diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index d9d9223bc1..1488658434 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -16550,6 +16550,10 @@ "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference", "redirect_document_id": false }, - + { + "source_path": "windows/security/threat-protection/device-guard/memory-integrity.md", + "redirect_url": "https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78", + "redirect_document_id": true + } ] } diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md index 82518ed170..dbee2e62f1 100644 --- a/store-for-business/includes/store-for-business-content-updates.md +++ b/store-for-business/includes/store-for-business-content-updates.md @@ -2,17 +2,9 @@ -## Week of January 25, 2021 +## Week of March 15, 2021 | Published On |Topic title | Change | |------|------------|--------| -| 1/29/2021 | [Distribute offline apps (Windows 10)](/microsoft-store/distribute-offline-apps) | modified | - - -## Week of January 11, 2021 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 1/14/2021 | [Add unsigned app to code integrity policy (Windows 10)](/microsoft-store/add-unsigned-app-to-code-integrity-policy) | modified | +| 3/17/2021 | [Roles and permissions in Microsoft Store for Business and Education (Windows 10)](/microsoft-store/roles-and-permissions-microsoft-store-for-business) | modified | diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md index 0368064b89..5bab3cb32a 100644 --- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md +++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md 
@@ -13,11 +13,16 @@ author: cmcatee-MSFT manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 03/10/2021 +ms.date: 03/16/2021 --- # Roles and permissions in Microsoft Store for Business and Education +**Applies to** + +- Windows 10 +- Windows 10 Mobile + > [!IMPORTANT] > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). 
@@ -31,62 +36,65 @@ This table lists the global user accounts and the permissions they have in Micro | | Global Administrator | Billing Administrator | | ------------------------------ | --------------------- | --------------------- | -| Sign up for Microsoft Store for Business and Education | X | -| Modify company profile settings | X | | -| Purchase apps | X | X | +| Sign up for Microsoft Store for Business and Education | X | X | +| Modify company profile settings | X | X | +| Purchase apps | X | X | | Distribute apps | X | X | | Purchase subscription-based software | X | X | - -**Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store. +- **Global Administrator** and **Billing Administrator** - IT Pros with these accounts have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store. -**Billing Administrator** - IT Pros with this account have the same permissions as Microsoft Store Purchaser role. +## Microsoft Store roles and permissions -## Billing account roles and permissions -There are a set of roles, managed at your billing account level, that help IT admins and employees manage access to and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store for Business. +Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store. This table lists the roles and their permissions. -| Role | Buy from

Microsoft Store | Assign

roles | Edit

account | Sign

agreements | View

account | -| ------------------------| ------ | -------- | ------ | -------| -------- | -| Billing account owner | X | X | X | X | X | -| Billing account contributor | | | X | X | X | -| Billing account reader | | | | | X | -| Signatory | | | | X | X | +| | Admin | Purchaser | Device Guard signer | +| ------------------------------ | ------ | -------- | ------------------- | +| Assign roles | X | | | +| Manage Microsoft Store for Business and Education settings | X | | | +| Acquire apps | X | X | | +| Distribute apps | X | X | | +| Sign policies and catalogs | X | | | +| Sign Device Guard changes | X | | X | - -## Purchasing roles and permissions -There are also a set of roles for purchasing and managing items bought. -This table lists the roles and their permissions. - -| Role | Buy from

Microsoft Store | Manage all items | Manage items

I buy | -| ------------| ------ | -------- | ------ | -| Purchaser | X | X | | -| Basic purchaser | X | | X | - -## Assign roles **To assign roles to people** -1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com). +1. Sign in to Microsoft Store for Business or Microsoft Store for Education. >[!Note] - >You need to be a Global Administrator, or have the Billing account owner role to access **Permissions**.  - -2. Select **Manage**, and then select **Permissions**. -3. On **Roles**, or **Purchasing roles**, select **Assign roles**. -4. Enter a name, choose the role you want to assign, and select **Save**. - If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts](manage-users-and-groups-microsoft-store-for-business.md). + >You need to be a Global Administrator, or have the Microsoft Store Admin role to access the **Permissions** page. + + To assign roles, you need to be a Global Administrator or a Store Administrator. + +2. Click **Settings**, and then choose **Permissions**. + + OR + + Click **Manage**, and then click **Permissions** on the left-hand menu. + + + +3. Click **Add people**, type a name, choose the role you want to assign, and click **Save**. + + + +4. If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md). \ No newline at end of file diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index f8d9e83171..149457d576 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md 
@@ -159,15 +159,16 @@ ### [Personalization CSP](personalization-csp.md) #### [Personalization DDF file](personalization-ddf.md) ### [Policy CSP](policy-configuration-service-provider.md) -#### [Policy DDF file](policy-ddf-file.md) -#### [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md) -#### [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md) -#### [Policies in Policy CSP supported by HoloLens 2](policy-csps-supported-by-hololens2.md) -#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md) -#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md) -#### [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md) -#### [Policies in Policy CSP supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md) -#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md) +#### [Policy CSP DDF file](policy-ddf-file.md) +#### [Policies in Policy CSP supported by Group Policy](policies-in-policy-csp-supported-by-group-policy.md) +#### [ADMX-backed policies in Policy CSP](policies-in-policy-csp-admx-backed.md) +#### [Policies in Policy CSP supported by HoloLens 2](policies-in-policy-csp-supported-by-hololens2.md) +#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md) +#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md) +#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policies-in-policy-csp-supported-by-iot-enterprise.md) +#### [Policies in Policy CSP supported by Windows 10 IoT 
Core](policies-in-policy-csp-supported-by-iot-core.md) +#### [Policies in Policy CSP supported by Microsoft Surface Hub](policies-in-policy-csp-supported-by-surface-hub.md) +#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policies-in-policy-csp-that-can-be-set-using-eas.md) #### [AboveLock](policy-csp-abovelock.md) #### [Accounts](policy-csp-accounts.md) #### [ActiveXControls](policy-csp-activexcontrols.md) diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index b511fd100f..378e0e0f1e 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md 
@@ -13,7 +13,7 @@ author: lomayor # Azure Active Directory integration with MDM -Azure Active Directory is the world largest enterprise cloud identity management service. It’s used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow. +Azure Active Directory is the world largest enterprise cloud identity management service. It’s used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow. Once a device is enrolled in MDM, the MDM can enforce compliance with corporate policies, add or remove apps, and more. Additionally, the MDM can report a device’s compliance Azure AD. This enables Azure AD to allow access to corporate resources or applications secured by Azure AD only to devices that comply with policies. To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This topic describes the steps involved. 
@@ -52,19 +52,19 @@ Two Azure AD MDM enrollment scenarios: In both scenarios, Azure AD is responsible for authenticating the user and the device, which provides a verified unique device identifier that can be used for MDM enrollment. -In both scenarios, the enrollment flow provides an opportunity for the MDM service to render it's own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization. +In both scenarios, the enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization. -In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD to respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic. +In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD respect the Windows 10 design guidelines to the letter. 
This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic. -For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](https://go.microsoft.com/fwlink/?LinkId=690246). +For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [Configure Azure MFA as authentication provider with AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa). -Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar. +Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios is similar. > [!NOTE] > Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. -### MDM endpoints involved in Azure AD integrated enrollment +### MDM endpoints involved in Azure AD–integrated enrollment Azure AD MDM enrollment is a two-step process: 
@@ -112,27 +112,39 @@ The keys used by the MDM application to request access tokens from Azure AD are Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery. -1. Login to the Azure Management Portal using an admin account in your home tenant. +1. Log in to the Azure Management Portal using an admin account in your home tenant. + 2. In the left navigation, click on the **Active Directory**. + 3. Click the directory tenant where you want to register the application. Ensure that you are logged into your home tenant. + 4. Click the **Applications** tab. + 5. In the drawer, click **Add**. + 6. Click **Add an application my organization is developing**. + 7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then click **Next**. + 8. Enter the login URL for your MDM service. + 9. For the App ID, enter **https://<your\_tenant\_name>/ContosoMDM**, then click OK. + 10. While still in the Azure portal, click the **Configure** tab of your application. + 11. Mark your application as **multi-tenant**. + 12. Find the client ID value and copy it. You will need this later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery. + 13. Generate a key for your application and copy it. You will need this to call the Azure AD Graph API to report device compliance. This is covered in the subsequent section. 
