG b/education/trial-in-a-box/images/o365_users_password_reset.PNG
deleted file mode 100644
index 02528706fe..0000000000
Binary files a/education/trial-in-a-box/images/o365_users_password_reset.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/o365_users_resetpassword.PNG b/education/trial-in-a-box/images/o365_users_resetpassword.PNG
deleted file mode 100644
index e32ff5b6bd..0000000000
Binary files a/education/trial-in-a-box/images/o365_users_resetpassword.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/officeportal_cantaccessaccount.PNG b/education/trial-in-a-box/images/officeportal_cantaccessaccount.PNG
deleted file mode 100644
index 79fcae5d8f..0000000000
Binary files a/education/trial-in-a-box/images/officeportal_cantaccessaccount.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/onenote_checkmark.png b/education/trial-in-a-box/images/onenote_checkmark.png
deleted file mode 100644
index 1d276b4c1d..0000000000
Binary files a/education/trial-in-a-box/images/onenote_checkmark.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/onenote_draw.PNG b/education/trial-in-a-box/images/onenote_draw.PNG
deleted file mode 100644
index 48c49e6e84..0000000000
Binary files a/education/trial-in-a-box/images/onenote_draw.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/onenote_researcher.png b/education/trial-in-a-box/images/onenote_researcher.png
deleted file mode 100644
index a03b00c820..0000000000
Binary files a/education/trial-in-a-box/images/onenote_researcher.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/photo_app_1.png b/education/trial-in-a-box/images/photo_app_1.png
deleted file mode 100644
index b5e6a59f63..0000000000
Binary files a/education/trial-in-a-box/images/photo_app_1.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/photo_app_2.png b/education/trial-in-a-box/images/photo_app_2.png
deleted file mode 100644
index 69ec9b01dd..0000000000
Binary files a/education/trial-in-a-box/images/photo_app_2.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/plus-page.png b/education/trial-in-a-box/images/plus-page.png
deleted file mode 100644
index b10bde2383..0000000000
Binary files a/education/trial-in-a-box/images/plus-page.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/replay.png b/education/trial-in-a-box/images/replay.png
deleted file mode 100644
index 9826112c50..0000000000
Binary files a/education/trial-in-a-box/images/replay.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/screenshot-bug.png b/education/trial-in-a-box/images/screenshot-bug.png
deleted file mode 100644
index 3199821631..0000000000
Binary files a/education/trial-in-a-box/images/screenshot-bug.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/solve-for-x.png b/education/trial-in-a-box/images/solve-for-x.png
deleted file mode 100644
index f0abd1379f..0000000000
Binary files a/education/trial-in-a-box/images/solve-for-x.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/start_microsoft_store.png b/education/trial-in-a-box/images/start_microsoft_store.png
deleted file mode 100644
index 083bae842a..0000000000
Binary files a/education/trial-in-a-box/images/start_microsoft_store.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/student.png b/education/trial-in-a-box/images/student.png
deleted file mode 100644
index 8349a0f5dc..0000000000
Binary files a/education/trial-in-a-box/images/student.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/student1.svg b/education/trial-in-a-box/images/student1.svg
deleted file mode 100644
index 25c267bae9..0000000000
--- a/education/trial-in-a-box/images/student1.svg
+++ /dev/null
@@ -1,168 +0,0 @@
-
-
-
-
diff --git a/education/trial-in-a-box/images/student2.svg b/education/trial-in-a-box/images/student2.svg
deleted file mode 100644
index 5d473d1baf..0000000000
--- a/education/trial-in-a-box/images/student2.svg
+++ /dev/null
@@ -1,176 +0,0 @@
-
-
-
-
diff --git a/education/trial-in-a-box/images/suspc_configure_pc2.jpg b/education/trial-in-a-box/images/suspc_configure_pc2.jpg
deleted file mode 100644
index 68c0080b22..0000000000
Binary files a/education/trial-in-a-box/images/suspc_configure_pc2.jpg and /dev/null differ
diff --git a/education/trial-in-a-box/images/suspc_configure_pcsettings.PNG b/education/trial-in-a-box/images/suspc_configure_pcsettings.PNG
deleted file mode 100644
index 9dc6298c43..0000000000
Binary files a/education/trial-in-a-box/images/suspc_configure_pcsettings.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/suspc_configure_pcsettings2.png b/education/trial-in-a-box/images/suspc_configure_pcsettings2.png
deleted file mode 100644
index 2dba596ef9..0000000000
Binary files a/education/trial-in-a-box/images/suspc_configure_pcsettings2.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/suspc_configure_pcsettings_selected.png b/education/trial-in-a-box/images/suspc_configure_pcsettings_selected.png
deleted file mode 100644
index b0204e110a..0000000000
Binary files a/education/trial-in-a-box/images/suspc_configure_pcsettings_selected.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/suspc_configure_recommended_apps.png b/education/trial-in-a-box/images/suspc_configure_recommended_apps.png
deleted file mode 100644
index 4a75409f34..0000000000
Binary files a/education/trial-in-a-box/images/suspc_configure_recommended_apps.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/suspc_configure_recommendedapps.png b/education/trial-in-a-box/images/suspc_configure_recommendedapps.png
deleted file mode 100644
index 126cf46911..0000000000
Binary files a/education/trial-in-a-box/images/suspc_configure_recommendedapps.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/suspc_configure_recommendedapps_v2.png b/education/trial-in-a-box/images/suspc_configure_recommendedapps_v2.png
deleted file mode 100644
index 7fa7b7a190..0000000000
Binary files a/education/trial-in-a-box/images/suspc_configure_recommendedapps_v2.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/suspc_review_summary.PNG b/education/trial-in-a-box/images/suspc_review_summary.PNG
deleted file mode 100644
index e515809d8f..0000000000
Binary files a/education/trial-in-a-box/images/suspc_review_summary.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/suspc_start.PNG b/education/trial-in-a-box/images/suspc_start.PNG
deleted file mode 100644
index 4fef71992d..0000000000
Binary files a/education/trial-in-a-box/images/suspc_start.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/suspc_takeatest.PNG b/education/trial-in-a-box/images/suspc_takeatest.PNG
deleted file mode 100644
index 282720e66f..0000000000
Binary files a/education/trial-in-a-box/images/suspc_takeatest.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/teacher.png b/education/trial-in-a-box/images/teacher.png
deleted file mode 100644
index e3b89bb7a7..0000000000
Binary files a/education/trial-in-a-box/images/teacher.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/teacher1.svg b/education/trial-in-a-box/images/teacher1.svg
deleted file mode 100644
index 00feb1e22a..0000000000
--- a/education/trial-in-a-box/images/teacher1.svg
+++ /dev/null
@@ -1,155 +0,0 @@
-
-
-
-
diff --git a/education/trial-in-a-box/images/teacher2.svg b/education/trial-in-a-box/images/teacher2.svg
deleted file mode 100644
index 592c516120..0000000000
--- a/education/trial-in-a-box/images/teacher2.svg
+++ /dev/null
@@ -1,163 +0,0 @@
-
-
-
-
diff --git a/education/trial-in-a-box/images/teacher_rotated.png b/education/trial-in-a-box/images/teacher_rotated.png
deleted file mode 100644
index ccca16f0e2..0000000000
Binary files a/education/trial-in-a-box/images/teacher_rotated.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/teacher_rotated_resized.png b/education/trial-in-a-box/images/teacher_rotated_resized.png
deleted file mode 100644
index 4e9f0e03f8..0000000000
Binary files a/education/trial-in-a-box/images/teacher_rotated_resized.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/trial-in-a-box.png b/education/trial-in-a-box/images/trial-in-a-box.png
deleted file mode 100644
index ca9b031f24..0000000000
Binary files a/education/trial-in-a-box/images/trial-in-a-box.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/win10_oobe_firstscreen.png b/education/trial-in-a-box/images/win10_oobe_firstscreen.png
deleted file mode 100644
index 0d5343d0b4..0000000000
Binary files a/education/trial-in-a-box/images/win10_oobe_firstscreen.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/windows_start.png b/education/trial-in-a-box/images/windows_start.png
deleted file mode 100644
index 08a2568c83..0000000000
Binary files a/education/trial-in-a-box/images/windows_start.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/word_online_grammar_options.png b/education/trial-in-a-box/images/word_online_grammar_options.png
deleted file mode 100644
index 8d6eec92db..0000000000
Binary files a/education/trial-in-a-box/images/word_online_grammar_options.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/word_online_immersive_reader.png b/education/trial-in-a-box/images/word_online_immersive_reader.png
deleted file mode 100644
index 74340efca5..0000000000
Binary files a/education/trial-in-a-box/images/word_online_immersive_reader.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/word_online_line_focus.png b/education/trial-in-a-box/images/word_online_line_focus.png
deleted file mode 100644
index ee9db0ca08..0000000000
Binary files a/education/trial-in-a-box/images/word_online_line_focus.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/word_online_text_preferences.png b/education/trial-in-a-box/images/word_online_text_preferences.png
deleted file mode 100644
index 1eec52893f..0000000000
Binary files a/education/trial-in-a-box/images/word_online_text_preferences.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/word_online_tts.png b/education/trial-in-a-box/images/word_online_tts.png
deleted file mode 100644
index 96e04f35f9..0000000000
Binary files a/education/trial-in-a-box/images/word_online_tts.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/wordonline_grammar_options.png b/education/trial-in-a-box/images/wordonline_grammar_options.png
deleted file mode 100644
index aef5976456..0000000000
Binary files a/education/trial-in-a-box/images/wordonline_grammar_options.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/wordonline_line_focus.png b/education/trial-in-a-box/images/wordonline_line_focus.png
deleted file mode 100644
index fcb39edd26..0000000000
Binary files a/education/trial-in-a-box/images/wordonline_line_focus.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/wordonline_text_preferences.png b/education/trial-in-a-box/images/wordonline_text_preferences.png
deleted file mode 100644
index a336c2356d..0000000000
Binary files a/education/trial-in-a-box/images/wordonline_text_preferences.png and /dev/null differ
diff --git a/education/trial-in-a-box/images/wordonline_tts.png b/education/trial-in-a-box/images/wordonline_tts.png
deleted file mode 100644
index 973a7dd031..0000000000
Binary files a/education/trial-in-a-box/images/wordonline_tts.png and /dev/null differ
diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md
deleted file mode 100644
index 2ea43581c9..0000000000
--- a/education/trial-in-a-box/index.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: Microsoft Education Trial in a Box
-description: For IT admins, educators, and students, discover what you can do with Microsoft 365 Education. Try it out with our Trial in a Box program.
-keywords: education, Microsoft 365 Education, trial, full cloud IT solution, school, deploy, setup, IT admin, educator, student, explore, Trial in a Box
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.topic: article
-ms.localizationpriority: medium
-ms.pagetype: edu
-ROBOTS: noindex,nofollow
-author: dansimp
-ms.author: dansimp
-ms.date: 12/11/2017
----
-
-# Microsoft Education Trial in a Box
-
-
-
-
-
-> [!VIDEO https://www.youtube.com/embed/azoxUYWbeGg]
-
-
-
-Welcome to Microsoft Education Trial in a Box. We built this trial to make it easy to try our latest classroom technologies. We have two scenarios for you to try: one for educators and one for IT. We recommend starting with Educators. To begin, click **Get started** below.
-
-
-
-| [](educator-tib-get-started.md) | [](itadmin-tib-get-started.md) |
-| :---: | :---: |
-| **Educator**Enhance students of all abilities by unleashing their creativity, collaboration, and improving problem-solving skills. [Get started](educator-tib-get-started.md) | **IT Admin**Quickly implement and deploy a full cloud infrastructure that's secure and easy to manage. [Get started](itadmin-tib-get-started.md) |
-
-
-
diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md
deleted file mode 100644
index 911f893986..0000000000
--- a/education/trial-in-a-box/itadmin-tib-get-started.md
+++ /dev/null
@@ -1,281 +0,0 @@
----
-title: IT Admin Trial in a Box Guide
-description: Try out Microsoft 365 Education to implement a full cloud infrastructure for your school, manage devices and apps, and configure and deploy policies to your Windows 10 devices.
-keywords: education, Microsoft 365 Education, trial, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.topic: quickstart
-ms.localizationpriority: medium
-ms.pagetype: edu
-ROBOTS: noindex,nofollow
-author: dansimp
-ms.author: dansimp
-ms.date: 03/18/2018
-ms.reviewer:
-manager: dansimp
----
-
-# IT Admin Trial in a Box Guide
-
-
-
-Learn how to quickly deploy and manage devices for your school in 5 quick steps.
-
-| | |
-| :---: |:--- |
-| [](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. |
-| [](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. |
-| [](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. |
-| [](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. |
-| [](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. |
-
-
-
-To get the most out of Microsoft Education, we've pre-configured your tenant for you so you don't need to set it up. A tenant is representative of an organization. It is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure, Microsoft Intune, or Office 365. We've also pre-populated the tenant with fictitious Student Information System (SIS) data so you can work with this as you follow the guide.
-
-If you run into any problems while following the steps in this guide, or you have questions about Trial in a Box or Microsoft Education, see [Microsoft Education Trial in a Box Support](support-options.md).
-
-
-
-> [!VIDEO https://www.youtube.com/embed/cVVKCpO2tyI]
-
-
-
-
-## 1. Log in to Device A with your IT Admin credentials and connect to the school network
-To try out the IT admin tasks, start by logging in as an IT admin.
-
-1. Set up **Device A** first, then set up **Device B**.
-2. Turn on **Device A** and ensure you plug in the PC to an electrical outlet.
-3. Connect **Device A** to your school's Wi-Fi network or connect with a local Ethernet connection using the Ethernet adapter included in this kit.
- >**Note**: If your Wi-Fi network requires a web browser login page to connect to the Internet, connect using the Ethernet port. If your Wi-Fi network has additional restrictions that will prevent the device from connecting to the internet without registration, consider connecting **Device A** to a different network.
-
-4. Log in to **Device A** using the **Administrator Username** and **Administrator Password** included in the **Credentials Sheet** located in your kit.
-5. Note the serial numbers on the Trial in a Box devices and register both devices with the hardware manufacturer to activate the manufacturer's warranty.
-
-
-
-
-## 2. Configure Device B with Set up School PCs
-Now you're ready to learn how to configure a brand new device. You will start on **Device A** by downloading and running the Set up School PCs app. Then, you will configure **Device B**.
-
-If you've previously used Set up School PCs to provision student devices, you can follow the instructions in this section to quickly configure **Device B**. Otherwise, we recommend you follow the instructions in [Use the Set up School PCs app](../windows/use-set-up-school-pcs-app.md) for more detailed information, including tips for successfully running Set up School PCs.
-
-### Download, install, and get ready
-
-1. From the **Start** menu, find and then click **Microsoft Store** to launch the Store.
-
- 
-
-2. Search for the **Set up School PCs** app.
-
- 
-
-3. Click **Install**.
-
-### Create the provisioning package
-
-1. On **Device A**, launch the Set up School PCs app.
-
- 
-
-2. Click **Get started**.
-3. Select **Sign-in**.
-4. In **Let's get you signed in**, choose your Trial in a Box admin account. If you don't see it on the list, follow these steps:
- 1. Select **Work or school account > Use another account** and then enter your Trial in a Box admin account email and password.
- 2. Click **Accept**.
-
-5. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through Intune for Education.
-
- > [!NOTE]
- > The name must be five (5) characters or less. Set up School PCs automatically appends `_%SERIAL%` to the prefix that you specify. `_%SERIAL%` ensures that all device names are unique. For example, if you add *Math4* as the prefix, the device names will be *Math4* followed by a random string of letters and numbers.
-
-6. In **Configure student PC settings**, you can specify other settings for the student PC.