-For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667) +For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). ### Add an on-premises MDM @@ -208,7 +220,7 @@ The following table shows the required information to create an entry in the Azu ### Add on-premises MDM to the app gallery -There are no special requirements for adding on-premises MDM to the app gallery.There is a generic entry for administrator to add an app to their tenant. +There are no special requirements for adding on-premises MDM to the app gallery. There is a generic entry for administrator to add an app to their tenant. However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. These are used to obtain authorization to access the Azure AD Graph API and for reporting device compliance. @@ -347,7 +359,8 @@ The following claims are expected in the access token passed by Windows to the T - +
+ > [!NOTE] > There is no device ID claim in the access token because the device may not yet be enrolled at this time. @@ -355,7 +368,7 @@ To retrieve the list of group memberships for the user, you can use the [Azure A Here's an example URL. -```console +```http https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0 Authorization: Bearer eyJ0eXAiOi ``` @@ -647,7 +660,7 @@ Alert sample: ## Determine when a user is logged in through polling -An alert is send to the MDM server in DM package\#1. +An alert is sent to the MDM server in DM package\#1. - Alert type - com.microsoft/MDM/LoginStatus - Alert format - chr @@ -925,5 +938,3 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di - - diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 9732019e98..28c2b08822 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -112,8 +112,8 @@ Example: Export the Debug logs ``` -## Collect logs from Windows 10 Mobile devices - + + -## Collect logs remotely from Windows 10 Holographic or Windows 10 Mobile devices +## Collect logs remotely from Windows 10 Holographic -For holographic or mobile devices already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md). +For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md). You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. The following examples show how to enable the ETW provider: 
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 9ce12f6be8..97ae6b939f 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -25,6 +25,10 @@ eUICCs --------IsActive --------PPR1Allowed --------PPR1AlreadySet +--------DownloadServers +------------ServerName +----------------DiscoveryState +----------------AutoEnable --------Profiles ------------ICCID ----------------ServerName diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index f8763ab613..9c6de75b46 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -236,6 +236,9 @@ ADMX Info: - GP ADMX file name: *AppHVSI.admx* +> [!NOTE] +> To enforce this policy, device restart or user logon/logoff is required. + **Settings/AllowCameraMicrophoneRedirection** Added in Windows 10, version 1809. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device. diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index 394b329d5d..b9eb08a9e3 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md 
@@ -39,9 +39,18 @@ The following resources provide additional information about using Windows Updat ## How do I reset Windows Update components? -[Reset Windows Update Client settings script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data. +- Try using the [Windows Update Troubleshooter](https://support.microsoft.com/windows/windows-update-troubleshooter-for-windows-10-19bc41ca-ad72-ae67-af3c-89ce169755dd), which will analyze the situation and reset any components that need it. +- Try the steps in [Troubleshoot problems updating Windows 10](https://support.microsoft.com/windows/troubleshoot-problems-updating-windows-10-188c2b0f-10a7-d72f-65b8-32d177eb136c). +- Try the steps in [Fix Windows Update](https://support.microsoft.com/sbs/windows/fix-windows-update-errors-18b693b5-7818-5825-8a7e-2a4a37d6d787) errors. + +If all else fails, try resetting the Windows Update Agent by running these commands from an elevated command prompt: + + ``` console + net stop wuauserv + rd /s /q %systemroot%\SoftwareDistribution + net start wuauserv + ``` -[Reset Windows Update Agent script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allows you to reset the Windows Update Agent, resolving issues with Windows Update. ## Reset Windows Update components manually diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 8ea91fd4cc..e974dc183f 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
@@ -23,7 +23,7 @@ Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions—**Windows 10 Education**. -The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices. +The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. ## Subscription Activation for Windows 10 Enterprise diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index c05de0195e..7ab3353cab 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md 
@@ -81,7 +81,13 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. > [!NOTE] -> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail. +> The certificate for the CA issuing the domain controller certificate must be included in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a multi-tier CA hierarchy or a third-party CA, this may not be done by default. If the Domain Controller certificate does not directly chain to a CA certificate in the NTAuth store, user authentication will fail. + +The following PowerShell command can be used to check all certificates in the NTAuth store: + +```powershell +Certutil -viewstore -enterprise NTAuth +``` ### Publish Certificate Templates to a Certificate Authority diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index a0330b3425..89a4c83d9b 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md 
@@ -42,6 +42,9 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and - [SSTP](https://technet.microsoft.com/library/ff687819.aspx) SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option. + + > [!NOTE] + > When a VPN plug-in is used, the adapter will be listed as an SSTP adapter, even though the VPN protocol used is the plug-in's protocol. - Automatic @@ -63,11 +66,13 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.m The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune: -![Available connection types](images/vpn-connection-intune.png) +> [!div class="mx-imgBorder"] +> ![Available connection types](images/vpn-connection-intune.png) In Intune, you can also include custom XML for third-party plug-in profiles: -![Custom XML](images/vpn-custom-xml-intune.png) +> [!div class="mx-imgBorder"] +> ![Custom XML](images/vpn-custom-xml-intune.png) ## Related topics @@ -85,4 +90,3 @@ In Intune, you can also include custom XML for third-party plug-in profiles: - diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index dbb57c5791..39a4183c0e 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -253,6 +253,10 @@ ##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md) ##### [Set preferences](microsoft-defender-atp/mac-preferences.md) ##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md) +##### [Device control]() +###### [Device control overview](microsoft-defender-atp/mac-device-control-overview.md) +###### [JAMF examples](microsoft-defender-atp/mac-device-control-jamf.md) +###### [Intune examples](microsoft-defender-atp/mac-device-control-intune.md) ##### [Schedule scans](microsoft-defender-atp/mac-schedule-scan-atp.md) #### [Troubleshoot]() diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md index 7da7e7d670..ef4138dc66 100644 --- a/windows/security/threat-protection/auditing/audit-file-system.md +++ b/windows/security/threat-protection/auditing/audit-file-system.md @@ -21,6 +21,8 @@ ms.technology: mde - Windows 10 - Windows Server 2016 +> [!NOTE] +> For more details about applicability on older operating system versions, read the article [Audit File System](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11)). Audit File System determines whether the operating system generates audit events when users attempt to access file system objects. @@ -61,4 +63,3 @@ Only one event, “[4658](event-4658.md): The handle to an object was closed,” - [5051](event-5051.md)(-): A file was virtualized. - [4670](event-4670.md)(S): Permissions on an object were changed. - diff --git a/windows/security/threat-protection/device-guard/memory-integrity.md b/windows/security/threat-protection/device-guard/memory-integrity.md deleted file mode 100644 index d743f3eae6..0000000000 --- a/windows/security/threat-protection/device-guard/memory-integrity.md +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -title: Memory integrity -keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet -description: Learn about memory integrity, a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy. -search.product: eADQiWindows 10XVcnh -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: levinec -ms.author: ellevin -ms.reviewer: -manager: dansimp -ms.technology: mde ---- - -# Memory integrity - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Memory integrity is a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy. It uses hardware virtualization and Hyper-V to protect Windows kernel mode processes from the injection and execution of malicious or unverified code. The integrity of code that runs on Windows is validated by memory integrity, making Windows resistant to attacks from malicious software. Memory integrity is a powerful security boundary that helps to block many types of malware from running in Windows 10 and Windows Server 2016 environments. - -For more information about Windows Security, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center). diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index a9c1588361..c2e32ce5d1 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md 
@@ -39,12 +39,12 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from ## System requirements -Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/lifecycle). +Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/lifecycle). ## How to run a scan 1. Download this tool and open it. -2. Select the type of scan you want run and start the scan. +2. Select the type of scan that you want to run and start the scan. 3. Review the scan results displayed on screen. For detailed detection results, view the log at **%SYSTEMROOT%\debug\msert.log**. To remove this tool, delete the executable file (msert.exe by default). diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index a9eed379da..34fc1933f8 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md 
@@ -30,7 +30,7 @@ For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with Po For example: [![VBS script](images/vbs-example.png)](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) -[![PowerShell script](images/powershell-example.png)](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be) +[![PowerShell script](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md index 77a859a805..8ab6bc321a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md @@ -12,7 +12,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: ksarens manager: dansimp -ms.date: 08/17/2020 +ms.date: 03/19/2021 ms.technology: mde --- 
@@ -25,12 +25,11 @@ ms.technology: mde - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) -You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt. +You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool **mpcmdrun.exe**. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt. > [!NOTE] -> You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. -> -> If you're running an updated Microsoft Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\`. +> You might need to open an administrator-level version of the command prompt. When you search for **Command Prompt** on the Start menu, choose **Run as administrator**. +> If you're running an updated Microsoft Defender Platform version, run `**MpCmdRun**` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\`. The utility has the following commands: @@ -68,7 +67,7 @@ MpCmdRun.exe -Scan -ScanType 2 |:----|:----| | `ValidateMapsConnection failed (800106BA) or 0x800106BA` | The Microsoft Defender Antivirus service is disabled. Enable the service and try again.