-
- We recommend checking the highlighted settings below:
-
- 
-
- - **Remove apps pre-installed by the device manufacturer** - If you select this option, this will reset the machine and the provisioning process will take longer (about 30 minutes).
- - **Allow local storage (not recommended for shared devices)** lets students save files to the **Desktop** and **Documents** folder on the student PC.
- - **Optimize device for a single student, instead of a shared cart or lab** optimizes the device for use by a single student (1:1).
- - Set up School PCs will change some account management logic so that it sets the expiration time for an account to 180 days (without requiring sign-in).
- - This setting also increases the maximum storage to 100% of the available disk space. This prevents the student's account from being erased if the student stores a lot of files or data or if the student doesn't use the PC over a prolonged period.
- - **Let guests sign-in to these PCs** allows guests to use student PCs without a school account. If you select this option, a **Guest** account button will be added in the PC's sign-in screen to allow anyone to use the PC.
- - **Enable Windows 10 Autopilot Reset** enables IT admins to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment the student PC is returned to a fully configured or known approved state. For more info, see [Autopilot Reset](../windows/autopilot-reset.md).
- - **Lock screen background** shows the default background used for student PCs provisioned by Set up School PCs. Select **Browse** to change the default.
-
-7. **Set up the Take a Test app** configures the device for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. Windows will lock down the student PC so that students can't access anything else while taking the test.
-
- 
-
- 1. Specify if you want to create a Take a Test button on the students' sign-in screens.
- 2. Select **Advanced settings** to allow keyboard text suggestions to appear and to allow teachers to monitor online tests.
-
- > [!NOTE]
- > The Take a Test app doesn't provide monitoring capabilities, but it allows tools like AssistX ClassPolicy to see what is going on in the app.
-
- 3. Enter the assessment URL.
-
-8. **Add recommended apps** lets you choose from a set of recommended Microsoft Store apps to provision.
-
- 
-
- The recommended apps include the following:
- * **Office 365 for Windows 10 S (Education Preview)** - Optional. This works well for the Trial in a Box PCs running Windows 10 S. However, if you try to install this app on other editions of Windows 10, setup will fail. Also note that if you select **Office 365 for Windows 10 S (Education Preview)**, it will take about 30-45 minutes longer for Set up School PCs to create the provisioning package as the app downloads Office 365 for Windows 10 S (Education Preview) from the Microsoft Store.
- * **Minecraft: Education Edition** - This is pre-provisioned in your tenant's app catalog, but it's not yet installed on a device. Select this option now to include it in the provisioning package.
- * **Other apps fit for the classroom** - Optional. You can choose other recommended apps to install on the PC.
-
-9. **Review package summary**.
-
- To change any of the settings, select the page or section (such as **Sign-in** or **Settings**) to go back to that page and make your changes.
-
- 
-
-10. Accept the summary and then insert a USB drive in **Device A**. Use the USB drive that came in the Trial in a Box accessories box to save the provisioning package.
-11. Select the drive and then **Save** to create the provisioning package.
-
- The provisioning package on your USB drive will be named SetUpSchoolPCs_*ABCDE* (Expires *MM-DD-YYYY*).ppkg, where *ABCDE* is the device name you added (if any), and *MM-DD-YYYY* is the month, day, and year when the package will expire.
-
- > [!NOTE]
- > If you selected **Office 365 for Windows 10 S (Education Preview)**, this step will take about 30-45 minutes. You can jump ahead to task 3, [Express configure Intune for Education to manage devices, users, and policies](#it-task3), and then finish the rest of task 2 afterwards.
-
-12. Follow the instructions in the **Get the student PCs ready** page to start setting up **Device B**.
-13. Follow the instructions in the **Install the package** page to apply the provisioning package to **Device B**. For more guidance, you can follow the steps in [Apply the provisioning package](#apply-the-provisioning-package).
-
- Select **Create new package** if you need to create a new provisioning package. Otherwise, remove the USB drive.
-
-### Apply the provisioning package
-A provisioning package is a method for applying settings to Windows 10 without needing to reimage the device.
-
-**Set up Device B using the Set up School PCs provisioning package**
-
-1. Start with **Device B** turned off or with the PC on the first-run setup screen. In Windows 10 S Fall Creators Update, the first-run setup screen says **Let's start with region. Is this right?**.
-
- 
-
- If you go past the region selection screen, select **Ctrl + Shift + F3** which will prompt the "System Preparation Tool." Select **Okay** in the tool to return to the region selection screen. If this doesn't work, reset the PC by going to **Settings > Update & Security > Recovery > Reset this PC.**
-
-2. Insert the USB drive into **Device B**. Windows will recognize the drive and automatically install the provisioning package.
-3. When prompted, remove the USB drive. You can then use the USB drive to start provisioning another student PC.
-
- After provisioning **Device B**, wait 1-2 minutes to allow the device to fully connect to the tenant. You can then select any one of the teacher or student accounts from the **User name and passwords** sheet provided in your Trial in a Box to test **Device B** and the Microsoft Education tools and services that are part of your 1-year trial.
-
-You can complete the rest of the IT admin tasks using **Device A**.
-
-
-
-
-## 3. Express configure Intune for Education to manage devices, users, and policies
-Intune for Education provides an **Express configuration** option so you can get going right away. We'll use that option here.
-
-1. Log into the Intune for Education console.
-2. On the Intune for Education dashboard, click **Launch Express Configuration** or select the **Express configuration**.
-
- 
-
-3. In the **Welcome to Intune for Education** screen, click **Get started** and follow the prompts until you get to the **Choose group** screen.
-4. In the **Choose group** screen, select **All Users** so that all apps and settings that we select during express setup will apply to this group.
-5. In the **Choose apps** screen, you will see a selection of desktop (Win32) apps, Web apps, and Microsoft Store apps.
-
- 
-
-6. Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in step 5.
-
- > [!TIP]
- > Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**.
-
-7. In the **Choose settings** screen, set the settings to apply to the group. Expand each settings group to see all the configurable settings.
-
- For example, set these settings:
- - In the **Basic device settings** group, change the **Block changing language settings** and **Block changing device region settings** to **Block**.
- - In the **Microsoft Edge settings** group, change the **Block pop-ups** setting to **Block**.
-
-8. Click **Next** and review the list of apps and settings you selected to apply.
-9. Click **Save** and then click **All done** to go back to the dashboard.
-
-
-
-
-## 4. Find apps from the Microsoft Store for Education and deploy them to managed devices in your tenant
-The Microsoft Store for Education is where you can shop for more apps for your school.
-
-1. In Intune for Education, select **Apps**.
-2. In the **Store apps** section, select **+ New app** to go to the Microsoft Store for Education.
-3. Select **Sign in** and start shopping for apps for your school.
-
- 
-
-4. Check some of the categories for suggested apps or search the Store for a free educational or reference app. Find ones that you haven't already installed during express configuration for Intune for Education. For example, these apps are free:
- - Duolingo - Learn Languages for Free
- - Khan Academy
- - My Study Life
- - Arduino IDE
-
-5. Find or select the app you want to install and click **Get the app**.
-6. In the app's Store page, click the **...** button and select **Add to private store**.
-
- Repeat steps 3-5 to install another app or go to the next step.
-
-7. Select **Manage > Products & services** to verify that the apps you purchased appear in your inventory.
-
- The apps will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant.
-
- 
-
- In the **Private store** column of the **Products & services** page, the status for some apps will indicate that it's "In private store" while others will say "Adding to private store" or "Not applicable". Learn more about this in Distribute apps using your private store.
-
- > [!NOTE]
- > Sync happens automatically, but it may take up to 36 hours for your organization's private store and 12 hours for Intune for Education to sync all your purchased apps.
-
-
-
-
-## 5. Create custom folders that will appear on each managed device's Start menu
-Update settings for all devices in your tenant by adding the **Documents** and **Downloads** folders to all devices managed in Intune for Education.
-
-1. Go to the Intune for Education console.
-2. Select **Group > All Devices > Settings** and expand **Windows interface settings**.
-3. In **Choose folders that appear in the Start menu**, select **Documents** and **Downloads**.
-
- 
-
-4. **Save** your changes.
-
-## Verify correct device setup and other IT admin tasks
-Follow these instructions to confirm if you configured your tenant correctly and the right apps and settings were applied to all users or devices on your tenant:
-
-* [Verify correct device setup](/microsoft-365/education/deploy/#verify-correct-device-setup)
-
- 1. Confirm that the apps you bought from the Microsoft Store for Education appear in the Windows Start screen's **Recently added** section.
-
- > [!NOTE]
- > It may take some time before the apps appear on your devices. When you select **Start**, some apps may show up under **Recently added** while others may say that **Add is in progress**. Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune for Education to sync all your purchased apps down to your devices.
-
- 2. Confirm that the folders you added, if you chose to customize the Windows interface from Intune for Education, appear in the Start menu.
- 3. If you added **Office 365 for Windows 10 S (Education Preview)** to the package and provisioned **Device B** with it, you need to click on one of the Office apps in the **Start** menu to complete app registration.
-
-* [Verify the device is Azure AD joined](/microsoft-365/education/deploy/#verify-the-device-is-azure-ad-joined) - Confirm that your devices are being managed in Intune for Education.
-* [Add more users](/microsoft-365/education/deploy/#add-more-users) - Go to the Microsoft 365 admin center to add more users.
-* Get app updates (including updates for Office 365 for Windows 10 S)
- 1. Open the **Start** menu and go to the **Microsoft Store**.
- 2. From the **Microsoft Store**, click **...** (See more) and select **Downloads and updates**.
- 3. In the **Downloads and updates** page, click **Get updates**.
-* [Try the BYOD scenario](/microsoft-365/education/deploy/#connect-other-devices-to-your-cloud-infrastructure)
-
-## Update your apps
-
-Microsoft Education works hard to bring you the most current Trial in a Box program experience. As a result, you may need to update your apps to get our latest innovations.
-
-For more information about checking for updates, and how to optionally turn on automatic app updates, see the following articles:
-
-- [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/help/4026259/microsoft-store-check-updates-for-apps-and-games)
-
-- [Turn on automatic app updates](https://support.microsoft.com/help/15081/windows-turn-on-automatic-app-updates)
-
-
-## Get more info
-* Learn more at microsoft.com/education
-* Find out if your school is eligible for a device trial at aka.ms/EDUTrialInABox
-* Buy Windows 10 devices
\ No newline at end of file
diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md
deleted file mode 100644
index 627a78c9ef..0000000000
--- a/education/trial-in-a-box/support-options.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: Microsoft Education Trial in a Box Support
-description: Need help or have a question about using Microsoft Education Trial in a Box? Start here.
-keywords: support, troubleshooting, education, Microsoft 365 Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Set up School PCs
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.topic: article
-ms.localizationpriority: medium
-ms.pagetype: edu
-ROBOTS: noindex,nofollow
-author: dansimp
-ms.author: dansimp
-ms.date: 03/18/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Microsoft Education Trial in a Box Support
-Need help or have a question about using Microsoft Education? Start here.
-
-## 1. Update your apps
-
-Microsoft Education works hard to bring you the most current Trial in a Box program experience. As a result, you may need to update your apps to get our latest innovations.
-
-For more information about checking for updates, and how to optionally turn on automatic app updates, see the following articles:
-
-- [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/help/4026259/microsoft-store-check-updates-for-apps-and-games)
-
-- [Turn on automatic app updates](https://support.microsoft.com/help/15081/windows-turn-on-automatic-app-updates)
-
-## 2. Confirm your admin contact information is current
-
-1. Go to the admin center and sign in with your Office 365 admin credentials.
-2. In the admin center dashboard, select your profile on the upper righthand corner and select **My account** from the options.
-3. Select **Personal info** and then edit **Contact details** to update your phone, primary email address, and alternate email address.
-
- > [!NOTE]
- > For the alternate email address, make sure you use a different address from your Office 365 email address.
-
- 
-
-4. Click **Save**.
-
-## 3. Request a call back
-
-1. Click the **Need help?** button in the lower right-hand corner of the Office 365 console.
-
- 
-
- You will see a sidebar window open up on the right-hand side of the screen.
-
- 
-
- If you chose to have a support representative call you, a new support ticket will be opened and you can track these in **Support tickets**.
-
- 
-
-2. Click the **question button**  in the top navigation of the sidebar window.
-3. In the field below **Need help?**, enter a description of your help request.
-4. Click the **Get help button**.
-5. In the **Let us call you** section, enter a phone number where you can be reached.
-6. Click the **Call me** button.
-7. A Microsoft Education support representative will call you back.
-
-## Forgot your password?
-Forget your password? Follow these steps to recover it.
-
-1. Go to https://portal.office.com
-2. Select **Can't access your account** and follow the prompts to get back into your account.
-
- 
-
-
-
-
-## Get more info
-[Microsoft Education Trial in a Box](index.md)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 5cfdf4faa9..f514676cbe 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -229,6 +229,14 @@ Information about the execution status of the threat.
The data type is integer.
+The following list shows the supported values:
+
+- 0 = Unknown
+- 1 = Blocked
+- 2 = Allowed
+- 3 = Running
+- 4 = Not running
+
Supported operation is Get.
**Detections/*ThreatId*/InitialDetectionTime**
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index db53557678..88bfae707f 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -70,7 +70,7 @@ Policy
Supported operation is Get.
**Policy/Config**
-
Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value.
+
Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value) the configuration source can use the Policy/Result path to retrieve the resulting value.
Supported operation is Get.
@@ -8360,6 +8360,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
@@ -629,6 +632,58 @@ The following list shows the supported values:
+
+**Search/DisableSearch**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting completely disables Search UI and all its entry points such as keyboard shortcuts and touch-pad gestures.
+
+It removes the Search button from the Taskbar and the corresponding option in the Settings. It also disables type-to-search in the Start menu and removes the Start menu's search box.
+
+
+
+ADMX Info:
+
+- GP Friendly name: *Fully disable Search UI*
+- GP name: *DisableSearch*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 (default) – Do not disable search.
+- 1 – Disable search.
+
+
+
+
+
+
+
**Search/DoNotUseWebResults**
@@ -761,7 +816,7 @@ The following list shows the supported values:
-If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index..
+If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index cf2fac211d..7b40a61a6b 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
-ms.date: 01/11/2022
+ms.date: 03/18/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
@@ -1693,7 +1693,7 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) -Do not enforce certificate pinning
+- 0 (default) - Enforce certificate pinning
- 1 - Do not enforce certificate pinning
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
index 4a431a22d2..2db0fd7296 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
@@ -13,8 +13,7 @@ metadata:
ms.author: aaroncz
manager: dougeby
audience: itpro
- ms.topic: article
-
+ ms.topic: faq
title: 'Windows 10 Enterprise: FAQ for IT professionals'
summary: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
index 460351c799..41ea0c40ca 100644
--- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
+++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
@@ -13,8 +13,7 @@ metadata:
ms.pagetype: mobility
ms.sitesec: library
audience: itpro
- ms.topic: article
-
+ ms.topic: faq
title: 'Windows To Go: frequently asked questions'
summary: |
**Applies to**
@@ -451,4 +450,4 @@ additionalContent: |
- [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
- [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
- [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-
\ No newline at end of file
+
diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml
index a63be25fdb..024d9e89be 100644
--- a/windows/deployment/usmt/usmt-faq.yml
+++ b/windows/deployment/usmt/usmt-faq.yml
@@ -12,8 +12,7 @@ metadata:
ms.sitesec: library
audience: itpro
ms.date: 04/19/2017
- ms.topic: article
-
+ ms.topic: faq
title: Frequently Asked Questions
summary: |
The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.
@@ -140,4 +139,4 @@ additionalContent: |
[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)
- [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)
\ No newline at end of file
+ [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index d150e02df0..7d7f56a09d 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -205,61 +205,6 @@
href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection
- name: Microsoft Defender for Endpoint
href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint
- - name: Security intelligence
- href: threat-protection/intelligence/index.md
- items:
- - name: Understand malware & other threats
- href: threat-protection/intelligence/understanding-malware.md
- items:
- - name: Prevent malware infection
- href: threat-protection/intelligence/prevent-malware-infection.md
- - name: Malware names
- href: threat-protection/intelligence/malware-naming.md
- - name: Coin miners
- href: threat-protection/intelligence/coinminer-malware.md
- - name: Exploits and exploit kits
- href: threat-protection/intelligence/exploits-malware.md
- - name: Fileless threats
- href: threat-protection/intelligence/fileless-threats.md
- - name: Macro malware
- href: threat-protection/intelligence/macro-malware.md
- - name: Phishing
- href: threat-protection/intelligence/phishing.md
- - name: Ransomware
- href: /security/compass/human-operated-ransomware
- - name: Rootkits
- href: threat-protection/intelligence/rootkits-malware.md
- - name: Supply chain attacks
- href: threat-protection/intelligence/supply-chain-malware.md
- - name: Tech support scams
- href: threat-protection/intelligence/support-scams.md
- - name: Trojans
- href: threat-protection/intelligence/trojans-malware.md
- - name: Unwanted software
- href: threat-protection/intelligence/unwanted-software.md
- - name: Worms
- href: threat-protection/intelligence/worms-malware.md
- - name: How Microsoft identifies malware and PUA
- href: threat-protection/intelligence/criteria.md
- - name: Submit files for analysis
- href: threat-protection/intelligence/submission-guide.md
- - name: Safety Scanner download
- href: threat-protection/intelligence/safety-scanner-download.md
- - name: Industry collaboration programs
- href: threat-protection/intelligence/cybersecurity-industry-partners.md
- items:
- - name: Virus information alliance
- href: threat-protection/intelligence/virus-information-alliance-criteria.md
- - name: Microsoft virus initiative
- href: threat-protection/intelligence/virus-initiative-criteria.md
- - name: Coordinated malware eradication
- href: threat-protection/intelligence/coordinated-malware-eradication.md
- - name: Information for developers
- items:
- - name: Software developer FAQ
- href: threat-protection/intelligence/developer-faq.yml
- - name: Software developer resources
- href: threat-protection/intelligence/developer-resources.md
- name: More Windows security
items:
- name: Override Process Mitigation Options to help enforce app-related security policies
@@ -460,8 +405,6 @@
href: security-foundations.md
- name: Microsoft Security Development Lifecycle
href: threat-protection/msft-security-dev-lifecycle.md
- - name: Microsoft Bug Bounty Program
- href: threat-protection/microsoft-bug-bounty-program.md
- name: FIPS 140-2 Validation
href: threat-protection/fips-140-validation.md
- name: Common Criteria Certifications
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index a6f347396d..7081a2b5d6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -14,10 +14,10 @@ metadata:
ms.collection:
- M365-identity-device-management
- highpri
- ms.topic: article
+ ms.topic: faq
localizationpriority: medium
ms.date: 02/21/2022
-
+
title: Windows Hello for Business Frequently Asked Questions (FAQ)
summary: |
Applies to: Windows 10
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 9acb0672a7..5e7b974b0d 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -156,7 +156,7 @@ landingContent:
- text: Microsoft Security Development Lifecycle
url: threat-protection/msft-security-dev-lifecycle.md
- text: Microsoft Bug Bounty
- url: threat-protection/microsoft-bug-bounty-program.md
+ url: /microsoft-365/security/intelligence/microsoft-bug-bounty-program.md
- text: Common Criteria Certifications
url: threat-protection/windows-platform-common-criteria.md
- text: Federal Information Processing Standard (FIPS) 140 Validation
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
index cb7895bee9..279702c109 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
@@ -16,10 +16,9 @@ metadata:
ms.collection:
- M365-security-compliance
- highpri
- ms.topic: conceptual
+ ms.topic: faq
ms.date: 02/28/2019
ms.custom: bitlocker
-
title: BitLocker and Active Directory Domain Services (AD DS) FAQ
summary: |
**Applies to**
@@ -82,4 +81,4 @@ sections:
When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored.
-
\ No newline at end of file
+
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
index 85b7bbb000..9ae7897062 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
@@ -14,10 +14,9 @@ metadata:
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
- ms.topic: conceptual
+ ms.topic: faq
ms.date: 02/28/2019
ms.custom: bitlocker
-
title: BitLocker frequently asked questions (FAQ)
summary: |
**Applies to**
@@ -93,4 +92,4 @@ sections:
answer: Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted.
- question: What type of disk configurations are supported by BitLocker?
- answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
\ No newline at end of file
+ answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
index fd752a06bd..db16f5e272 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
@@ -16,10 +16,9 @@ metadata:
ms.collection:
- M365-security-compliance
- highpri
- ms.topic: conceptual
+ ms.topic: faq
ms.date: 02/28/2019
ms.custom: bitlocker
-
title: BitLocker frequently asked questions (FAQ) resources
summary: |
**Applies to**
@@ -52,4 +51,4 @@ sections:
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
- [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
- - [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true)
\ No newline at end of file
+ - [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
index eba6835e4f..09d144f684 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
@@ -14,10 +14,9 @@ metadata:
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
- ms.topic: conceptual
+ ms.topic: faq
ms.date: 02/28/2019
ms.custom: bitlocker
-
title: BitLocker Key Management FAQ
summary: |
**Applies to**
diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
index c909c07339..92acc08a12 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
@@ -12,11 +12,10 @@ metadata:
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
- ms.topic: conceptual
+ ms.topic: faq
ms.date: 02/28/2019
ms.reviewer:
ms.custom: bitlocker
-
title: BitLocker Network Unlock FAQ
summary: |
**Applies to**
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
index 9836d4e902..2b8382dfa8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
@@ -16,10 +16,9 @@ metadata:
ms.collection:
- M365-security-compliance
- highpri
- ms.topic: conceptual
+ ms.topic: faq
ms.date: 07/27/2021
ms.custom: bitlocker
-
title: BitLocker Overview and Requirements FAQ
summary: |
**Applies to**
diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
index 75d0561ae3..34a96db5ad 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
@@ -14,10 +14,9 @@ metadata:
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
- ms.topic: conceptual
+ ms.topic: faq
ms.date: 03/14/2022
ms.custom: bitlocker
-
title: BitLocker Security FAQ
summary: |
**Applies to**
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
index c9d6d649c1..256644a535 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
@@ -14,10 +14,9 @@ metadata:
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
- ms.topic: conceptual
+ ms.topic: faq
ms.date: 07/10/2018
ms.custom: bitlocker
-
title: BitLocker To Go FAQ
summary: |
**Applies to**
diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
index 84f82e3483..05f79c3d7c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
@@ -12,11 +12,10 @@ metadata:
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
- ms.topic: conceptual
+ ms.topic: faq
ms.date: 02/28/2019
ms.reviewer:
ms.custom: bitlocker
-
title: BitLocker Upgrading FAQ
summary: |
**Applies to**
@@ -52,4 +51,4 @@ sections:
> [!NOTE]
- > If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
\ No newline at end of file
+ > If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
index 52150c7455..c79641be85 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
@@ -14,10 +14,9 @@ metadata:
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
- ms.topic: conceptual
+ ms.topic: faq
ms.date: 02/28/2019
ms.custom: bitlocker
-
title: Using BitLocker with other programs FAQ
summary: |
**Applies to**
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
index 9308046bcd..aa92e85a9c 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
@@ -14,10 +14,9 @@ metadata:
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
- ms.topic: conceptual
+ ms.topic: faq
ms.date: 11/10/2021
ms.technology: mde
-
title: Advanced security auditing FAQ
summary: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md
deleted file mode 100644
index 5e3a895186..0000000000
--- a/windows/security/threat-protection/intelligence/coinminer-malware.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-title: Coin miners
-ms.reviewer:
-description: Learn about coin miners, how they can infect devices, and what you can do to protect yourself.
-keywords: security, malware, coin miners, protection, cryptocurrencies
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-# Coin miners
-
-Cybercriminals are always looking for new ways to make money. With the rise of digital currencies, also known as cryptocurrencies, criminals see a unique opportunity to infiltrate an organization and secretly mine for coins by reconfiguring malware.
-
-## How coin miners work
-
-Many infections start with:
-
-- Email messages with attachments that try to install malware.
-
-- Websites hosting exploit kits that attempt to use vulnerabilities in web browsers and other software to install coin miners.
-
-- Websites taking advantage of computer processing power by running scripts while users browse the website.
-
-Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger. This process generates coins but requires significant computing resources.
-
-Coin miners aren't inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others look for alternative sources of computing power and try to find their way into corporate networks. These coin miners aren't wanted in enterprise environments because they eat up precious computing resources.
-
-Cybercriminals see an opportunity to make money by running malware campaigns that distribute, install, and run trojanized miners at the expense of other people’s computing resources.
-
-### Examples
-
-DDE exploits, which have been known to distribute ransomware, are now delivering miners.
-
-For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256: 7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is installed by Exploit:O97M/DDEDownloader.PA, a Word document that contains the DDE exploit.
-
-The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A). It downloads the trojanized miner, a modified version of the miner XMRig, which then mines Monero cryptocurrency.
-
-## How to protect against coin miners
-
-**Enable potentially unwanted applications (PUA) detection**. Some coin mining tools aren't considered malware but are detected as PUA. Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection.
-
-Since coin miners are becoming a popular payload in many different kinds of attacks, see general tips on how to [prevent malware infection](prevent-malware-infection.md).
-
-For more information on coin miners, see the blog post [Invisible resource thieves: The increasing threat of cryptocurrency miners](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/).
diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
deleted file mode 100644
index d765694f94..0000000000
--- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Coordinated Malware Eradication
-ms.reviewer:
-description: The Coordinated Malware Eradication program aims to unite security organizations to disrupt the malware ecosystem.
-keywords: security, malware, malware eradication, Microsoft Malware Protection Center, MMPC
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: windows-sec
----
-# Coordinated Malware Eradication
-
-
-
-Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries together to change the game against malware. While the cybersecurity industry today is effective at disrupting malware families through individual efforts, those disruptions rarely lead to eradication since malware authors quickly adapt their tactics to survive.
-
-CME calls for organizations to pool their tools, information, and actions to drive coordinated campaigns against malware. The goal is to drive efficient and long-lasting results to better protect our communities, customers, and businesses.
-
-## Combining our tools, information, and actions
-
-Diversity of participation across industries and disciplines, extending beyond cybersecurity, makes eradication campaigns even stronger across the malware lifecycle. Security vendors, computer emergency response/readiness teams (CERTs), and Internet service providers (ISPs) can contribute with malware telemetry. Online businesses can identify fraudulent behavior and law enforcement agencies can drive legal action.
-
-Microsoft is planning to contribute telemetry and analysis data to these campaigns. It will also provide cloud-based scalable storage and computing horsepower with the necessary big data analysis tools built-in.
-
-## Coordinated campaigns for lasting results
-
-Organizations participating in the CME effort work together to help eradicate selected malware families by contributing their own telemetry data, expertise, tools, and other resources. These organizations operate under a campaign umbrella with clearly defined end goals and metrics. Any organization or member can start a campaign and invite others to join it. The members can then accept or decline the invitations they receive.
-
-## Join the effort
-
-Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). Everyone agrees to use the available information and tools for their intended purpose (that is, the eradication of malware).
-
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For any questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
deleted file mode 100644
index 12e405077b..0000000000
--- a/windows/security/threat-protection/intelligence/criteria.md
+++ /dev/null
@@ -1,189 +0,0 @@
----
-title: How Microsoft identifies malware and potentially unwanted applications
-ms.reviewer:
-description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it's malware or a potentially unwanted application.
-keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 12/13/2021
-search.appverid: met150
-ms.technology: windows-sec
----
-
-# How Microsoft identifies malware and potentially unwanted applications
-
-Microsoft aims to provide a delightful and productive Windows experience by working to ensure you're safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you're protected against known threats. You are also warned about software that is unknown to us.
-
-You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). This will help ensure that unknown or suspicious software is scanned by our system to start establishing reputation. [Learn more about submitting files for analysis](submission-guide.md)
-
-The next sections provide an overview of the classifications we use for applications and the types of behaviors that lead to that classification.
-
->[!NOTE]
-> New forms of malware and potentially unwanted applications are being developed and distributed rapidly. The following list may not be comprehensive, and Microsoft reserves the right to adjust, expand, and update these without prior notice or announcement.
-
-## Unknown – Unrecognized software
-
-No antivirus or protection technology is perfect. It takes time to identify and block malicious sites and applications, or trust newly released programs and certificates. With almost 2 billion websites on the internet and software continuously updated and released, it's impossible to have information about every single site and program.
-
-Think of Unknown/Uncommonly downloaded warnings as an early warning system for potentially undetected malware. There's generally a delay from the time new malware is released until it's identified. Not all uncommon programs are malicious, but the risk in the unknown category is much higher for the typical user. Warnings for unknown software aren't blocks. Users can choose to download and run the application normally if they wish to.
-
-Once enough data is gathered, Microsoft's security solutions can make a determination. Either no threats are found, or an application or software is categorized as malware or potentially unwanted software.
-
-## Malware
-
-Malware is the overarching name for applications and other code, like software, that Microsoft classifies more granularly as *malicious software* or *unwanted software*.
-
-### Malicious software
-
-Malicious software is an application or code that compromises user security. Malicious software may steal your personal information, lock your device until you pay a ransom, use your device to send spam, or download other malicious software. In general, malicious software wants to trick, cheat, or defrauds users, placing them in vulnerable states.
-
-Microsoft classifies most malicious software into one of the following categories:
-
-* **Backdoor:** A type of malware that gives malicious hackers remote access to and control of your device.
-
-* **Command and Control:** A type of malware that infects your device and establishes communication with the hackers’ command-and-control server to receive instructions. Once communication is established, hackers can send commands that can steal data, shut down and reboot the device, and disrupt web services.
-
-* **Downloader:** A type of malware that downloads other malware onto your device. It must connect to the internet to download files.
-
-* **Dropper:** A type of malware that installs other malware files onto your device. Unlike a downloader, a dropper doesn't have to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself.
-
-* **Exploit:** A piece of code that uses software vulnerabilities to gain access to your device and perform other tasks, such as installing malware. [See more information about exploits](exploits-malware.md).
-
-* **Hacktool:** A type of tool that can be used to gain unauthorized access to your device.
-
-* **Macro virus:** A type of malware that spreads through infected documents, such as Microsoft Word or Excel documents. The virus is run when you open an infected document.
-
-* **Obfuscator:** A type of malware that hides its code and purpose, making it more difficult for security software to detect or remove.
-
-* **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.
-
-* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [See more information about ransomware](/security/compass/human-operated-ransomware).
-
-* **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your device. It also tries to convince you to pay for its services.
-
-* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate to tricks users into downloading and installing it. Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device.
-
-* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device.
-
-* **Worm:** A type of malware that spreads to other devices. Worms can spread through email, instant messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take advantage of software vulnerabilities to propagate.
-
-### Unwanted software
-
-Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your device through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that doesn't fully demonstrate these behaviors as "unwanted software".
-
-#### Lack of choice
-
-You must be notified about what is happening on your device, including what software does and whether it's active.
-
-Software that exhibits lack of choice might:
-
-* Fail to provide prominent notice about the behavior of the software and its purpose and intent.
-
-* Fail to clearly indicate when the software is active. It might also attempt to hide or disguise its presence.
-
-* Install, reinstall, or remove software without your permission, interaction, or consent.
-
-* Install other software without a clear indication of its relationship to the primary software.
-
-* Circumvent user consent dialogs from the browser or operating system.
-
-* Falsely claim to be software from Microsoft.
-
-Software must not mislead or coerce you into making decisions about your device. It is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
-
-* Display exaggerated claims about your device's health.