**Note:** In Windows 10 1909 or older, and Windows Server 2019 or older, the service used to be called "Windows Defender Antivirus" service.| | `0x80070667` | You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.| -| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0` (where `2008.4-0` might differ since platform updates are monthly except for December)| +| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March)| | `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)` | Not enough privileges. Use the command prompt (cmd.exe) as an administrator.| | `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070006 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. | | `ValidateMapsConnection failed to establish a connection to MAPS (hr=80004005 httpcode=450)` | Possible network-related issues, like name resolution problems| 
@@ -76,7 +75,9 @@ MpCmdRun.exe -Scan -ScanType 2 | `ValidateMapsConnection failed to establish a connection to MAPS (hr=800722F0D` | The firewall is blocking the connection or conducting SSL inspection. | | `ValidateMapsConnection failed to establish a connection to MAPS (hr=80072EE7 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. | -## Related topics +## See also +- [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md) +- [Manage Microsoft Defender Antivirus in your business](configuration-management-reference-microsoft-defender-antivirus.md) - [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 1b34d236ed..4fd8f01ece 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -13,7 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: pahuijbr manager: dansimp -ms.date: 03/10/2021 +ms.date: 03/19/2021 ms.technology: mde --- 
@@ -35,7 +35,7 @@ There are two types of updates related to keeping Microsoft Defender Antivirus u > Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. > Make sure to update your antivirus protection even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). > -> To see the most current engine, platform, and signature date, visit the [Microsoft security encyclopedia](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info). +> To see the most current engine, platform, and signature date, visit the [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates). ## Security intelligence updates @@ -48,7 +48,7 @@ Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). -For a list of recent security intelligence updates, see [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes). +For a list of recent security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates). Engine updates are included with security intelligence updates and are released on a monthly cadence. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 753fe73c40..d3be8cb22e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md 
@@ -32,11 +32,11 @@ ms.technology: mde ## Before you begin > [!NOTE] -> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service. +> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to Microsoft Threat Experts - Targeted Attack Notification managed threat hunting service. Ensure that you have Defender for Endpoint deployed in your environment with devices enrolled, and not just on a laboratory set-up. -If you're a Defender for Endpoint customer, you need to apply for Microsoft Threat Experts - Targeted Attack Notifications to get special insights and analysis to help identify the most critical threats, so you can respond to them quickly. Contact your account team or Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand to consult with our threat experts on relevant detections and adversaries. +If you're a Defender for Endpoint customer, you need to apply for **Microsoft Threat Experts - Targeted Attack Notifications** to get special insights and analysis to help identify the most critical threats, so you can respond to them quickly. Contact your account team or Microsoft representative to subscribe to **Microsoft Threat Experts - Experts on Demand** to consult with our threat experts on relevant detections and adversaries. ## Apply for Microsoft Threat Experts - Targeted Attack Notifications service If you're already a Defender for Endpoint customer, you can apply through the Microsoft Defender Security Center. 
@@ -78,7 +78,7 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert 2. From the dashboard, select the same alert topic that you got from the email, to view the details. ## Subscribe to Microsoft Threat Experts - Experts on Demand -If you're already a Defender for Endpoint customer, you can contact your Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand. +This is available as a subscription service. If you're already a Defender for Endpoint customer, you can contact your Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand. ## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised device, or a threat intelligence context that you see on your portal dashboard. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 07e759c41a..5203fd56b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
@@ -200,7 +200,7 @@ The following capabilities are included in this integration: - Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). > [!NOTE] - > Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016. + > The integration between Azure Defender for Servers and Microsoft Defender for Endpoint has been expanded to support [Windows Server 2019 and Windows Virtual Desktop (WVD)](https://docs.microsoft.com/azure/security-center/release-notes#microsoft-defender-for-endpoint-integration-with-azure-defender-now-supports-windows-server-2019-and-windows-10-virtual-desktop-wvd-in-preview). - Windows servers monitored by Azure Security Center will also be available in Defender for Endpoint - Azure Security Center seamlessly connects to the Defender for Endpoint tenant, providing a single view across clients and servers. In addition, Defender for Endpoint alerts will be available in the Azure Security Center console. - Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index b42807a66d..66054db1e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md 
@@ -47,10 +47,10 @@ To use either of these supported SIEM tools, you'll need to: - [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md) - Configure the supported SIEM tool: - - [Configure HP ArcSight to pull Defender for Endpoint detections](configure-arcsight.md) + - [Configure Micro Focus ArcSight to pull Defender for Endpoint detections](configure-arcsight.md) - Configure IBM QRadar to pull Defender for Endpoint detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). -For more information on the list of fields exposed in the Detection API see, [Defender for Endpoint Detection fields](api-portal-mapping.md). +For more information on the list of fields exposed in the Detection API, see [Defender for Endpoint Detection fields](api-portal-mapping.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-1.png new file mode 100644 index 0000000000..fb946071db Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-2.png new file mode 100644 index 0000000000..2220e12523 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-2.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-3.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-3.png new file mode 100644 index 0000000000..51110a707c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-3.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-4.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-4.png new file mode 100644 index 0000000000..ff9dafe040 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-notification.png new file mode 100644 index 0000000000..af8250de77 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-notification.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md index 5512e5de90..79e0659584 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md 
@@ -105,8 +105,8 @@ getfile c:\Users\user\Desktop\work.txt -auto > > The following file types **cannot** be downloaded using this command from within Live Response: > -> * [Reparse point files](/windows/desktop/fileio/reparse-points/) -> * [Sparse files](/windows/desktop/fileio/sparse-files/) +> * [Reparse point files](https://docs.microsoft.com/windows/win32/fileio/reparse-points) +> * [Sparse files](https://docs.microsoft.com/windows/win32/fileio/sparse-files) > * Empty files > * Virtual files, or files that are not fully present locally > diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-intune.md new file mode 100644 index 0000000000..8f77c8695b --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-intune.md 
@@ -0,0 +1,426 @@ +--- +title: Examples of device control policies for Intune +description: Learn how to use device control policies using examples that can be used with Intune. +keywords: microsoft, defender, atp, mac, device, control, usb, removable, media, intune +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: security +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint +ms.topic: conceptual +ms.technology: mde +--- + +# Examples of device control policies for Intune + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using Intune to manage devices in your enterprise. + +## Restrict access to all removable media + +The following example restricts access to all removable media. Note the `none` permission that is applied at the top level of the policy, meaning that all file operations will be disallowed. 