-
-* Make misleading or inaccurate claims about files, registry entries, or other items on your device.
-
-* Display claims in an alarming manner about your device's health and require payment or certain actions in exchange for fixing the purported issues.
-
-Software that stores or transmits your activities or data must:
-
-* Give you notice and get consent to do so. Software shouldn't include an option that configures it to hide activities associated with storing or transmitting your data.
-
-#### Lack of control
-
-You must be able to control software on your device. You must be able to start, stop, or otherwise revoke authorization to software.
-
-Software that exhibits lack of control might:
-
-* Prevent or limit you from viewing or modifying browser features or settings.
-
-* Open browser windows without authorization.
-
-* Redirect web traffic without giving notice and getting consent.
-
-* Modify or manipulate webpage content without your consent.
-
-Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that don't provide supported extensibility models are considered non-extensible and shouldn't be modified.
-
-#### Installation and removal
-
-You must be able to start, stop, or otherwise revoke authorization given to software. Software should obtain your consent before installing, and it must provide a clear and straightforward way for you to install, uninstall, or disable it.
-
-Software that delivers *poor installation experience* might bundle or download other "unwanted software" as classified by Microsoft.
-
-Software that delivers *poor removal experience* might:
-
-* Present confusing or misleading prompts or pop-ups when you try to uninstall it.
-
-* Fail to use standard install/uninstall features, such as Add/Remove Programs.
-
-#### Advertising and advertisements
-
-Software that promotes a product or service outside of the software itself can interfere with your computing experience. You should have clear choice and control when installing software that presents advertisements.
-
-The advertisements that are presented by software must:
-
-* Include an obvious way for users to close the advertisement. The act of closing the advertisement must not open another advertisement.
-
-* Include the name of the software that presented the advertisement.
-
-The software that presents these advertisements must:
-
-* Provide a standard uninstall method for the software using the same name as shown in the advertisement it presents.
-
-Advertisements shown to you must:
-
-* Be distinguishable from website content.
-
-* Not mislead, deceive, or confuse.
-
-* Not contain malicious code.
-
-* Not invoke a file download.
-
-#### Consumer opinion
-
-Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Microsoft Defender Antivirus and other Microsoft antimalware solutions.
-
-## Potentially unwanted application (PUA)
-
-Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Microsoft Defender Antivirus, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
-
-*PUAs are not considered malware.*
-
-Microsoft uses specific categories and the category definitions to classify software as a PUA.
-
-* **Advertising software:** Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.
-
-* **Torrent software (Enterprise only):** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.
-
-* **Cryptomining software (Enterprise only):** Software that uses your device resources to mine cryptocurrencies.
-
-* **Bundling software:** Software that offers to install other software that is not developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.
-
-* **Marketing software:** Software that monitors and transmits the activities of users to applications or services other than itself for marketing research.
-
-* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
-
-* **Poor industry reputation:** Software that trusted security providers detect with their security products. The security industry is dedicated to protecting customers and improving their experiences. Microsoft and other organizations in the security industry continuously exchange knowledge about files we have analyzed to provide users with the best possible protection.
-
diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
deleted file mode 100644
index 86d39e9fb3..0000000000
--- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Industry collaboration programs
-ms.reviewer:
-description: There are various collaborative programs regarding Microsoft industry-wide anti-malware - Virus Information Alliance (VIA), Microsoft Virus Initiative (MVI), and Coordinated Malware Eradication (CME)
-keywords: security, malware, antivirus industry, anti-malware Industry, collaboration programs, alliances, Virus Information Alliance, Microsoft Virus Initiative, Coordinated Malware Eradication, WDSI, MMPC, Microsoft Malware Protection Center, partnerships
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: windows-sec
----
-# Industry collaboration programs
-
-There are various industry-wide collaboration programs with different objectives and requirements, provided by Microsoft. Enrolling in the right program can help you protect your customers, gain more insight into the current threat landscape, or help disrupting the malware ecosystem.
-
-## Virus Information Alliance (VIA)
-
-The VIA program gives members access to information that will help improve protection for Microsoft customers. Malware telemetry and samples can be provided to security teams to help identify gaps in their protection, prioritize new threat coverage, or better respond to threats.
-
-**You must be a member of VIA if you want to apply for membership to the other programs.**
-
-Go to the [VIA program page](virus-information-alliance-criteria.md) for more information.
-
-## Microsoft Virus Initiative (MVI)
-
-MVI is open to organizations who build and own a Real Time Protection (RTP) anti-malware product of their own design, or one developed using a third-party Antivirus SDK.
-
-Members get access to Microsoft client APIs for the Microsoft Defender Security Center, IOAV, AMSI, and Cloud Files, along with health data and other telemetry to help their customers stay protected. Anti-malware products are submitted to Microsoft for performance testing regularly.
-
-Go to the [MVI program page](virus-initiative-criteria.md) for more information.
-
-## Coordinated Malware Eradication (CME)
-
-CME is open to organizations who are involved in cybersecurity and anti-malware or interested in fighting cybercrime.
-
-The program aims to bring organizations in cybersecurity and other industries together to pool tools, information, and actions to drive coordinated campaigns against malware. The ultimate goal is to create efficient and long-lasting results for better protection of our communities, customers, and businesses.
-
-Go to the [CME program page](coordinated-malware-eradication.md) for more information.
diff --git a/windows/security/threat-protection/intelligence/developer-faq.yml b/windows/security/threat-protection/intelligence/developer-faq.yml
deleted file mode 100644
index 27ece7ec39..0000000000
--- a/windows/security/threat-protection/intelligence/developer-faq.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-### YamlMime:FAQ
-metadata:
- title: Software developer FAQ
- ms.reviewer:
- description: This page provides answers to common questions we receive from software developers
- keywords: wdsi, software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking
- search.product: eADQiWindows 10XVcnh
- ms.prod: m365-security
- ms.mktglfcycl: deploy
- ms.sitesec: library
- ms.pagetype: security
- ms.author: dansimp
- author: dansimp
- ms.localizationpriority: medium
- manager: dansimp
- audience: ITPro
- ms.collection: M365-security-compliance
- ms.topic: article
- ms.technology: windows-sec
-
-title: Software developer FAQ
-summary: This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide.
-
-
-sections:
- - name: Ignored
- questions:
- - question: |
- Does Microsoft accept files for a known list or false-positive prevention program?
- answer: |
- No. We don't accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list. Far less frequently, in will add your digital certificate to a list of trusted publishers.
-
- - question: |
- How do I dispute the detection of my program?
- answer: |
- Submit the file in question as a software developer. Wait until your submission has a final determination.
-
- If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We'll use the information you provide to investigate further if necessary.
-
- We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md).
-
- - question: |
- Why is Microsoft asking for a copy of my program?
- answer: |
- Providing copies can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
-
- - question: |
- Why does Microsoft classify my installer as a software bundler?
- answer: |
- It contains instructions to offer a program classified as unwanted software. You can review the [criteria](criteria.md) we use to check applications for behaviors that are considered unwanted.
-
- - question: |
- Why is the Windows Defender Firewall blocking my program?
- answer: |
- Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md).
-
- - question: |
- Why does the Microsoft Defender SmartScreen say my program isn't commonly downloaded?
- answer: |
- This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md)
diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md
deleted file mode 100644
index 4f489bae80..0000000000
--- a/windows/security/threat-protection/intelligence/developer-resources.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Software developer resources
-ms.reviewer:
-description: This page provides information for developers such as detection criteria, developer questions, and how to check your software against Security intelligence.
-keywords: wdsi, software, developer, resources, detection, criteria, questions, scan, software, definitions, cloud, protection, security intelligence
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: windows-sec
----
-
-# Software developer resources
-
-Concerned about the detection of your software?
-If you believe that your application or program has been incorrectly detected by Microsoft security software, submit the relevant files for analysis.
-
-Check out the following resources for information on how to submit and view submissions:
-
-- [Submit files](https://www.microsoft.com/wdsi/filesubmission)
-
-- [View your submissions](https://www.microsoft.com/wdsi/submissionhistory)
-
-## Additional resources
-
-### Detection criteria
-
-To objectively identify malware and unidentified software, Microsoft applies a [set of criteria](criteria.md) for evaluating malicious or potentially harmful code.
-
-### Developer questions
-
-Find more guidance about the file submission and detection dispute process in our [FAQ for software developers](developer-faq.yml).
-
-### Scan your software
-
-Use [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft.
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md
deleted file mode 100644
index 41086f1308..0000000000
--- a/windows/security/threat-protection/intelligence/exploits-malware.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: Exploits and exploit kits
-ms.reviewer:
-description: Learn about how exploits use vulnerabilities in common software to give attackers access to your computer and install other malware.
-keywords: security, malware, exploits, exploit kits, prevention, vulnerabilities, Microsoft, Exploit malware family, exploits, java, flash, adobe, update software, prevent exploits, exploit pack, vulnerability, 0-day, holes, weaknesses, attack, Flash, Adobe, out-of-date software, out of date software, update, update software, reinfection, Java cache, reinfected, won't remove, won't clean, still detects, full scan, MSE, Defender, WDSI, MMPC, Microsoft Malware Protection Center
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-# Exploits and exploit kits
-
-Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security safeguards to infect your device.
-
-## How exploits and exploit kits work
-
-Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include shellcode, which is a small malware payload used to download additional malware from attacker-controlled networks. Shellcode allows hackers to infect devices and infiltrate organizations.
-
-Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploy additional malware to further infect a device. Kits can use exploits targeting a variety of software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java, and Sun Java.
-
-The most common method used by attackers to distribute exploits and exploit kits is through webpages, but exploits can also arrive in emails. Some websites unknowingly and unwillingly host malicious code and exploits in their ads.
-
-The infographic below shows how an exploit kit might attempt to exploit a device after you visit a compromised webpage.
-
-
-
-*Figure 1. Example of how to exploit kits work*
-
-Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware.
-
-Examples of exploit kits:
-
-- Angler / [Axpergle](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Axpergle)
-
-- [Neutrino](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/NeutrinoEK)
-
-- [Nuclear](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Neclu)
-
-To learn more about exploits, read this blog post on [taking apart a double zero-day sample discovered in joint hunt with ESET.](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/)
-
-## How we name exploits
-
-We categorize exploits in our Malware encyclopedia by the "platform" they target. For example, Exploit:Java/CVE-2013-1489.A is an exploit that targets a vulnerability in Java.
-
-A project called "Common Vulnerabilities and Exposures (CVE)" is used by many security software vendors. The project gives each vulnerability a unique number, for example, CVE-2016-0778.
-The portion "2016" refers to the year the vulnerability was discovered. The "0778" is a unique ID for this specific vulnerability.
-
-You can read more on the [CVE website](https://cve.mitre.org/).
-
-## How to protect against exploits
-
-The best prevention for exploits is to keep your organization's [software up to date](https://portal.msrc.microsoft.com/). Software vendors provide updates for many known vulnerabilities, so make sure these updates are applied to all devices.
-
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
deleted file mode 100644
index 7f84b0446c..0000000000
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ /dev/null
@@ -1,108 +0,0 @@
----
-title: Fileless threats
-ms.reviewer:
-description: Learn about the categories of fileless threats and malware that live off the land
-keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next-generation protection
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-
-# Fileless threats
-
-What exactly are fileless threats? The term "fileless" suggests that a threat doesn't come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no one definition for fileless malware. The term is used broadly, and sometimes to describe malware families that do rely on files to operate.
-
-Attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft. Some parts of the attack chain may be fileless, while others may involve the file system in some form.
-
-For clarity, fileless threats are grouped into different categories.
-
-
-*Figure 1. Comprehensive diagram of fileless malware*
-
-Fileless threats can be classified by their entry point, which indicates how fileless malware can arrive on a machine. They can arrive via an exploit, through compromised hardware, or via regular execution of applications and scripts.
-
-Next, list the form of entry point. For example, exploits can be based on files or network data, PCI peripherals are a type of hardware vector, and scripts and executables are subcategories of the execution vector.
-
-Finally, classify the host of the infection. For example, a Flash application may contain a variety of threats such as an exploit, a simple executable, and malicious firmware from a hardware device.
-
-Classifying helps you divide and categorize the various kinds of fileless threats. Some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced.
-
-From this categorization, you can glean three main types of fileless threats based on how much fingerprint they may leave on infected machines.
-
-## Type I: No file activity performed
-
-A fully fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? One example is where a target machine receives malicious network packets that exploit the EternalBlue vulnerability. The vulnerability allows the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there's no file or any data written on a file.
-
-A compromised device may also have malicious code hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or in the firmware of a network card. All these examples don't require a file on the disk to run, and can theoretically live only in memory. The malicious code would survive reboots, disk reformats, and OS reinstalls.
-
-Infections of this type can be particularly difficult to detect because most antivirus products don’t have the capability to inspect firmware. In cases where a product does have the ability to inspect and detect malicious firmware, there are still significant challenges associated with remediation of threats at this level. This type of fileless malware requires high levels of sophistication and often depends on particular hardware or software configuration. It’s not an attack vector that can be exploited easily and reliably. While dangerous, threats of this type are uncommon and not practical for most attacks.
-
-## Type II: Indirect file activity
-
-There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type doesn't directly write files on the file system, but they can end up using files indirectly. For example, with the [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run the command periodically.
-
-It’s possible to carry out such installation via command line without requiring a backdoor to already be on the file. The malware can be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file in a central storage area managed by the CIM Object Manager, and usually contains legitimate data. Even though the infection chain does technically use a physical file, it’s considered a fileless attack because the WMI repository is a multi-purpose data container that can't be detected and removed.
-
-## Type III: Files required to operate
-
-Some malware can have a sort of fileless persistence, but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. Opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.
-
-
-*Figure 2. Kovter’s registry key*
-
-When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an autorun key configured to open such file when the machine starts.
-
-Kovter is considered a fileless threat because the file system is of no practical use. The files with random extensions contain junk data that isn't usable in verifying the presence of the threat. The files that store the registry are containers that can't be detected and deleted if malicious content is present.
-
-## Categorizing fileless threats by infection host
-
-Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware doesn't get the upper hand in the arms race.
-
-### Exploits
-
-**File-based** (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the browser, the Java engine, the Flash engine, etc. to execute a shellcode and deliver a payload in memory. While the payload is fileless, the initial entry vector is a file.
-
-**Network-based** (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory.
-
-### Hardware
-
-**Device-based** (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. Software residing and running in the chipset of a device is called firmware. Although a complex task, the firmware can be infected by malware, as the [Equation espionage group has been caught doing](https://www.kaspersky.com/blog/equation-hdd-malware/7623/).
-
-**CPU-based** (Type I): Modern CPUs are complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/), bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies’ purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off.
-
-Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been [researched and proved possible](https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2015/03/19/beckerStealthyExtended.pdf) in the past. It has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution.
-
-**USB-based** (Type I): USB devices of all kinds can be reprogrammed with malicious firmware capable of interacting with the operating system in nefarious ways. For example, the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/) allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will.
-
-**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. The BIOS is an important component that operates at a low level and executes before the boot sector. It’s possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/).
-
-**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although few are known to date.
-
-### Execution and injection
-
-**File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory, or injected into other legitimate running processes.
-
-**Macro-based** (Type III: Office documents): The [VBA language](/office/vba/Library-Reference/Concepts/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe) and implemented in a scripting language. There's no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute.
-
-**Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros, they are textual files (not binary executables) and run within the context of the interpreter (like wscript.exe, powershell.exe), which is a clean and legitimate component. Scripts are versatile and can be run from a file (by double-clicking them) or executed directly on the command line of an interpreter. Running on the command line allows malware to encode malicious scripts as autostart services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt.
-
-**Disk-based** (Type II: Boot Record): The Boot Record is the first sector of a disk or volume, and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code. When the machine is booted, the malware immediately gains control. The Boot Record resides outside the file system, but it’s accessible by the operating system. Modern antivirus products have the capability to scan and restore it.
-
-## Defeating fileless malware
-
-At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
-
-To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)
-
-## Additional resources and information
-
-Learn how to [deploy threat protection capabilities across Microsoft 365 E5](/microsoft-365/solutions/deploy-threat-protection).
diff --git a/windows/security/threat-protection/intelligence/images/CoordinatedMalware.png b/windows/security/threat-protection/intelligence/images/CoordinatedMalware.png
deleted file mode 100644
index fb4ba80cec..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/CoordinatedMalware.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/ExploitKit.png b/windows/security/threat-protection/intelligence/images/ExploitKit.png
deleted file mode 100644
index 9d0bb2f96a..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/ExploitKit.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/MITRE-Microsoft-Defender-ATP.png b/windows/security/threat-protection/intelligence/images/MITRE-Microsoft-Defender-ATP.png
deleted file mode 100644
index 446ad19d77..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/MITRE-Microsoft-Defender-ATP.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/NamingMalware1.png b/windows/security/threat-protection/intelligence/images/NamingMalware1.png
deleted file mode 100644
index 8d1e936879..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/NamingMalware1.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/SupplyChain.png b/windows/security/threat-protection/intelligence/images/SupplyChain.png
deleted file mode 100644
index 491b55a690..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/SupplyChain.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/Transparency-report-November1.png b/windows/security/threat-protection/intelligence/images/Transparency-report-November1.png
deleted file mode 100644
index 8d50120c1e..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/Transparency-report-November1.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/URLhover.png b/windows/security/threat-protection/intelligence/images/URLhover.png
deleted file mode 100644
index d307a154e0..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/URLhover.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/WormUSB-flight.png b/windows/security/threat-protection/intelligence/images/WormUSB-flight.png
deleted file mode 100644
index b1ad7c994f..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/WormUSB-flight.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/fileless-malware.png b/windows/security/threat-protection/intelligence/images/fileless-malware.png
deleted file mode 100644
index 2aa502e144..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/fileless-malware.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/kovter-reg-key.png b/windows/security/threat-protection/intelligence/images/kovter-reg-key.png
deleted file mode 100644
index 456f0956fa..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/kovter-reg-key.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/msi-contoso-approval-required.png b/windows/security/threat-protection/intelligence/images/msi-contoso-approval-required.png
deleted file mode 100644
index 90bc4428f9..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/msi-contoso-approval-required.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/msi-enterprise-app-user-setting.jpg b/windows/security/threat-protection/intelligence/images/msi-enterprise-app-user-setting.jpg
deleted file mode 100644
index e68ffa40aa..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/msi-enterprise-app-user-setting.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/msi-grant-admin-consent.jpg b/windows/security/threat-protection/intelligence/images/msi-grant-admin-consent.jpg
deleted file mode 100644
index 2bb2627bc2..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/msi-grant-admin-consent.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/msi-microsoft-permission-requested-your-organization.png b/windows/security/threat-protection/intelligence/images/msi-microsoft-permission-requested-your-organization.png
deleted file mode 100644
index e423857bff..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/msi-microsoft-permission-requested-your-organization.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/msi-microsoft-permission-required.jpg b/windows/security/threat-protection/intelligence/images/msi-microsoft-permission-required.jpg
deleted file mode 100644
index fdac1cd4be..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/msi-microsoft-permission-required.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/msi-permissions.jpg b/windows/security/threat-protection/intelligence/images/msi-permissions.jpg
deleted file mode 100644
index 957c78aac1..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/msi-permissions.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/msi-properties.png b/windows/security/threat-protection/intelligence/images/msi-properties.png
deleted file mode 100644
index 196a5fce92..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/msi-properties.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/netflix.png b/windows/security/threat-protection/intelligence/images/netflix.png
deleted file mode 100644
index 446542e62a..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/netflix.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/index.md b/windows/security/threat-protection/intelligence/index.md
deleted file mode 100644
index 48b0faad6b..0000000000
--- a/windows/security/threat-protection/intelligence/index.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: Security intelligence
-description: Learn about different types of malware, safety tips on how you can protect your organization, and resources for industry collaboration programs.
-keywords: security, malware
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: windows-sec
----
-# Security intelligence
-
-Here you will find information about different types of malware, safety tips on how you can protect your organization, and resources for industry collaboration programs.
-
-* [Understand malware & other threats](understanding-malware.md)
-* [Prevent malware infection](prevent-malware-infection.md)
-* [Malware naming convention](malware-naming.md)
-* [How Microsoft identifies malware and PUA](criteria.md)
-* [Submit files for analysis](submission-guide.md)
-* [Safety Scanner download](safety-scanner-download.md)
-
-Keep up with the latest malware news and research. Check out our [Microsoft Security blogs](https://www.microsoft.com/security/blog/product/windows/) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
-
-Learn more about [Windows security](../../index.yml).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md
deleted file mode 100644
index 4421309156..0000000000
--- a/windows/security/threat-protection/intelligence/macro-malware.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Macro malware
-ms.reviewer:
-description: Learn about macro viruses and malware, which are embedded in documents and are used to drop malicious payloads and distribute other threats.
-keywords: security, malware, macro, protection, WDSI, MMPC, Microsoft Malware Protection Center, macro virus, macro malware, documents, viruses in Office, viruses in Word
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-# Macro malware
-
-Macros are a powerful way to automate common tasks in Microsoft Office and can make people more productive. However, macro malware uses this functionality to infect your device.
-
-## How macro malware works
-
-Macro malware hides in Microsoft Office files and is delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more.
-
-Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened. In recent versions of Microsoft Office, macros are disabled by default. Now, malware authors need to convince users to turn on macros so that their malware can run. They try to scare users by showing fake warnings when a malicious document is opened.
-
-We've seen macro malware download threats from the following families:
-
-* [Ransom:MSIL/Swappa](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A)
-* [Ransom:Win32/Teerac](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Teerac&threatId=-2147277789)
-* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A)
-* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif)
-* [Win32/Fynloski](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski)
-* [Worm:Win32/Gamarue](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue)
-
-## How to protect against macro malware
-
-* Make sure macros are disabled in your Microsoft Office applications. In enterprises, IT admins set the default setting for macros:
- * [Enable or disable macros](https://support.office.com/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12) in Office documents
-
-* Don’t open suspicious emails or suspicious attachments.
-
-* Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads.
-
-* Enterprises can prevent macro malware from running executable content using [ASR rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)
-
-For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md).
-
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md
deleted file mode 100644
index 2174fb9d8d..0000000000
--- a/windows/security/threat-protection/intelligence/malware-naming.md
+++ /dev/null
@@ -1,182 +0,0 @@
----
-title: Malware names
-ms.reviewer:
-description: Understand the malware naming convention used by Microsoft Defender Antivirus and other Microsoft antimalware.
-keywords: security, malware, names, Microsoft, MMPC, Microsoft Malware Protection Center, WDSI, malware name, malware prefix, malware type, virus name
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-# Malware names
-
-We name the malware and unwanted software that we detect according to the Computer Antivirus Research Organization (CARO) malware naming scheme. The scheme uses the following format:
-
-
-
-When our analysts research a particular threat, they'll determine what each of the components of the name will be.
-
-## Type
-
-Describes what the malware does on your computer. Worms, viruses, trojans, backdoors, and ransomware are some of the most common types of malware.
-
-* Adware
-* Backdoor
-* Behavior
-* BrowserModifier
-* Constructor
-* DDoS
-* Exploit
-* HackTool
-* Joke
-* Misleading
-* MonitoringTool
-* Program
-* Personal Web Server (PWS)
-* Ransom
-* RemoteAccess
-* Rogue
-* SettingsModifier
-* SoftwareBundler
-* Spammer
-* Spoofer
-* Spyware
-* Tool
-* Trojan
-* TrojanClicker
-* TrojanDownloader
-* TrojanNotifier
-* TrojanProxy
-* TrojanSpy
-* VirTool
-* Virus
-* Worm
-
-## Platforms
-
-Platforms guide the malware to its compatible operating system (such as Windows, masOS X, and Android). The platform's guidance is also used for programming languages and file formats.
-
-### Operating systems
-
-* AndroidOS: Android operating system
-* DOS: MS-DOS platform
-* EPOC: Psion devices
-* FreeBSD: FreeBSD platform
-* iPhoneOS: iPhone operating system
-* Linux: Linux platform
-* macOS: MAC 9.x platform or earlier
-* macOS_X: MacOS X or later
-* OS2: OS2 platform
-* Palm: Palm operating system
-* Solaris: System V-based Unix platforms
-* SunOS: Unix platforms 4.1.3 or lower
-* SymbOS: Symbian operating system
-* Unix: general Unix platforms
-* Win16: Win16 (3.1) platform
-* Win2K: Windows 2000 platform
-* Win32: Windows 32-bit platform
-* Win64: Windows 64-bit platform
-* Win95: Windows 95, 98 and ME platforms
-* Win98: Windows 98 platform only
-* WinCE: Windows CE platform
-* WinNT: WinNT
-
-### Scripting languages
-
-* ABAP: Advanced Business Application Programming scripts
-* ALisp: ALisp scripts
-* AmiPro: AmiPro script
-* ANSI: American National Standards Institute scripts
-* AppleScript: compiled Apple scripts
-* ASP: Active Server Pages scripts
-* AutoIt: AutoIT scripts
-* BAS: Basic scripts
-* BAT: Basic scripts
-* CorelScript: Corelscript scripts
-* HTA: HTML Application scripts
-* HTML: HTML Application scripts
-* INF: Install scripts
-* IRC: mIRC/pIRC scripts
-* Java: Java binaries (classes)
-* JS: JavaScript scripts
-* LOGO: LOGO scripts
-* MPB: MapBasic scripts
-* MSH: Monad shell scripts
-* MSIL: .NET intermediate language scripts
-* Perl: Perl scripts
-* PHP: Hypertext Preprocessor scripts
-* Python: Python scripts
-* SAP: SAP platform scripts
-* SH: Shell scripts
-* VBA: Visual Basic for Applications scripts
-* VBS: Visual Basic scripts
-* WinBAT: Winbatch scripts
-* WinHlp: Windows Help scripts
-* WinREG: Windows registry scripts
-
-### Macros
-
-* A97M: Access 97, 2000, XP, 2003, 2007, and 2010 macros
-* HE: macro scripting
-* O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and PowerPoint
-* PP97M: PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros
-* V5M: Visio5 macros
-* W1M: Word1Macro
-* W2M: Word2Macro
-* W97M: Word 97, 2000, XP, 2003, 2007, and 2010 macros
-* WM: Word 95 macros
-* X97M: Excel 97, 2000, XP, 2003, 2007, and 2010 macros
-* XF: Excel formulas
-* XM: Excel 95 macros
-
-### Other file types
-
-* ASX: XML metafile of Windows Media .asf files
-* HC: HyperCard Apple scripts
-* MIME: MIME packets
-* Netware: Novell Netware files
-* QT: Quicktime files
-* SB: StarBasic (StarOffice XML) files
-* SWF: Shockwave Flash files
-* TSQL: MS SQL server files
-* XML: XML files
-
-## Family
-
-Grouping of malware based on common characteristics, including attribution to the same authors. Security software providers sometimes use different names for the same malware family.
-
-## Variant letter
-
-Used sequentially for every distinct version of a malware family. For example, the detection for the variant ".AF" would have been created after the detection for the variant ".AE".
-
-## Suffixes
-
-Provides extra detail about the malware, including how it's used as part of a multicomponent threat. In the preceding example, "!lnk" indicates that the threat component is a shortcut file used by Trojan:Win32/Reveton.T.
-
-* .dam: damaged malware
-* .dll: Dynamic Link Library component of a malware
-* .dr: dropper component of a malware
-* .gen: malware that is detected using a generic signature
-* .kit: virus constructor
-* .ldr: loader component of a malware
-* .pak: compressed malware
-* .plugin: plug-in component
-* .remnants: remnants of a virus
-* .worm: worm component of that malware
-* !bit: an internal category used to refer to some threats
-* !cl: an internal category used to refer to some threats
-* !dha: an internal category used to refer to some threats
-* !pfn: an internal category used to refer to some threats
-* !plock: an internal category used to refer to some threats
-* !rfn: an internal category used to refer to some threats
-* !rootkit: rootkit component of that malware
-* @m: worm mailers
-* @mm: mass mailer worm
diff --git a/windows/security/threat-protection/intelligence/phishing-trends.md b/windows/security/threat-protection/intelligence/phishing-trends.md
deleted file mode 100644
index 097dbd3120..0000000000
--- a/windows/security/threat-protection/intelligence/phishing-trends.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Phishing trends and techniques
-ms.reviewer:
-description: Learn about how to spot phishing techniques
-keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack, spear phishing, whaling
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-
-# Phishing trends and techniques
-
-Phishing attacks are scams that often use social engineering bait or lure content. Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign in pages that require users to input credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information.
-
-Below are some of the most common phishing techniques attackers will employ to try to steal information or gain access to your devices.
-
-## Invoice phishing
-
-In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company. They then provide a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds.
-
-## Payment/delivery scam
-
-You're asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past. However, you aren't aware of any items you have recently purchased from them.
-
-## Tax-themed phishing scams
-
-A common IRS phishing scam is receiving an urgent email letter indicating that you owe money to the IRS. Often the email threatens legal action if you don't access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts.
-
-## Downloads
-
-An attacker sends a fraudulent email requesting you to open or download a document attachment, such as a PDF. The attachment often contains a message asking you to sign in to another site, such as email or file sharing websites, to open the document. When you access these phishing sites using your sign-in credentials, the attacker now has access to your information and can gain additional personal information about you.
-
-## Phishing emails that deliver other threats
-
-Phishing emails are often effective, so attackers sometimes use them to distribute [ransomware](/security/compass/human-operated-ransomware) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files.
-
-We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems.
-
-## Spear phishing
-
-Spear phishing is a targeted phishing attack that involves highly customized lure content. Attackers will typically do reconnaissance work by surveying social media and other information sources about their intended target.
-
-Spear phishing may involve tricking you into logging into fake sites and divulging credentials. I may also lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer.
-
-The implanted malware serves as the point of entry for a more sophisticated attack, known as an advanced persistent threat (APT). APTs are designed to establish control and steal data over extended periods. Attackers may try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks.
-
-## Whaling
-
-Whaling is a form of phishing directed at high-level or senior executives within specific companies to gain access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization.
-
-## Business email compromise
-
-Business email compromise (BEC) is a sophisticated scam that targets businesses who frequently work with foreign suppliers or do money wire transfers. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack. The attacker creates a domain similar to the company they're targeting, or spoofs their email to scam users into releasing personal account information for money transfers.
-
-## More information about phishing attacks
-
-For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/):
-
-- [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc)
-- [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc)
-- [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc)
diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md
deleted file mode 100644
index 960336ca09..0000000000
--- a/windows/security/threat-protection/intelligence/phishing.md
+++ /dev/null
@@ -1,97 +0,0 @@
----
-title: How to protect against phishing attacks
-ms.reviewer:
-description: Learn about how phishing work, deliver malware do your devices, and what you can do to protect yourself
-keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-
-# How to protect against phishing attacks
-
-Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication. They try to look like official communication from legitimate companies or individuals.
-
-Cybercriminals often attempt to steal usernames, passwords, credit card details, bank account information, or other credentials. They use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. The information can also be sold in cybercriminal underground markets.
-
-Social engineering attacks are designed to take advantage of a user's possible lapse in decision-making. Be aware and never provide sensitive or personal information through email or unknown websites, or over the phone. Remember, phishing emails are designed to appear legitimate.