+ +```xml + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + none + + + + + + + +``` + +## Set all removable media to be read-only + +The following example configures all removable media to be read-only. Note the `read` permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed. 
+ +```xml + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + + + + + + + +``` + +## Disallow program execution from removable media + +The following example shows how program execution from removable media can be disallowed. Note the `read` and `write` permissions that are applied at the top level of the policy. 
+ +```xml + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + write + + + + + + + +``` + +## Restrict all devices from specific vendors + +The following example restricts all devices from specific vendors (in this case identified by `fff0` and `4525`). All other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute). 
+ +```xml + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + write + execute + + vendors + + fff0 + + permission + + none + + + 4525 + + permission + + none + + + + + + + + + +``` + +## Restrict specific devices identified by vendor ID, product ID, and serial number + +The following example restricts two specific devices, identified by vendor ID `fff0`, product ID `1000`, and serial numbers `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB`. At all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted. 
+ +```xml + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + write + execute + + vendors + + fff0 + + permission + + read + write + execute + + products + + 1000 + + permission + + read + write + execute + + serialNumbers + + 04ZSSMHI2O7WBVOA + + none + + 04ZSSMHI2O7WBVOB + + none + + + + + + + + + + + + +``` + +## Related topics + +- [Overview of device control for macOS](mac-device-control-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-jamf.md new file mode 100644 index 0000000000..a0dbbbf455 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-jamf.md 
@@ -0,0 +1,221 @@ +--- +title: Examples of device control policies for JAMF +description: Learn how to use device control policies using examples that can be used with JAMF. +keywords: microsoft, defender, endpoint, atp, mac, device, control, usb, removable, media, jamf +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: security +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint +ms.topic: conceptual +ms.technology: mde +--- + +# Examples of device control policies for JAMF + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using JAMF to manage devices in your enterprise. + +## Restrict access to all removable media + +The following example restricts access to all removable media. Note the `none` permission that is applied at the top level of the policy, meaning that all file operations will be prohibited. + +```xml + + + + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + none + + + + + +``` + +## Set all removable media to be read-only + +The following example configures all removable media to be read-only. 
Note the `read` permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed. + +```xml + + + + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + + + + + +``` + +## Disallow program execution from removable media + +The following example shows how program execution from removable media can be disallowed. Note the `read` and `write` permissions that are applied at the top level of the policy. + +```xml + + + + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + write + + + + + +``` + +## Restrict all devices from specific vendors + +The following example restricts all devices from specific vendors (in this case identified by `fff0` and `4525`). All other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute). + +```xml + + + + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + write + execute + + vendors + + fff0 + + permission + + none + + + 4525 + + permission + + none + + + + + + + +``` + +## Restrict specific devices identified by vendor ID, product ID, and serial number + +The following example restricts two specific devices, identified by vendor ID `fff0`, product ID `1000`, and serial numbers `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB`. At all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted. 
+ +```xml + + + + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + write + execute + + vendors + + fff0 + + permission + + read + write + execute + + products + + 1000 + + permission + + read + write + execute + + serialNumbers + + 04ZSSMHI2O7WBVOA + + none + + 04ZSSMHI2O7WBVOB + + none + + + + + + + + + + +``` + +## Related topics + +- [Overview of device control for macOS](mac-device-control-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-overview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-overview.md new file mode 100644 index 0000000000..f0445b47b4 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-overview.md 
@@ -0,0 +1,370 @@ +--- +title: Device control for macOS +description: Learn how to configure Microsoft Defender for Endpoint for Mac to reduce threats from removable storage such as USB devices. +keywords: microsoft, defender, atp, mac, device, control, usb, removable, media +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: security +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint +ms.topic: conceptual +ms.technology: mde +--- + +# Device control for macOS + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +## Requirements + +Device control for macOS has the following prerequisites: + +>[!div class="checklist"] +> - Microsoft Defender for Endpoint entitlement (can be trial) +> - Minimum OS version: macOS 10.15.4 or higher +> - Minimum product version: 101.24.59 +> - Your device must be running with system extensions (this is the default on macOS 11 Big Sur). +> +> You can check if your device is running on system extensions by running the following command and verify that it is printing `endpoint_security_extension` to the console: +> +> ```bash +> mdatp health --field real_time_protection_subsystem +> ``` +> - Your device must be in `Beta` (previously called `InsiderFast`) Microsoft AutoUpdate update channel. 
For more information, see [Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md). +> +> You can check the update channel using the following command: +> +> ```bash +> mdatp health --field release_ring +> ``` +> +> If the above command does not print either `Beta` or `InsiderFast`, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted). +> +> ```bash +> defaults write com.microsoft.autoupdate2 ChannelName -string Beta +> ``` +> +> Alternatively, if you are in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md). + +## Device control policy + +To configure device control for macOS, you must create a policy that describes the restrictions you want to put in place within your organization. + +The device control policy is included in the configuration profile used to configure all other product settings. For more information, see [Configuration profile structure](mac-preferences.md#configuration-profile-structure). + +Within the configuration profile, the device control policy is defined in the following section: + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | deviceControl | +| **Data type** | Dictionary (nested preference) | +| **Comments** | See the following sections for a description of the dictionary contents. 
| + +The device control policy can be used to: + +- [Customize the URL target for notifications raised by device control](#customize-url-target-for-notifications-raised-by-device-control) +- [Allow or block removable devices](#allow-or-block-removable-devices) + +### Customize URL target for notifications raised by device control + +When the device control policy that you have put in place is enforced on a device (for example, access to a removable media device is restricted), a notification is displayed to the user. + +![Device control notification](images/mac-device-control-notification.png) + +When end users click this notification, a web page is opened in the default browser. You can configure the URL that is opened when end users click the notification. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | navigationTarget | +| **Data type** | String | +| **Comments** | If not defined, the product uses a default URL pointing to a generic page explaining the action taken by the product. | + +### Allow or block removable devices + +The removable media section of the device control policy is used to restrict access to removable media. + +> [!NOTE] +> The following types of removable media are currently supported and can be included in the policy: USB storage devices. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | removableMediaPolicy | +| **Data type** | Dictionary (nested preference) | +| **Comments** | See the following sections for a description of the dictionary contents. | + +This section of the policy is hierarchical, allowing for maximum flexibility and covering a wide range of use cases. At the top level are vendors, identified by a vendor ID. For each vendor, there are products, identified by a product ID. Finally, for each product there are serial numbers denoting specific devices. + +``` +|-- policy top level + |-- vendor 1 + |-- product 1 + |-- serial number 1 + ... + |-- serial number N + ... 