-
-## Learn the signs of a phishing scam
-
-The best protection is awareness and education. Don’t open attachments or links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL.
-
-Enterprises should educate and train their employees to be wary of any communication that requests personal or financial information. They should also instruct employees to report the threat to the company’s security operations team immediately.
-
-Here are several telltale signs of a phishing scam:
-
-* The links or URLs provided in emails are **not pointing to the correct location** or are pointing to a third-party site not affiliated with the sender of the email. For example, in the image below the URL provided doesn't match the URL that you'll be taken to.
-
- 
-
-* There's a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email.
-
-* **Items in the email address will be changed** so that it is similar enough to a legitimate email address, but has added numbers or changed letters.
-
-* The message is **unexpected and unsolicited**. If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect.
-
-* The message or the attachment asks you to **enable macros, adjust security settings, or install applications**. Normal emails won't ask you to do this.
-
-* The message contains **errors**. Legitimate corporate messages are less likely to have typographic or grammatical errors or contain wrong information.
-
-* The **sender address doesn't match the signature** on the message itself. For example, an email is purported to be from Mary of Contoso Corp, but the sender address is john@example.com.
-
-* There are **multiple recipients** in the “To” field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients.
-
-* The greeting on the message itself **doesn't personally address you**. Apart from messages that mistakenly address a different person, greetings that misuse your name or pull your name directly from your email address tend to be malicious.
-
-* The website looks familiar but there are **inconsistencies or things that aren't quite right**. Warning signs include outdated logos, typos, or ask users to give additional information that is not asked by legitimate sign-in websites.
-
-* The page that opens is **not a live page**, but rather an image that is designed to look like the site you are familiar with. A pop-up may appear that requests credentials.
-
-If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate.
-
-## Software solutions for organizations
-
-* [Microsoft Edge](/microsoft-edge/deploy/index) and [Windows Defender Application Guard](../microsoft-defender-application-guard/md-app-guard-overview.md) offer protection from the increasing threat of targeted attacks using Microsoft's industry-leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data.
-
-* [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. Using various layers of filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international spam, that will further enhance your protection services.
-
-* Use [Microsoft Defender for Office 365](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection.
-
-## What to do if you've been a victim of a phishing scam
-
-If you feel you've been a victim of a phishing attack:
-
-1. Contact your IT admin if you are on a work computer
-2. Immediately change all passwords associated with the accounts
-3. Report any fraudulent activity to your bank and credit card company
-
-### Reporting spam
-
-- **Outlook.com**: If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to **Junk**, and then select **Phishing**.
-
-- **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**.
-
-- **Microsoft 365**: Use the [Submissions portal in Microsoft 365 Defender](/microsoft-365/security/office-365-security/report-junk-email-messages-to-microsoft) to submit the junk or phishing sample to Microsoft for analysis. For more information, see [Report messages and files to Microsoft](/microsoft-365/security/office-365-security/report-junk-email-messages-to-microsoft).
-
-- **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved.
-
-### If you’re on a suspicious website
-
-- **Microsoft Edge**: While you’re on a suspicious site, select the **More (…) icon** > **Help and feedback** > **Report Unsafe site**. Follow the instructions on the webpage that displays to report the website.
-
-- **Internet Explorer**: While you’re on a suspicious site, select the gear icon, point to **Safety**, and then select **Report Unsafe Website**. Follow the instructions on the webpage that displays to report the website.
-
-## More information about phishing attacks
-
-- [Protect yourself from phishing](https://support.microsoft.com/help/4033787/windows-protect-yourself-from-phishing)
-- [Phishing trends](phishing-trends.md)
diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
deleted file mode 100644
index ebccd09195..0000000000
--- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: Troubleshoot MSI portal errors caused by admin block
-description: Troubleshoot MSI portal errors
-ms.reviewer:
-keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn’t detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn’t detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-
-# Troubleshooting malware submission errors caused by administrator block
-In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this problem.
-
-## Review your settings
-Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under **Enterprise Applications** > **Users can consent to apps accessing company data on their behalf**, check whether Yes or No is selected.
-
-- If **No** is selected, an Azure AD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with Azure AD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their Azure AD admin. Go to the following section for more information.
-
-- If **Yes** is selected, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If **No** is selected, you'll need to request an Azure AD admin enable it.
-
-## Implement Required Enterprise Application permissions
-This process requires a global or application admin in the tenant.
- 1. Open [Enterprise Application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d).
- 2. Select **Grant admin consent for organization**.
- 3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant.
-
- 
-
- 4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.
-
-## Option 1 Approve enterprise application permissions by user request
-> [!Note]
-> This is currently a preview feature.
-
-Azure Active Directory admins will need to allow for users to request admin consent to apps. Verify the setting is configured to **Yes** in [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/).
-
-
-
-More information is available in [Configure Admin consent workflow](/azure/active-directory/manage-apps/configure-admin-consent-workflow).
-
-Once this setting is verified, users can go through the enterprise customer sign-in at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission), and submit a request for admin consent, including justification.
-
-
-
-Admin will be able to review and approve the application permissions [Azure admin consent requests](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AccessRequests/menuId/).
-
-After providing consent, all users in the tenant will be able to use the application.
-
-## Option 2 Provide admin consent by authenticating the application as an admin
-This process requires that global admins go through the Enterprise customer sign-in flow at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission).
-
-
-
-Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**.
-
-All users in the tenant will now be able to use this application.
-
-## Option 3: Delete and readd app permissions
-If neither of these options resolve the issue, try the following steps (as an admin):
-
-1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b)
-and select **delete**.
-
- 
-
-2. Capture TenantID from [Properties](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties).
-
-3. Replace {tenant-id} with the specific tenant that needs to grant consent to this application in the URL below. Copy this URL into browser. The rest of the parameters are already completed.
-``https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id=f0cf43e5-8a9b-451c-b2d5-7285c785684d&state=12345&redirect_uri=https%3a%2f%2fwww.microsoft.com%2fwdsi%2ffilesubmission&scope=openid+profile+email+offline_access``
-
- 
-
-4. Review the permissions required by the application, and then select **Accept**.
-
-5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051).
-
- 
-
-6. Sign in to [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission) as an enterprise user with a non-admin account to see if you have access.
-
- If the warning is not resolved after following these troubleshooting steps, call Microsoft support.
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
deleted file mode 100644
index a92433d11c..0000000000
--- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md
+++ /dev/null
@@ -1,123 +0,0 @@
----
-title: Prevent malware infection
-ms.reviewer:
-description: Learn steps you can take to help prevent a malware or potentially unwanted software from infecting your computer.
-keywords: security, malware, prevention, infection, tips, Microsoft, MMPC, Microsoft Malware Protection Center, virus, trojan, worm, stop, prevent, full scan, infection, avoid malware, avoid trojan, avoid virus, infection, how, detection, security software, antivirus, updates, how malware works, how virus works, firewall, turn on, user privileges, limit, prevention, WDSI, MMPC, Microsoft Malware Protection Center
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-# Prevent malware infection
-
-Malware authors are always looking for new ways to infect computers. Follow the tips below to stay protected and minimize threats to your data and accounts.
-
-## Keep software up to date
-
-[Exploits](exploits-malware.md) typically use vulnerabilities in popular software such as web browsers, Java, Adobe Flash Player, and Microsoft Office to infect devices. Software updates patch vulnerabilities so they aren't available to exploits anymore.
-
-To keep Microsoft software up to date, ensure that [automatic Microsoft Updates](https://support.microsoft.com/help/12373/windows-update-faq) are enabled. Also, upgrade to the latest version of Windows to benefit from a host of built-in security enhancements.
-
-## Be wary of links and attachments
-
-Email and other messaging tools are a few of the most common ways your device can get infected. Attachments or links in messages can open malware directly or can stealthily trigger a download. Some emails give instructions to allow macros or other executable content designed to make it easier for malware to infect your devices.
-
-* Use an email service that provides protection against malicious attachments, links, and abusive senders. [Microsoft Office 365](/microsoft-365/security/office-365-security/anti-spam-and-anti-malware-protection) has built-in antimalware, link protection, and spam filtering.
-
-For more information, see [phishing](phishing.md).
-
-## Watch out for malicious or compromised websites
-
-When you visit malicious or compromised sites, your device can get infected with malware automatically or you can get tricked into downloading and installing malware. See [exploits and exploit kits](exploits-malware.md) as an example of how some of these sites can automatically install malware to visiting computers.
-
-To identify potentially harmful websites, keep the following in mind:
-
-* The initial part (domain) of a website address should represent the company that owns the site you are visiting. Check the domain for misspellings. For example, malicious sites commonly use domain names that swap the letter O with a zero (0) or the letters L and I with a one (1). If example.com is spelled examp1e.com, the site you are visiting is suspect.
-
-* Sites that aggressively open popups and display misleading buttons often trick users into accepting content through constant popups or mislabeled buttons.
-
-To block malicious websites, use a modern web browser like [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge?ocid=cx-wdsi-articles) that identifies phishing and malware websites and checks downloads for malware.
-
-If you encounter an unsafe site, click **More […] > Send feedback** on Microsoft Edge. You can also [report unsafe sites directly to Microsoft](https://www.microsoft.com/wdsi/support/report-unsafe-site).
-
-### Pirated material on compromised websites
-
-Using pirated content is not only illegal, it can also expose your device to malware. Sites that offer pirated software and media are also often used to distribute malware when the site is visited. Sometimes pirated software is bundled with malware and other unwanted software when downloaded, including intrusive browser plugins and adware.
-
-Users do not openly discuss visits to these sites, so any untoward experience are more likely to stay unreported.
-
-To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/windows/s-mode), which ensures that only vetted apps from the Windows Store are installed.
-
-## Don't attach unfamiliar removable drives
-
-Some types of malware spread by copying themselves to USB flash drives or other removable drives. There are malicious individuals that intentionally prepare and distribute infected drives by leaving them in public places for unsuspecting individuals.
-
-Only use removable drives that you are familiar with or that come from a trusted source. If a drive has been used in publicly accessible devices, like computers in a café or a library, make sure you have antimalware running on your computer before you use the drive. Avoid opening unfamiliar files you find on suspect drives, including Office and PDF documents and executable files.
-
-## Use a non-administrator account
-
-At the time they are launched, whether inadvertently by a user or automatically, most malware run under the same privileges as the active user. This means that by limiting account privileges, you can prevent malware from making consequential changes any devices.
-
-By default, Windows uses [User Account Control (UAC)](../../identity-protection/user-account-control/user-account-control-overview.md) to provide automatic, granular control of privileges—it temporarily restricts privileges and prompts the active user every time an application attempts to make potentially consequential changes to the system. Although UAC helps limit the privileges of admin users, users can override this restriction when prompted. As a result, it is quite easy for an admin user to inadvertently allow malware to run.
-
-To help ensure that everyday activities do not result in malware infection and other potentially catastrophic changes, it is recommended that you use a non-administrator account for regular use. By using a non-administrator account, you can prevent installation of unauthorized apps and prevent inadvertent changes to system settings. Avoid browsing the web or checking email using an account with administrator privileges.
-
-Whenever necessary, log in as an administrator to install apps or make configuration changes that require admin privileges.
-
-[Read about creating user accounts and giving administrator privileges](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
-
-## Other safety tips
-
-To further ensure that data is protected from malware and other threats:
-
-* Backup files. Follow the 3-2-1 rule: make **3 copies**, store in at least **2 locations**, with at least **1 offline copy**. Use [OneDrive](https://onedrive.live.com/about) for reliable cloud-based copies that allow access to files from multiple devices and helps recover damaged or lost files, including files locked by ransomware.
-
-* Be wary when connecting to public hotspots, particularly those that do not require authentication.
-
-* Use [strong passwords](https://support.microsoft.com/help/12410/microsoft-account-help-protect-account) and enable multi-factor authentication.
-
-* Do not use untrusted devices to log on to email, social media, and corporate accounts.
-
-* Avoid downloading or running older apps. Some of these apps might have vulnerabilities. Also, older file formats for Office 2003 (.doc, .pps, and .xls) allow macros or run. This could be a security risk.
-
-## Software solutions
-
-Microsoft provides comprehensive security capabilities that help protect against threats. We recommend:
-
-* [Automatic Microsoft updates](https://support.microsoft.com/help/12373/windows-update-faq) keeps software up to date to get the latest protections.
-
-* [Controlled folder access](/microsoft-365/security/defender-endpoint/enable-controlled-folders) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
-
-* [Microsoft Edge](/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using [Windows Defender SmartScreen](/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.
-
-* [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies.
-
-* [Microsoft Safety Scanner](safety-scanner-download.md) helps remove malicious software from computers. NOTE: This tool does not replace your antimalware product.
-
-* [Microsoft 365](/microsoft-365/enterprise/) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data.
-
-* [Microsoft Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders.
-
-* [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection.
-
-* [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender for Endpoint alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender for Endpoint free of charge.
-
-* [Windows Hello for Business](../../identity-protection/hello-for-business/hello-identity-verification.md) replaces passwords with strong two-factor authentication on your devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account.
-
-### Earlier than Windows 10 (not recommended)
-
-* [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) provides real-time protection for your home or small business device that guards against viruses, spyware, and other malicious software.
-
-## What to do with a malware infection
-
-Microsoft Defender for Endpoint antivirus capabilities help reduce the chances of infection and will automatically remove threats that it detects.
-
-In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md
deleted file mode 100644
index 250102afa9..0000000000
--- a/windows/security/threat-protection/intelligence/rootkits-malware.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-title: Rootkits
-ms.reviewer:
-description: Rootkits may be used by malware authors to hide malicious code on your computer and make malware or potentially unwanted software harder to remove.
-keywords: security, malware, rootkit, hide, protection, hiding, WDSI, MMPC, Microsoft Malware Protection Center, rootkits, Sirefef, Rustock, Sinowal, Cutwail, malware, virus
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-# Rootkits
-
-Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A successful rootkit can potentially remain in place for years if it's undetected. During this time, it will steal information and resources.
-
-## How rootkits work
-
-Rootkits intercept and change standard operating system processes. After a rootkit infects a device, you can’t trust any information that device reports about itself.
-
-If you were to ask a device to list all of the programs that are running, the rootkit might stealthily remove any programs it doesn’t want you to know about. Rootkits are all about hiding things. They want to hide both themselves and their malicious activity on a device.
-
-Many modern malware families use rootkits to try to avoid detection and removal, including:
-
-* [Alureon](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fAlureon)
-
-* [Cutwail](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fCutwail)
-
-* [Datrahere](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Detrahere) (Zacinlo)
-
-* [Rustock](https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fRustock)
-
-* [Sinowal](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSinowal)
-
-* [Sirefef](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSirefef)
-
-## How to protect against rootkits
-
-Like any other type of malware, the best way to avoid rootkits is to prevent it from being installed in the first place.
-
-* Apply the latest updates to operating systems and apps.
-
-* Educate your employees so they can be wary of suspicious websites and emails.
-
-* Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
-
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
-
-### What if I think I have a rootkit on my device?
-
-Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you have a rootkit that your antimalware software isn’t detecting, you may need an extra tool that lets you boot to a known trusted environment.
-
-[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from the Windows Security app and has the latest antimalware updates from Microsoft. It’s designed to be used on devices that aren't working correctly because of a possible malware infection.
-
-[System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity.
-
-### What if I can’t remove a rootkit?
-
-If the problem persists, we strongly recommend reinstalling the operating system and security software. Then restore your data from a backup.
diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md
deleted file mode 100644
index 12392ecd4f..0000000000
--- a/windows/security/threat-protection/intelligence/safety-scanner-download.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: Microsoft Safety Scanner Download
-ms.reviewer:
-description: Get the Microsoft Safety Scanner tool to find and remove malware from Windows computers.
-keywords: security, malware
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-# Microsoft Safety Scanner
-
-Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.
-
-- [Download Microsoft Safety Scanner (32-bit)](https://go.microsoft.com/fwlink/?LinkId=212733)
-
-- [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732)
-
-> [!NOTE]
-> Starting November 2019, Safety Scanner will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to run Safety Scanner. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).
-
-## Important information
-
-- The security intelligence update version of the Microsoft Safety Scanner matches the version described [in this web page](https://www.microsoft.com/wdsi/definitions).
-
-- Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.
-
-- Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
-
-- This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Microsoft Defender Antivirus on Windows 11, Windows 10, and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
-
-## System requirements
-
-Safety Scanner helps remove malicious software from computers running Windows 11, Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. For details, refer to the [Microsoft Lifecycle Policy](/lifecycle/).
-
-## How to run a scan
-
-1. Download this tool and open it.
-2. Select the type of scan that you want to run and start the scan.
-3. Review the scan results displayed on screen. For detailed detection results, view the log at **%SYSTEMROOT%\debug\msert.log**.
-
-To remove this tool, delete the executable file (msert.exe by default).
-
-For more information about the Safety Scanner, see the support article on [how to troubleshoot problems using Safety Scanner](https://support.microsoft.com/kb/2520970).
-
-## Related resources
-
-- [Troubleshooting Safety Scanner](https://support.microsoft.com/help/2520970/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner)
-- [Microsoft Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security)
-- [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download)
-- [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware)
-- [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission)
-- [Microsoft antimalware and threat protection solutions](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)
diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md
deleted file mode 100644
index 4033a6633b..0000000000
--- a/windows/security/threat-protection/intelligence/submission-guide.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: Submit files for analysis by Microsoft
-description: Learn how to submit files to Microsoft for malware analysis, how to track your submissions, and dispute detections.
-ms.reviewer:
-keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn’t detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn’t detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-
-# Submit files for analysis
-
-If you have a file that you suspect might be malware or is being incorrectly detected, you can submit it to us for analysis. This page has answers to some common questions about submitting a file for analysis.
-
-## How do I send a malware file to Microsoft?
-
-You can send us files that you think might be malware or files that have been incorrectly detected through the [sample submission portal](https://www.microsoft.com/en-us/wdsi/filesubmission).
-
-We receive a large number of samples from many sources. Our analysis is prioritized by the number of file detections and the type of submission. You can help us complete a quick analysis by providing detailed information about the product you were using and what you were doing when you found the file.
-
-After you sign in, you will be able to track your submissions.
-
-## Can I send a sample by email?
-
-No, we only accept submissions through our [sample submission portal](https://www.microsoft.com/en-us/wdsi/filesubmission).
-
-## Can I submit a sample without signing in?
-
-No. If you're an enterprise customer, you need to sign in so that we can prioritize your submission appropriately. If you are currently experiencing a virus outbreak or security-related incident, you should contact your designated Microsoft support professional or go to [Microsoft Support](https://support.microsoft.com/) for immediate assistance.
-
-## What is the Software Assurance ID (SAID)?
-
-The [Software Assurance ID (SAID)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx) is for enterprise customers to track support entitlements. The submission portal accepts and retains SAID information and allows customers with valid SAIDs to make higher priority submissions.
-
-### How do I dispute the detection of my program?
-
-[Submit the file](https://www.microsoft.com/en-us/wdsi/filesubmission) in question as a software developer. Wait until your submission has a final determination.
-
-If you’re not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
-
-We encourage all software vendors and developers to read about [how Microsoft identifies malware and unwanted software](criteria.md).
-
-## How do I track or view past sample submissions?
-
-You can track your submissions through the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory).
-
-## What does the submission status mean?
-
-Each submission is shown to be in one of the following status types:
-
-* Submitted—the file has been received
-
-* In progress—an analyst has started checking the file
-
-* Closed—a final determination has been given by an analyst
-
-You can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory).
-
-## How does Microsoft prioritize submissions
-
-Processing submissions take dedicated analyst resource. Because we regularly receive a large number of submissions, we handle them based on a priority. The following factors affect how we prioritize submissions:
-
-* Prevalent files with the potential to impact large numbers of computers are prioritized.
-
-* Authenticated customers, especially enterprise customers with valid [Software Assurance IDs (SAIDs)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx), are given priority.
-
-* Submissions flagged as high priority by SAID holders are given immediate attention.
-
-Your submission is immediately scanned by our systems to give you the latest determination even before an analyst starts handling your case. Note that the same file may have already been processed by an analyst. To check for updates to the determination, select rescan on the submission details page.
diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md
deleted file mode 100644
index 69f77af00f..0000000000
--- a/windows/security/threat-protection/intelligence/supply-chain-malware.md
+++ /dev/null
@@ -1,67 +0,0 @@
----
-title: Supply chain attacks
-ms.reviewer:
-description: Learn about how supply chain attacks work, deliver malware do your devices, and what you can do to protect yourself
-keywords: security, malware, protection, supply chain, hide, distribute, trust, compromised
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-
-# Supply chain attacks
-
-Supply chain attacks are an emerging kind of threat that target software developers and suppliers. The goal is to access source codes, build processes, or update mechanisms by infecting legitimate apps to distribute malware.
-
-## How supply chain attacks work
-
-> [!video https://www.youtube.com/embed/uXm2XNSavwo]
-
-Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes.
-
-Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when they’re released to the public. The malicious code then runs with the same trust and permissions as the app.
-
-The number of potential victims is significant, given the popularity of some apps. A case occurred where a free file compression app was poisoned and deployed to customers in a country where it was the top utility app.
-
-### Types of supply chain attacks
-
-* Compromised software building tools or updated infrastructure
-
-* Stolen code-sign certificates or signed malicious apps using the identity of dev company
-
-* Compromised specialized code shipped into hardware or firmware components
-
-* Pre-installed malware on devices (cameras, USB, phones, etc.)
-
-To learn more about supply chain attacks, read this blog post called [attack inception: compromised supply chain within a supply chain poses new risks](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/26/attack-inception-compromised-supply-chain-within-a-supply-chain-poses-new-risks/).
-
-## How to protect against supply chain attacks
-
-* Deploy strong code integrity policies to allow only authorized apps to run.
-
-* Use endpoint detection and response solutions that can automatically detect and remediate suspicious activities.
-
-### For software vendors and developers
-
-* Maintain a highly secure build and update infrastructure.
- * Immediately apply security patches for OS and software.
- * Implement mandatory integrity controls to ensure only trusted tools run.
- * Require multi-factor authentication for admins.
-
-* Build secure software updaters as part of the software development lifecycle.
- * Require SSL for update channels and implement certificate pinning.
- * Sign everything, including configuration files, scripts, XML files, and packages.
- * Check for digital signatures, and don’t let the software updater accept generic input and commands.
-
-* Develop an incident response process for supply chain attacks.
- * Disclose supply chain incidents and notify customers with accurate and timely information
-
-For more general tips on protecting your systems and devices, see [prevent malware infection](prevent-malware-infection.md).
diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md
deleted file mode 100644
index 07250bbc9c..0000000000
--- a/windows/security/threat-protection/intelligence/support-scams.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-title: Tech Support Scams
-ms.reviewer:
-description: Microsoft security software can protect you from tech support scams that claims to scan for malware or viruses and then shows you fake detections and warnings.
-keywords: security, malware, tech support, scam, protection, trick, spoof, fake, error messages, report, rogue security software, fake, antivirus, fake software, rogue, threats, fee, removal fee, upgrade, pay for removal, install full version, trial, lots of threats, scanner, scan, clean, computer, security, program, XP home security, fake microsoft, activate, activate scan, activate antivirus, warnings, pop-ups, security warnings, security pop-ups tech support scams, fake Microsoft error notification, fake virus alert, fake product expiration, fake Windows activation, scam web pages, scam phone numbers, telephone numbers, MMPC, WDSI, Microsoft Malware Protection Center, tech support scam numbers
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-# Tech support scams
-
-Tech support scams are an industry-wide issue where scammers use scare tactics to trick users into paying for unnecessary technical support services that supposedly fix contrived device, platform, or software problems.
-
-## How tech support scams work
-
-Scammers may call you directly on your phone and pretend to be representatives of a software company. They might even spoof the caller ID so that it displays a legitimate support phone number from a trusted company. They can then ask you to install applications that give them remote access to your device. Using remote access, these experienced scammers can misrepresent normal system output as signs of problems.
-
-Scammers might also initiate contact by displaying fake error messages on websites you visit, displaying support numbers and enticing you to call. They can also put your browser on full screen and display pop-up messages that won't go away, essentially locking your browser. These fake error messages aim to trick you into calling an indicated technical support hotline. Note that Microsoft error and warning messages never include phone numbers.
-
-When you engage with the scammers, they can offer fake solutions for your “problems” and ask for payment in the form of a one-time fee or subscription to a purported support service.
-
-**For more information, view [known tech support scam numbers and popular web scams](https://support.microsoft.com/help/4013405/windows-protect-from-tech-support-scams).**
-
-## How to protect against tech support scams
-
-Share and implement the general tips on how to [prevent malware infection](prevent-malware-infection.md).
-
-It is also important to keep the following in mind:
-
-* Microsoft does not send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to fix your computer.
-
-* Any communication with Microsoft has to be initiated by you.
-
-* Don’t call the number in the pop-ups. Microsoft’s error and warning messages never include a phone number.
-
-* Download software only from official vendor websites or the Microsoft Store. Be wary of downloading software from third-party sites, as some of them might have been modified without the author’s knowledge to bundle support scam malware and other threats.
-
-* Use [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge) when browsing the internet. It blocks known support scam sites using Windows Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop pop-up dialogue loops used by these sites.
-
-* Enable [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware.
-
-## What to do if information has been given to a tech support person
-
-* Uninstall applications that scammers asked to be install. If access has been granted, consider resetting the device
-
-* Run a full scan with Microsoft Defender Antivirus to remove any malware. Apply all security updates as soon as they are available.
-
-* Change passwords.
-
-* Call your credit card provider to reverse the charges, if you have already paid.
-
-* Monitor anomalous logon activity. Use Windows Defender Firewall to block traffic to services that you would not normally access.
-
-### Reporting tech support scams
-
-Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by reporting tech support scams:
-
-www.microsoft.com/reportascam
-
-You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality.
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md
deleted file mode 100644
index 52b3552843..0000000000
--- a/windows/security/threat-protection/intelligence/trojans-malware.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Trojan malware
-ms.reviewer:
-description: Trojans are a type of threat that can infect your device. This page tells you what they are and how to remove them.
-keywords: security, malware, protection, trojan, download, file, infection, trojans, virus, protection, cleanup, removal, antimalware, antivirus, WDSI, MMPC, Microsoft Malware Protection Center, malware types
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-
-# Trojans
-
-Trojans are a common type of malware which, unlike viruses, can’t spread on their own. This means they either have to be downloaded manually or another malware needs to download and install them.
-
-Trojans often use the same file names as real and legitimate apps. It is easy to accidentally download a trojan thinking that it is a legitimate app.
-
-## How trojans work
-
-Trojans can come in many different varieties, but generally they do the following:
-
-- Download and install other malware, such as viruses or [worms](worms-malware.md).
-
-- Use the infected device for click fraud.
-
-- Record keystrokes and websites visited.
-
-- Send information about the infected device to a malicious hacker including passwords, login details for websites, and browsing history.
-
-- Give a malicious hacker control over the infected device.
-
-## How to protect against trojans
-
-Use the following free Microsoft software to detect and remove it:
-
-- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows.
-
-- [Microsoft Safety Scanner](safety-scanner-download.md)
-
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md
deleted file mode 100644
index 04b637d62c..0000000000
--- a/windows/security/threat-protection/intelligence/understanding-malware.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Understanding malware & other threats
-ms.reviewer:
-description: Learn about the most prevalent viruses, malware, and other threats. Understand how they infect systems, how they behave, and how to prevent and remove them.
-keywords: security, malware, virus, malware, threat, analysis, research, encyclopedia, dictionary, glossary, ransomware, support scams, unwanted software, computer infection, virus infection, descriptions, remediation, latest threats, mmpc, microsoft malware protection center, wdsi
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-search.appverid: met150
-ms.technology: windows-sec
----
-# Understanding malware & other threats
-
-Malware is a term used to describe malicious applications and code that can cause damage and disrupt normal use of devices. Malware can allow unauthorized access, use system resources, steal passwords, lock you out of your computer and ask for ransom, and more.
-
-Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims.
-
-As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), businesses can stay protected with next-generation protection and other security capabilities.
-
-For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic.
-
-There are many types of malware, including:
-
-- [Coin miners](coinminer-malware.md)
-- [Exploits and exploit kits](exploits-malware.md)
-- [Macro malware](macro-malware.md)
-- [Phishing](phishing.md)
-- [Ransomware](/security/compass/human-operated-ransomware)
-- [Rootkits](rootkits-malware.md)
-- [Supply chain attacks](supply-chain-malware.md)
-- [Tech support scams](support-scams.md)
-- [Trojans](trojans-malware.md)
-- [Unwanted software](unwanted-software.md)
-- [Worms](worms-malware.md)
-
-## Additional resources and information
-
-- Keep up with the latest malware news and research. Check out our [Microsoft security blogs](https://www.microsoft.com/security/blog/product/windows/) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
-
-- Learn more about [Windows security](../../index.yml).
-
-- Learn how to [deploy threat protection capabilities across Microsoft 365 E5](/microsoft-365/solutions/deploy-threat-protection).
-
diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md
deleted file mode 100644
index 9a26e42972..0000000000
--- a/windows/security/threat-protection/intelligence/unwanted-software.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Unwanted software
-ms.reviewer:
-description: Learn about how unwanted software changes your default settings without your consent and what you can do to protect yourself.
-keywords: security, malware, protection, unwanted, software, alter, infect, unwanted software, software bundlers, browser modifiers, privacy, security, computing experience, prevent infection, solution, WDSI, MMPC, Microsoft Malware Protection Center, virus research threats, research malware, pc protection, computer infection, virus infection, descriptions, remediation, latest threats
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-# Unwanted software
-
-Unwanted software are programs that alter the Windows experience without your consent or control. This can take the form of modified browsing experience, lack of control over downloads and installation, misleading messages, or unauthorized changes to Windows settings.
-
-## How unwanted software works
-
-Unwanted software can be introduced when a user searches for and downloads applications from the internet. Some applications are software bundlers, which means that they are packed with other applications. As a result, other programs can be inadvertently installed when the original application is downloaded.
-
-Here are some indications of unwanted software:
-
-- There are programs that you did not install and that may be difficult to uninstall
-
-- Browser features or settings have changed, and you can’t view or modify them
-
-- There are excessive messages about your device's health or about files and programs
-
-- There are ads that cannot be easily closed
-
-Some indicators are harder to recognize because they are less disruptive, but are still unwanted. For example, unwanted software can modify web pages to display specific ads, monitor browsing activities, or remove control of the browser.
-
-Microsoft uses an extensive [evaluation criteria](criteria.md) to identify unwanted software.
-
-## How to protect against unwanted software
-
-To prevent unwanted software infection, download software only from official websites, or from the Microsoft Store. Be wary of downloading software from third-party sites.
-
-Use [Microsoft Edge](/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [Windows Defender SmartScreen](/microsoft-edge/deploy/index) (also used by Internet Explorer).
-
-Enable [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
-
-Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista.
-
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
-
-### What should I do if my device is infected?
-
-If you suspect that you have unwanted software, you can [submit files for analysis](https://www.microsoft.com/wdsi/filesubmission).
-
-Some unwanted software adds uninstallation entries, which means that you can **remove them using Settings**.
-1. Select the Start button
-2. Go to **Settings > Apps > Apps & features**.
-3. Select the app you want to uninstall, then click **Uninstall**.