+ |-- product N + ... + |-- vendor N +``` + +For information on how to find the device identifiers, see [Look up device identifiers](#look-up-device-identifiers). + +The policy is evaluated from the most specific entry to the most general one. Meaning, when a device is plugged in, the product tries to find the most specific match in the policy for each removable media device and apply the permissions at that level. If there is no match, then the next best match is applied, all the way to the permission specified at the top level, which is the default when a device does not match any other entry in the policy. + +#### Policy enforcement level + +Under the removable media section, there is an option to set the enforcement level, which can take one of the following values: + +- `audit` - Under this enforcement level, if access to a device is restricted, a notification is displayed to the user, however the device can still be used. This enforcement level can be useful to evaluate the effectiveness of a policy. +- `block` - Under this enforcement level, the operations that the user can perform on the device are limited to what is defined in the policy. Furthermore, a notification is raised to the user. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | enforcementLevel | +| **Data type** | String | +| **Possible values** | audit (default)
block | + +#### Default permission level + +At the top level of the removable media section, you can configure the default permission level for devices that do not match anything else in the policy. + +This setting can be set to: + +- `none` - No operations can be performed on the device +- A combination of the following values: + - `read` - Read operations are permitted on the device + - `write` - Write operations are permitted on the device + - `execute` - Execute operations are permitted on the device + +> [!NOTE] +> If `none` is present in the permission level, any other permissions (`read`, `write`, or `execute`) will be ignored. + +> [!NOTE] +> The `execute` permission only refers to execution of Mach-O binaries. It does not include execution of scripts or other types of payloads. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | permission | +| **Data type** | Array of strings | +| **Possible values** | none
read
write
execute | + +#### Restrict removable media by vendor, product, and serial number + +As described in [Allow or block removable devices](#allow-or-block-removable-devices), removable media such as USB devices can be identified by the vendor ID, product ID, and serial number. + +At the top level of the removable media policy, you can optionally define more granular restrictions at the vendor level. + +The `vendors` dictionary contains one or more entries, with each entry being identified by the vendor ID. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | vendors | +| **Data type** | Dictionary (nested preference) | + +For each vendor, you can specify the desired permission level for devices from that vendor. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | permission | +| **Data type** | Array of strings | +| **Possible values** | Same as [Default permission level](#default-permission-level) | + +Furthermore, you can optionally specify the set of products belonging to that vendor for which more granular permissions are defined. The `products` dictionary contains one or more entries, with each entry being identified by the product ID. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | products | +| **Data type** | Dictionary (nested preference) | + +For each product, you can specify the desired permission level for that product. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | permission | +| **Data type** | Array of strings | +| **Possible values** | Same as [Default permission level](#default-permission-level) | + +Furthermore, you can specify an optional set of serial numbers for which more granular permissions are defined. + +The `serialNumbers` dictionary contains one or more entries, with each entry being identified by the serial number. 
+ +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | serialNumbers | +| **Data type** | Dictionary (nested preference) | + +For each serial number, you can specify the desired permission level. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | permission | +| **Data type** | Array of strings | +| **Possible values** | Same as [Default permission level](#default-permission-level) | + +#### Example device control policy + +The following example shows how all of the above concepts can be combined into a device control policy. In the following example, note the hierarchical nature of the removable media policy. + +```xml + + + + + deviceControl + + navigationTarget + [custom URL for notifications] + removableMediaPolicy + + enforcementLevel + [enforcement level] + permission + + [permission] + + + vendors + + [vendor id] + + permission + + [permission] + + + products + + [product id] + + permission + + [permission] + + + serialNumbers + + [serial-number] + + [permission] + + + + + + + + + + + + + + +``` + +We have included more examples of device control policies in the following documents: + +- [Examples of device control policies for Intune](mac-device-control-intune.md) +- [Examples of device control policies for JAMF](mac-device-control-jamf.md) + +#### Look up device identifiers + +To find the vendor ID, product ID, and serial number of a USB device: + +1. Log into a Mac device. +1. Plug in the USB device for which you want to look up the identifiers. +1. In the top-level menu of macOS, select **About This Mac**. + + ![About this Mac](images/mac-device-control-lookup-1.png) + +1. Select **System Report**. + + ![System Report](images/mac-device-control-lookup-2.png) + +1. From the left column, select **USB**. + + ![View of all USB devices](images/mac-device-control-lookup-3.png) + +1. Under **USB Device Tree**, navigate to the USB device that you plugged in. 
+ + ![Details of a USB device](images/mac-device-control-lookup-4.png) + +1. The vendor ID, product ID, and serial number are displayed. When adding the vendor ID and product ID to the removable media policy, you must only add the part after `0x`. For example, in the below image, vendor ID is `1000` and product ID is `090c`. + +#### Discover USB devices in your organization + +You can view mount, unmount, and volume change events originating from USB devices in Microsoft Defender for Endpoint advanced hunting. These events can be helpful to identify suspicious usage activity or perform internal investigations. + +``` +DeviceEvents + | where ActionType == "UsbDriveMount" or ActionType == "UsbDriveUnmount" or ActionType == "UsbDriveDriveLetterChanged" + | where DeviceId == "" +``` + +## Device control policy deployment + +The device control policy must be included next to the other product settings, as described in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). + +This profile can be deployed using the instructions listed in [Configuration profile deployment](mac-preferences.md#configuration-profile-deployment). + +## Troubleshooting tips + +After pushing the configuration profile through Intune or JAMF, you can check if it was successfully picked up by the product by running the following command from the Terminal: + +```bash +mdatp device-control removable-media policy list +``` + +This command will print to standard output the device control policy that the product is using. In case this prints `Policy is empty`, make sure that (a) the configuration profile has indeed been pushed to your device from the management console, and (b) it is a valid device control policy, as described in this document. + +On a device where the policy has been delivered successfully and where there are one or more devices plugged in, you can run the following command to list all devices and the effective permissions applied to them. 