-
-If you only recently noticed symptoms of unwanted software infection, consider sorting the apps by install date, and then uninstall the most recent apps that you did not install.
-
-You may also need to **remove browser add-ons** in your browsers, such as Internet Explorer, Firefox, or Chrome.
-
-In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
deleted file mode 100644
index 0616554f60..0000000000
--- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: Virus Information Alliance
-ms.reviewer:
-description: The Microsoft Virus Information Alliance (VIA) is a collaborative antimalware program for organizations fighting cybercrime.
-keywords: security, malware, Microsoft, MMPC, Microsoft Malware Protection Center, partners, sharing, samples, vendor exchange, CSS, alliance, WDSI
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: windows-sec
----
-# Virus Information Alliance
-
-The Virus Information Alliance (VIA) is a public anti-malware collaboration program for security software providers, security service providers, anti-malware testing organizations, and other organizations involved in fighting cyber crime.
-
-Members of the VIA program collaborate by exchanging technical information on malicious software with Microsoft. The goal is to improve protection for Microsoft customers.
-
-## Better protection for customers against malware
-
-The VIA program gives members access to information that will help them improve protection. For example, the program provides malware telemetry and samples to security teams so they can identify gaps and prioritize new threat coverage.
-
-Malware prevalence data is provided to anti-malware testers to assist them in selecting sample sets. The data also helps set scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage our data to help assess the impact of policy changes or to help shut down malicious activity.
-
-Microsoft is committed to continuous improvement to help reduce the impact of malware on customers. By sharing malware-related information, Microsoft enables members of this community to work towards better protection for customers.
-
-## Becoming a member of VIA
-
-Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of the Virus Information Alliance (VIA).
-
-The criteria is designed to ensure that Microsoft can work with the following groups to protect a broad range of customers:
-
-- Security software providers
-- Security service providers
-- Anti-malware testing organizations
-- Other organizations involved in the fight against cybercrime
-
-Members will receive information to facilitate effective malware detection, deterrence, and eradication. This information includes technical information on malware and metadata on malicious activity. Information shared through VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable.
-
-VIA has an open enrollment for potential members.
-
-### Initial selection criteria
-
-To be eligible for VIA your organization must:
-
-1. Be willing to sign a non-disclosure agreement with Microsoft.
-
-2. Fit into one of the following categories:
-
- - Your organization develops anti-malware technology that can run on Windows and your organization’s product is commercially available.
- - Your organization provides security services to Microsoft customers or for Microsoft products.
- - Your organization publishes anti-malware testing reports regularly.
- - Your organization has a research or response team dedicated to fighting malware to protect your organization, your customers, or the general public.
-
-3. Be willing to sign and adhere to the VIA membership agreement.
-
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
deleted file mode 100644
index 272227666c..0000000000
--- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Microsoft Virus Initiative
-ms.reviewer:
-description: The Microsoft Virus Initiative (MVI) helps organizations that make antivirus or antimalware products integrate with Windows and share telemetry with Microsoft.
-keywords: security, malware, MVI, Microsoft Malware Protection Center, MMPC, alliances, WDSI
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: windows-sec
----
-
-# Microsoft Virus Initiative
-
-The Microsoft Virus Initiative (MVI) helps organizations develop better-together security solutions that are performant, reliable, and aligned with Microsoft technology and strategy.
-
-## Become a member
-
-You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology.
-
-To qualify for the MVI program, your organization must meet all the following requirements:
-
-1) Your security solution either replaces or compliments Microsoft Defender Antivirus.
-
-2) Your organization is responsible for both developing and distributing app updates to end-customers that address compatibility with Windows.
-
-3) Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences or being reviewed in an industry-standard report such as AV-Comparatives, OPSWAT, or Gartner.
-
-4) Your organization must sign a non-disclosure agreement (NDA) with Microsoft.
-
-5) Your organization must sign a program license agreement. Maintaining this license agreement requires that you adhere to all program requirements for antimalware apps. These requirements define the behavior of antimalware apps necessary to ensure proper interaction with Windows.
-
-6) You must submit your app to Microsoft for periodic performance testing and feature review.
-
-7) Your solution must be certified through independent testing by at least one industry-standard organization, and yearly certification must be maintained.
-
-Test Provider | Lab Test Type | Minimum Level / Score
-------------- |---------------|----------------------
-AV-Comparatives | Real-World Protection Test https://www.av-comparatives.org/testmethod/real-world-protection-tests/ |“Approved” rating from AV Comparatives
-AV-Test | Must pass tests for Windows. Certifications for Mac and Linux aren't accepted https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users)
-ICSA Labs | Endpoint Anti-Malware Detection https://www.icsalabs.com/technology-program/anti-virus/criteria |PASS/Certified
-SKD Labs | Certification Requirements Product: Anti-virus or Antimalware http://www.skdlabs.com/html/english/ http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5% with On Demand, On Access and Total Detection tests
-VB 100 | VB100 Certification Test V1.1 https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/ | VB100 Certification
-West Coast Labs | Checkmark Certified http://www.checkmarkcertified.com/sme/ | “A” Rating on Product Security Performance
-
-## Apply now
-
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbRxusDUkejalGp0OAgRTWC7BUQVRYUEVMNlFZUjFaUDY2T1U1UDVVU1NKVi4u).
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md
deleted file mode 100644
index 0fb215f6b9..0000000000
--- a/windows/security/threat-protection/intelligence/worms-malware.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Worms
-ms.reviewer:
-description: Learn about how worms replicate and spread to other computers or networks. Read about the most popular worms and steps you can take to stop them.
-keywords: security, malware, protection, worm, vulnerabilities, infect, steal, Jenxcus, Gamarue, Bondat, WannaCrypt, WDSI, MMPC, Microsoft Malware Protection Center, worms, malware types, threat propagation, mass-mailing, IP scanning
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
-ms.technology: windows-sec
----
-
-# Worms
-
-A worm is a type of malware that can copy itself and often spreads through a network by exploiting security vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking sites, network shares, removable drives, and software vulnerabilities.
-
-## How worms work
-
-Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities.
-
-Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infects users running Microsoft software. Although these worms share some commonalities, it's interesting to note that they also have distinct characteristics.
-
-* **Jenxcus** has capabilities of not only infecting removable drives but can also act as a backdoor that connects back to its server. This threat typically gets into a device from a drive-by download attack, meaning it's installed when users just visit a compromised web page.
-
-* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as info stealers, spammers, clickers, downloaders, and rogues.
-
-* **Bondat** typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server.
-
-Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they're doing, they try to avoid detection by security software.
-
-* [**WannaCrypt**](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (like ransomware).
-
-This image shows how a worm can quickly spread through a shared USB drive.
-
-
-
-### *Figure worm spreading from a shared USB drive*
-
-## How to protect against worms
-
-Enable [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
-
-Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista.
-
-In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
-
-For more general tips, see [prevent malware infection](/microsoft-365/security/defender-endpoint/prevent-malware-infection).
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-bug-bounty-program.md b/windows/security/threat-protection/microsoft-bug-bounty-program.md
deleted file mode 100644
index 70acd69970..0000000000
--- a/windows/security/threat-protection/microsoft-bug-bounty-program.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-title: About the Microsoft Bug Bounty Program
-description: If you are a security researcher, you can get a reward for reporting a vulnerability in a Microsoft product, service, or device.
-ms.prod: m365-security
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.reviewer:
-ms.technology: windows-sec
----
-
-# About the Microsoft Bug Bounty Program
-
-Are you a security researcher? Did you find a vulnerability in a Microsoft product, service, or device? If so, we want to hear from you!
-
-If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.
-
-Visit the [Microsoft Bug Bounty Program site](https://www.microsoft.com/en-us/msrc/bounty?rtc=1) for all the details!
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index bb6166a66f..e99bc8205f 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -14,7 +14,7 @@ metadata:
manager: dansimp
ms.custom: asr
ms.technology: windows-sec
-
+ ms.topic: faq
title: Frequently asked questions - Microsoft Defender Application Guard
summary: |
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index 93c7ae9224..1e36c9cbac 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -23,14 +23,14 @@ ms.technology: windows-sec
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-When creating policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that can be used, or organizations that use the Device Guard Signing Service can download a starter policy from that service.
+When you create policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that can be used, or organizations that use the Device Guard Signing Service can download a starter policy from that service.
## Example Base Policies
@@ -40,6 +40,6 @@ When creating policies for use with Windows Defender Application Control (WDAC),
| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](/windows/security/threat-protection/device-guard/memory-integrity) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
-| **DenyAllAudit.xml** | Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) |
| **MEM Configuration Manager** | Customers who use MEM Configuration Manager (MEMCM) can deploy a policy with MEMCM's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 146ad43afe..d078c538f5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -47,7 +47,7 @@ To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleO
`Set-RuleOption -FilePath -Option 0 -Delete`
-You can set several rule options within a WDAC policy. Table 1 describes each rule option, and whether they have supplemental policies. However, option 5 is not implemented as it is reserved for future work, and option 7 is not supported.
+You can set several rule options within a WDAC policy. Table 1 describes each rule option, and whether they have supplemental policies. However, option 5 isn't implemented as it's reserved for future work, and option 7 isn't supported.
> [!NOTE]
> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode.
@@ -57,14 +57,14 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| Rule option | Description | Valid supplemental option |
|------------ | ----------- | ----------- |
| **0 Enabled:UMCI** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. | No |
-| **1 Enabled:Boot Menu Protection** | This option is not currently supported. | No |
-| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Kernel drivers built for Windows 10 should be WHQL certified. | No |
+| **1 Enabled:Boot Menu Protection** | This option isn't currently supported. | No |
+| **2 Required:WHQL** | By default, legacy drivers that aren't Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Kernel drivers built for Windows 10 should be WHQL certified. | No |
| **3 Enabled:Audit Mode (Default)** | Instructs WDAC to log information about applications, binaries, and scripts that would have been blocked, if the policy was enforced. You can use this option to identify the potential impact of your WDAC policy, and use the audit events to refine the policy before enforcement. To enforce a WDAC policy, delete this option. | No |
-| **4 Disabled:Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This option would be used by organizations that only want to run released binaries, not pre-release Windows builds. | No |
+| **4 Disabled:Flight Signing** | If enabled, WDAC policies won't trust flightroot-signed binaries. This option would be used by organizations that only want to run released binaries, not pre-release Windows builds. | No |
| **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. | Yes |
| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. | Yes |
-| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. | Yes |
-| **8 Required:EV Signers** | This rule requires that drivers must be WHQL signed, and have been submitted by a partner with an Extended Verification (EV) certificate. All Windows 10 and Windows 11 drivers will meet this requirement. | No |
+| **7 Allowed:Debug Policy Augmented** | This option isn't currently supported. | Yes |
+| **8 Required:EV Signers** | This option isn't currently supported. | No |
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No |
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | No |
| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows without the proper update may have unintended results. | No |
@@ -88,16 +88,16 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
| Rule level | Description |
|----------- | ----------- |
-| **Hash** | Specifies individual hash values for each discovered binary. This is the most specific level, and requires additional effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
-| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it does not typically require a policy update when any binary is modified. |
-| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. Additional information about FilePath level rules can be found below. |
+| **Hash** | Specifies individual hash values for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
+| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. |
+| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. More information about FilePath level rules can be found below. |
| **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
| **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). |
| **FilePublisher** | This level combines the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. Using this level, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. |
-| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root certificate because the scan does not validate anything beyond the certificates included in the provided signature (it does not go online or check local root stores). |
+| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root certificate because the scan doesn't validate anything beyond the certificates included in the provided signature (it doesn't go online or check local root stores). |
| **RootCertificate** | Currently unsupported. |
-| **WHQL** | Trusts binaries if they have been validated and signed by WHQL. This level is primarily for kernel binaries. |
+| **WHQL** | Trusts binaries if they've been validated and signed by WHQL. This level is primarily for kernel binaries. |
| **WHQLPublisher** | This level combines the WHQL level and the CN on the leaf certificate, and is primarily for kernel binaries. |
| **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This level is primarily for kernel binaries. |
@@ -114,19 +114,19 @@ For example, consider an IT professional in a department that runs many servers.
To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](/powershell/module/configci/new-cipolicy) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They deploy the policy in auditing mode to determine the potential impact from enforcing the policy. Using the audit data, they update their WDAC policies to include any additional software they want to run. Then they enable the WDAC policy in enforced mode for their servers.
-As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version.
+As part of normal operations, they'll eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they won't need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version.
## File rule precedence order
-WDAC has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md).
+WDAC has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these exist, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md).
## More information about filepath rules
-Filepath rules do not provide the same security guarantees that explicit signer rules do, since they are based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect will remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder.
+Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect will remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder.
-By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath and its parent directories (recursively) do not allow standard users write access.
+By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath and its parent directories (recursively) don't allow standard users write access.
-There is a defined list of SIDs that WDAC recognizes as admins. If a filepath allows write permissions for any SID not in this list, the filepath is considered to be user-writeable, even if the SID is associated to a custom admin user. To handle these special cases, you can override WDAC's runtime admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option described above.
+There's a defined list of SIDs that WDAC recognizes as admins. If a filepath allows write permissions for any SID not in this list, the filepath is considered to be user-writeable, even if the SID is associated to a custom admin user. To handle these special cases, you can override WDAC's runtime admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option described above.
WDAC's list of well-known admin SIDs are:
@@ -134,7 +134,7 @@ S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550;
When generating filepath rules using [New-CIPolicy](/powershell/module/configci/new-cipolicy), a unique, fully qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards, using the [-FilePathRules](/powershell/module/configci/new-cipolicyrule#parameters) switch.
-Wildcards can be used at the beginning or end of a path rule; only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. `C:\*` would include `C:\foo\*` ). Wildcards placed at the beginning of a path will allow the exact specified filename under any path (ex. `*\bar.exe` would allow `C:\bar.exe` and `C:\foo\bar.exe`). Wildcards in the middle of a path are not supported (ex. `C:\*\foo.exe`). Without a wildcard, the rule will allow only a specific file (ex. `C:\foo\bar.exe`).
+Wildcards can be used at the beginning or end of a path rule; only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. `C:\*` would include `C:\foo\*` ). Wildcards placed at the beginning of a path will allow the exact specified filename under any path (ex. `*\bar.exe` would allow `C:\bar.exe` and `C:\foo\bar.exe`). Wildcards in the middle of a path aren't supported (ex. `C:\*\foo.exe`). Without a wildcard, the rule will allow only a specific file (ex. `C:\foo\bar.exe`).
You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
@@ -146,17 +146,17 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
### Why does scan create four hash rules per XML file?
The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.
-During validation CI will choose which hashes to calculate, depending on how the file is signed. For example, if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode, and we would just match using the first page hash.
+During validation CI will choose which hashes to calculate, depending on how the file is signed. For example, if the file is page-hash signed the entire file wouldn't get paged in to do a full sha256 authenticode, and we would just match using the first page hash.
In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI.
### Why does scan create eight hash rules for certain XML files?
-Separate rules are created for UMCI and KMCI. In some cases, files that are purely user-mode or purely kernel-mode may still generate both sets, since CI cannot always precisely determine what is purely user vs. kernel mode, and errs on the side of caution.
+Separate rules are created for UMCI and KMCI. In some cases, files that are purely user-mode or purely kernel-mode may still generate both sets, since CI can’t always precisely determine what is purely user vs. kernel mode, and errs on the side of caution.
## Windows Defender Application Control filename rules
-File name rule levels let you specify file attributes to base a rule on. File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules.
+File name rule levels let you specify file attributes to base a rule on. File name rules provide the same security guarantees that explicit signer rules do, as they're based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules.
Use Table 3 to select the appropriate file name level for your use cases. For instance, an LOB or production application and its binaries may all share the same product name. This option lets you easily create targeted policies based on the Product Name filename rule level.