+ +```bash +mdatp device-control removable-media devices list +``` + +Example of output: + +```Output +.Device(s) +|-o Name: Untitled 1, Permission ["read", "execute"] +| |-o Vendor: General "fff0" +| |-o Product: USB Flash Disk "1000" +| |-o Serial number: "04ZSSMHI2O7WBVOA" +| |-o Mount point: "/Volumes/TESTUSB" +``` + +In the above example, there is only one removable media device plugged in and it has `read` and `execute` permissions, according to the device control policy that was delivered to the device. + +## Related topics + +- [Examples of device control policies for Intune](mac-device-control-intune.md) +- [Examples of device control policies for JAMF](mac-device-control-jamf.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md index 7fdbbda41d..82dc9ee2a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md @@ -75,12 +75,12 @@ You'll need to take the following steps: 1. Locate the file `WindowsDefenderATPOnboarding.plist` from the previous section. - ![Image of file](images/plist-onboarding-file.png) + ![Image of WindowsDefenderATPOnboarding file](images/plist-onboarding-file.png) 2. In the Jamf Pro dashboard, select **New**. - ![Image of Jamf Pro dashboard](images/jamf-pro-configure-profile.png) + ![Image of creating a new Jamf Pro dashboard](images/jamf-pro-configure-profile.png) 3. Enter the following details: 
@@ -93,13 +93,13 @@ You'll need to take the following steps: 4. In **Application & Custom Settings** select **Configure**. - ![Image of configuration profile](images/jamfpro-mac-profile.png) + ![Image of configurate app and custom settings](images/jamfpro-mac-profile.png) 5. Select **Upload File (PLIST file)** then in **Preference Domain** enter: `com.microsoft.wdav.atp`. - ![Image of upload file](images/jamfpro-plist-upload.png) + ![Image of jamfpro plist upload file](images/jamfpro-plist-upload.png) - ![Image of upload file](images/jamfpro-plist-file.png) + ![Image of upload file property List file](images/jamfpro-plist-file.png) 7. Select **Open** and select the onboarding file. @@ -118,17 +118,17 @@ You'll need to take the following steps: ![Image of target computers](images/jamfpro-target-computer.png) - ![Image of target computers](images/jamfpro-targets.png) + ![Image of targets](images/jamfpro-targets.png) 11. Select **Save**. - ![Image of target computers](images/jamfpro-deployment-target.png) + ![Image of deployment target computers](images/jamfpro-deployment-target.png) ![Image of target computers selected](images/jamfpro-target-selected.png) 12. Select **Done**. - ![Image of target computers](images/jamfpro-target-group.png) + ![Image of target group computers](images/jamfpro-target-group.png) ![List of configuration profiles](images/jamfpro-configuration-policies.png) @@ -268,7 +268,7 @@ You'll need to take the following steps: 3. In the Jamf Pro dashboard, select **General**. - ![Image of Jamf Pro dashboard](images/644e0f3af40c29e80ca1443535b2fe32.png) + ![Image of the new Jamf Pro dashboard](images/644e0f3af40c29e80ca1443535b2fe32.png) 4. Enter the following details: 
@@ -280,64 +280,64 @@ You'll need to take the following steps: - Distribution Method: Install Automatically(default) - Level: Computer Level(default) - ![Image of configuration settings](images/3160906404bc5a2edf84d1d015894e3b.png) + ![Image of MDATP MDAV configuration settings](images/3160906404bc5a2edf84d1d015894e3b.png) 5. In **Application & Custom Settings** select **Configure**. - ![Image of configuration settings](images/e1cc1e48ec9d5d688087b4d771e668d2.png) + ![Image of app and custom settings](images/e1cc1e48ec9d5d688087b4d771e668d2.png) 6. Select **Upload File (PLIST file)**. - ![Image of configuration settings](images/6f85269276b2278eca4bce84f935f87b.png) + ![Image of configuration settings plist file](images/6f85269276b2278eca4bce84f935f87b.png) 7. In **Preferences Domain**, enter `com.microsoft.wdav`, then select **Upload PLIST File**. - ![Image of configuration settings](images/db15f147dd959e872a044184711d7d46.png) + ![Image of configuration settings preferences domain](images/db15f147dd959e872a044184711d7d46.png) 8. Select **Choose File**. - ![Image of configuration settings](images/526e978761fc571cca06907da7b01fd6.png) + ![Image of configuration settings choose file](images/526e978761fc571cca06907da7b01fd6.png) 9. Select the **MDATP_MDAV_configuration_settings.plist**, then select **Open**. - ![Image of configuration settings](images/98acea3750113b8dbab334296e833003.png) + ![Image of mdatpmdav configuration settings](images/98acea3750113b8dbab334296e833003.png) 10. Select **Upload**. - ![Image of configuration settings](images/0adb21c13206861ba9b30a879ade93d3.png) + ![Image of configuration setting upload](images/0adb21c13206861ba9b30a879ade93d3.png) - ![Image of configuration settings](images/f624de59b3cc86e3e2d32ae5de093e02.png) + ![Image of configuration settings upload image](images/f624de59b3cc86e3e2d32ae5de093e02.png) >[!NOTE] >If you happen to upload the Intune file, you'll get the following error:
- >![Image of configuration settings](images/8e69f867664668796a3b2904896f0436.png) + >![Image of configuration settings intune file upload](images/8e69f867664668796a3b2904896f0436.png) 11. Select **Save**. - ![Image of configuration settings](images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png) + ![Image of configuration settings Save image](images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png) 12. The file is uploaded. - ![Image of configuration settings](images/33e2b2a1611fdddf6b5b79e54496e3bb.png) + ![Image of configuration settings file uploaded image](images/33e2b2a1611fdddf6b5b79e54496e3bb.png) - ![Image of configuration settings](images/a422e57fe8d45689227e784443e51bd1.png) + ![Image of configuration settings file uploaded](images/a422e57fe8d45689227e784443e51bd1.png) 13. Select the **Scope** tab. - ![Image of configuration settings](images/9fc17529e5577eefd773c658ec576a7d.png) + ![Image of configuration settings scope](images/9fc17529e5577eefd773c658ec576a7d.png) 14. Select **Contoso's Machine Group**. 15. Select **Add**, then select **Save**. - ![Image of configuration settings](images/cf30438b5512ac89af1d11cbf35219a6.png) + ![Image of configuration settings addsav](images/cf30438b5512ac89af1d11cbf35219a6.png) - ![Image of configuration settings](images/6f093e42856753a3955cab7ee14f12d9.png) + ![Image of configuration settings save add](images/6f093e42856753a3955cab7ee14f12d9.png) 16. Select **Done**. You'll see the new **Configuration profile**. - ![Image of configuration settings](images/dd55405106da0dfc2f50f8d4525b01c8.png) + ![Image of configuration settings config profile image](images/dd55405106da0dfc2f50f8d4525b01c8.png) ## Step 4: Configure notifications settings 
@@ -360,45 +360,45 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. - Distribution Method: Install Automatically(default) - Level: Computer Level(default) - ![Image of configuration settings](images/c9820a5ff84aaf21635c04a23a97ca93.png) + ![Image of configuration settings mdatpmdav](images/c9820a5ff84aaf21635c04a23a97ca93.png) 5. Select **Upload File (PLIST file)**. - ![Image of configuration settings](images/7f9138053dbcbf928e5182ee7b295ebe.png) + ![Image of configuration settings upload plistfile](images/7f9138053dbcbf928e5182ee7b295ebe.png) 6. Select **Choose File** > **MDATP_MDAV_Notification_Settings.plist**. - ![Image of configuration settings](images/4bac6ce277aedfb4a674f2d9fcb2599a.png) + ![Image of configuration settings mdatpmdav notsettings](images/4bac6ce277aedfb4a674f2d9fcb2599a.png) - ![Image of configuration settings](images/20e33b98eb54447881dc6c89e58b890f.png) + ![Image of configuration settings mdatpmdav notifsettings](images/20e33b98eb54447881dc6c89e58b890f.png) 7. Select **Open** > **Upload**. - ![Image of configuration settings](images/7697c33b9fd376ae5a8023d01f9d3857.png) + ![Image of configuration settings upl img](images/7697c33b9fd376ae5a8023d01f9d3857.png) - ![Image of configuration settings](images/2bda9244ec25d1526811da4ea91b1c86.png) + ![Image of configuration settings upl image](images/2bda9244ec25d1526811da4ea91b1c86.png) 8. Select the **Scope** tab, then select **Add**. - ![Image of configuration settings](images/441aa2ecd36abadcdd8aed03556080b5.png) + ![Image of configuration settings scope add](images/441aa2ecd36abadcdd8aed03556080b5.png) 9. Select **Contoso's Machine Group**. 10. Select **Add**, then select **Save**. 
- ![Image of configuration settings](images/09a275e321268e5e3ac0c0865d3e2db5.png) + ![Image of configuration settings contoso machine grp save](images/09a275e321268e5e3ac0c0865d3e2db5.png) - ![Image of configuration settings](images/4d2d1d4ee13d3f840f425924c3df0d51.png) + ![Image of configuration settings add save](images/4d2d1d4ee13d3f840f425924c3df0d51.png) 11. Select **Done**. You'll see the new **Configuration profile**. - ![Image of configuration setting](images/633ad26b8bf24ec683c98b2feb884bdf.png) + ![Image of configuration setting done img](images/633ad26b8bf24ec683c98b2feb884bdf.png) ## Step 5: Configure Microsoft AutoUpdate (MAU) @@ -410,7 +410,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. ChannelName - Production + Current HowToCheck AutomaticDownload EnableCheckForUpdatesButton @@ -427,7 +427,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. 3. In the Jamf Pro dashboard, select **General**. - ![Image of configuration setting](images/eaba2a23dd34f73bf59e826217ba6f15.png) + ![Image of configuration setting general image](images/eaba2a23dd34f73bf59e826217ba6f15.png) 4. Enter the following details: 
@@ -441,54 +441,54 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. 5. In **Application & Custom Settings** select **Configure**. - ![Image of configuration setting](images/1f72e9c15eaafcabf1504397e99be311.png) + ![Image of configuration setting app and custom settings](images/1f72e9c15eaafcabf1504397e99be311.png) 6. Select **Upload File (PLIST file)**. - ![Image of configuration setting](images/1213872db5833aa8be535da57653219f.png) + ![Image of configuration setting plist](images/1213872db5833aa8be535da57653219f.png) 7. In **Preference Domain** enter: `com.microsoft.autoupdate2`, then select **Upload PLIST File**. - ![Image of configuration setting](images/1213872db5833aa8be535da57653219f.png) + ![Image of configuration setting pref domain](images/1213872db5833aa8be535da57653219f.png) 8. Select **Choose File**. - ![Image of configuration setting](images/335aff58950ce62d1dabc289ecdce9ed.png) + ![Image of configuration setting choosefile](images/335aff58950ce62d1dabc289ecdce9ed.png) 9. Select **MDATP_MDAV_MAU_settings.plist**. - ![Image of configuration setting](images/a26bd4967cd54bb113a2c8d32894c3de.png) + ![Image of configuration setting mdatpmdavmau settings](images/a26bd4967cd54bb113a2c8d32894c3de.png) 10. Select **Upload**. - ![Image of configuration setting](images/4239ca0528efb0734e4ca0b490bfb22d.png) + ![Image of configuration setting uplimage](images/4239ca0528efb0734e4ca0b490bfb22d.png) - ![Image of configuration setting](images/4ec20e72c8aed9a4c16912e01692436a.png) + ![Image of configuration setting uplimg](images/4ec20e72c8aed9a4c16912e01692436a.png) 11. Select **Save**. - ![Image of configuration setting](images/253274b33e74f3f5b8d475cf8692ce4e.png) + ![Image of configuration setting saveimg](images/253274b33e74f3f5b8d475cf8692ce4e.png) 12. Select the **Scope** tab. 
- ![Image of configuration setting](images/10ab98358b2d602f3f67618735fa82fb.png) + ![Image of configuration setting scopetab](images/10ab98358b2d602f3f67618735fa82fb.png) 13. Select **Add**. - ![Image of configuration setting](images/56e6f6259b9ce3c1706ed8d666ae4947.png) + ![Image of configuration setting addimg1](images/56e6f6259b9ce3c1706ed8d666ae4947.png) - ![Image of configuration setting](images/38c67ee1905c4747c3b26c8eba57726b.png) + ![Image of configuration setting addimg2](images/38c67ee1905c4747c3b26c8eba57726b.png) - ![Image of configuration setting](images/321ba245f14743c1d5d51c15e99deecc.png) + ![Image of configuration setting addimg3](images/321ba245f14743c1d5d51c15e99deecc.png) 14. Select **Done**. - ![Image of configuration setting](images/ba44cdb77e4781aa8b940fb83e3c21f7.png) + ![Image of configuration setting doneimage](images/ba44cdb77e4781aa8b940fb83e3c21f7.png) ## Step 6: Grant full disk access to Microsoft Defender for Endpoint 1. In the Jamf Pro dashboard, select **Configuration Profiles**. - ![Image of configuration setting](images/264493cd01e62c7085659d6fdc26dc91.png) + ![Image of configuration setting config profile](images/264493cd01e62c7085659d6fdc26dc91.png) 2. Select **+ New**. @@ -502,11 +502,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. - Level: Computer level - ![Image of configuration setting](images/ba3d40399e1a6d09214ecbb2b341923f.png) + ![Image of configuration setting general](images/ba3d40399e1a6d09214ecbb2b341923f.png) 4. In **Configure Privacy Preferences Policy Control** select **Configure**. - ![Image of configuration setting](images/715ae7ec8d6a262c489f94d14e1e51bb.png) + ![Image of configuration privacy policy control](images/715ae7ec8d6a262c489f94d14e1e51bb.png) 5. In **Privacy Preferences Policy Control**, enter the following details: 
@@ -514,12 +514,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. - Identifier Type: Bundle ID - Code Requirement: `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9` - ![Image of configuration setting](images/22cb439de958101c0a12f3038f905b27.png) 6. Select **+ Add**. - ![Image of configuration setting](images/bd93e78b74c2660a0541af4690dd9485.png) + ![Image of configuration setting add system policy all files](images/bd93e78b74c2660a0541af4690dd9485.png) - Under App or service: Set to **SystemPolicyAllFiles** @@ -527,11 +526,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. 7. Select **Save** (not the one at the bottom right). - ![Image of configuration setting](images/6de50b4a897408ddc6ded56a09c09fe2.png) + ![Image of configuration setting save images](images/6de50b4a897408ddc6ded56a09c09fe2.png) 8. Click the `+` sign next to **App Access** to add a new entry. - ![Image of configuration setting](images/tcc-add-entry.png) + ![Image of configuration setting app access](images/tcc-add-entry.png) 9. Enter the following details: @@ -541,7 +540,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. 10. Select **+ Add**. - ![Image of configuration setting](images/tcc-epsext-entry.png) + ![Image of configuration setting tcc epsext entry](images/tcc-epsext-entry.png) - Under App or service: Set to **SystemPolicyAllFiles** 
@@ -549,19 +548,19 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. 11. Select **Save** (not the one at the bottom right). - ![Image of configuration setting](images/tcc-epsext-entry2.png) + ![Image of configuration setting tcc epsext image2](images/tcc-epsext-entry2.png) 12. Select the **Scope** tab. - ![Image of configuration setting](images/2c49b16cd112729b3719724f581e6882.png) + ![Image of configuration setting scope](images/2c49b16cd112729b3719724f581e6882.png) 13. Select **+ Add**. - ![Image of configuration setting](images/57cef926d1b9260fb74a5f460cee887a.png) + ![Image of configuration setting addimage](images/57cef926d1b9260fb74a5f460cee887a.png) 14. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**. - ![Image of configuration setting](images/368d35b3d6179af92ffdbfd93b226b69.png) + ![Image of configuration setting contoso machinegrp](images/368d35b3d6179af92ffdbfd93b226b69.png) 15. Select **Add**. @@ -569,9 +568,9 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. 17. Select **Done**. - ![Image of configuration setting](images/809cef630281b64b8f07f20913b0039b.png) + ![Image of configuration setting donimg](images/809cef630281b64b8f07f20913b0039b.png) - ![Image of configuration setting](images/6c8b406ee224335a8c65d06953dc756e.png) + ![Image of configuration setting donimg2](images/6c8b406ee224335a8c65d06953dc756e.png) ## Step 7: Approve Kernel extension for Microsoft Defender for Endpoint 
@@ -590,11 +589,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. - Distribution Method: Install Automatically - Level: Computer Level - ![Image of configuration settings](images/24e290f5fc309932cf41f3a280d22c14.png) + ![Image of configuration settings mdatpmdav kernel](images/24e290f5fc309932cf41f3a280d22c14.png) 3. In **Configure Approved Kernel Extensions** select **Configure**. - ![Image of configuration settings](images/30be88b63abc5e8dde11b73f1b1ade6a.png) + ![Image of configuration settings approved kernel ext](images/30be88b63abc5e8dde11b73f1b1ade6a.png) 4. In **Approved Kernel Extensions** Enter the following details: @@ -602,11 +601,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. - Display Name: Microsoft Corp. - Team ID: UBF8T346G9 - ![Image of configuration settings](images/39cf120d3ac3652292d8d1b6d057bd60.png) + ![Image of configuration settings appr kernel extension](images/39cf120d3ac3652292d8d1b6d057bd60.png) 5. Select the **Scope** tab. - ![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png) + ![Image of configuration settings scope tab img](images/0df36fc308ba569db204ee32db3fb40a.png) 6. Select **+ Add**. @@ -614,15 +613,15 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. 8. Select **+ Add**. - ![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png) + ![Image of configuration settings add images](images/0dde8a4c41110dbc398c485433a81359.png) 9. Select **Save**. - ![Image of configuration settings](images/0add8019b85a453b47fa5c402c72761b.png) + ![Image of configuration settings saveimag](images/0add8019b85a453b47fa5c402c72761b.png) 10. Select **Done**. - ![Image of configuration settings](images/1c9bd3f68db20b80193dac18f33c22d0.png) + ![Image of configuration settings doneimag](images/1c9bd3f68db20b80193dac18f33c22d0.png) ## Step 8: Approve System extensions for Microsoft Defender for Endpoint 
@@ -641,11 +640,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. - Distribution Method: Install Automatically - Level: Computer Level - ![Image of configuration settings](images/sysext-new-profile.png) + ![Image of configuration settings sysext new prof](images/sysext-new-profile.png) 3. In **System Extensions** select **Configure**. - ![Image of configuration settings](images/sysext-configure.png) + ![Image of configuration settings sysext config](images/sysext-configure.png) 4. In **System Extensions** enter the following details: @@ -656,11 +655,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. - **com.microsoft.wdav.epsext** - **com.microsoft.wdav.netext** - ![Image of configuration settings](images/sysext-configure2.png) + ![Image of configuration settings sysextconfig2](images/sysext-configure2.png) 5. Select the **Scope** tab. - ![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png) + ![Image of configuration settings scopeimage](images/0df36fc308ba569db204ee32db3fb40a.png) 6. Select **+ Add**. @@ -668,15 +667,15 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. 8. Select **+ Add**. - ![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png) + ![Image of configuration settings addima](images/0dde8a4c41110dbc398c485433a81359.png) 9. Select **Save**. - ![Image of configuration settings](images/sysext-scope.png) + ![Image of configuration settings sysext scope](images/sysext-scope.png) 10. Select **Done**. - ![Image of configuration settings](images/sysext-final.png) + ![Image of configuration settings sysext-final](images/sysext-final.png) ## Step 9: Configure Network Extension 
@@ -704,19 +703,19 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender 5. Select **Choose File** and select `microsoft.network-extension.signed.mobileconfig`. - ![Image of upload window](images/netext-choose-file.png) + ![Image of upload window netext choose file](images/netext-choose-file.png) 6. Select **Upload**. - ![Image of upload window](images/netext-upload-file2.png) + ![Image of upload window netext upload file2](images/netext-upload-file2.png) 7. After uploading the file, you are redirected to a new page to finalize the creation of this profile. - ![Image of new configuration profile](images/netext-profile-page.png) + ![Image of new configuration profile netext profile page](images/netext-profile-page.png) 8. Select the **Scope** tab. - ![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png) + ![Image of configuration settings sco tab](images/0df36fc308ba569db204ee32db3fb40a.png) 9. Select **+ Add**. @@ -724,15 +723,15 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender 11. Select **+ Add**. - ![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png) + ![Image of configuration settings adim](images/0dde8a4c41110dbc398c485433a81359.png) 12. Select **Save**. - ![Image of configuration settings](images/netext-scope.png) + ![Image of configuration settings savimg netextscop](images/netext-scope.png) 13. Select **Done**. - ![Image of configuration settings](images/netext-final.png) + ![Image of configuration settings netextfinal](images/netext-final.png) ## Step 10: Schedule scans with Microsoft Defender for Endpoint for Mac Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp). 
@@ -741,22 +740,22 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint 1. Navigate to where you saved `wdav.pkg`. - ![Image of file explorer](images/8dde76b5463047423f8637c86b05c29d.png) + ![Image of file explorer wdav pkg](images/8dde76b5463047423f8637c86b05c29d.png) 2. Rename it to `wdav_MDM_Contoso_200329.pkg`. - ![Image of file explorer](images/fb2220fed3a530f4b3ef36f600da0c27.png) + ![Image of file explorer1 wdavmdmpkg](images/fb2220fed3a530f4b3ef36f600da0c27.png) 3. Open the Jamf Pro dashboard. - ![Image of configuration settings](images/990742cd9a15ca9fdd37c9f695d1b9f4.png) + ![Image of configuration settings jamfpro](images/990742cd9a15ca9fdd37c9f695d1b9f4.png) 4. Select your computer and click the gear icon at the top, then select **Computer Management**. - ![Image of configuration settings](images/b6d671b2f18b89d96c1c8e2ea1991242.png) + ![Image of configuration settings compmgmt](images/b6d671b2f18b89d96c1c8e2ea1991242.png) 5. In **Packages**, select **+ New**. - ![A picture containing bird Description automatically generated](images/57aa4d21e2ccc65466bf284701d4e961.png) + ![A picture containing bird Description automatically generated package new](images/57aa4d21e2ccc65466bf284701d4e961.png) 6. In **New Package** Enter the following details: @@ -765,7 +764,7 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint - Category: None (default) - Filename: Choose File - ![Image of configuration settings](images/21de3658bf58b1b767a17358a3f06341.png) + ![Image of configuration settings general tab](images/21de3658bf58b1b767a17358a3f06341.png) Open the file and point it to `wdav.pkg` or `wdav_MDM_Contoso_200329.pkg`. @@ -779,75 +778,75 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint **Limitations tab**
Keep default values. - ![Image of configuration settings](images/56dac54634d13b2d3948ab50e8d3ef21.png) + ![Image of configuration settings limitation tab](images/56dac54634d13b2d3948ab50e8d3ef21.png) 8. Select **Save**. The package is uploaded to Jamf Pro. - ![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png) + ![Image of configuration settings pack upl jamf pro](images/33f1ecdc7d4872555418bbc3efe4b7a3.png) It can take a few minutes for the package to be available for deployment. - ![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png) + ![Image of configuration settings pack upl](images/1626d138e6309c6e87bfaab64f5ccf7b.png) 9. Navigate to the **Policies** page. - ![Image of configuration settings](images/f878f8efa5ebc92d069f4b8f79f62c7f.png) + ![Image of configuration settings polocies](images/f878f8efa5ebc92d069f4b8f79f62c7f.png) 10. Select **+ New** to create a new policy. - ![Image of configuration settings](images/847b70e54ed04787e415f5180414b310.png) + ![Image of configuration settings new policy](images/847b70e54ed04787e415f5180414b310.png) 11. In **General** Enter the following details: - Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later - ![Image of configuration settings](images/625ba6d19e8597f05e4907298a454d28.png) + ![Image of configuration settingsmdatponboard ](images/625ba6d19e8597f05e4907298a454d28.png) 12. Select **Recurring Check-in**. - ![Image of configuration settings](images/68bdbc5754dfc80aa1a024dde0fce7b0.png) + ![Image of configuration settings recur checkin](images/68bdbc5754dfc80aa1a024dde0fce7b0.png) 13. Select **Save**. 14. Select **Packages > Configure**. - ![Image of configuration settings](images/8fb4cc03721e1efb4a15867d5241ebfb.png) + ![Image of configuration settings pack configure](images/8fb4cc03721e1efb4a15867d5241ebfb.png) 15. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. 
- ![Image of configuration settings](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png) + ![Image of configuration settings MDATP and MDA add](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png) 16. Select **Save**. - ![Image of configuration settings](images/9d6e5386e652e00715ff348af72671c6.png) + ![Image of configuration settingssavimg](images/9d6e5386e652e00715ff348af72671c6.png) 17. Select the **Scope** tab. - ![Image of configuration settings](images/8d80fe378a31143db9be0bacf7ddc5a3.png) + ![Image of configuration settings scptab](images/8d80fe378a31143db9be0bacf7ddc5a3.png) 18. Select the target computers. - ![Image of configuration settings](images/6eda18a64a660fa149575454e54e7156.png) + ![Image of configuration settings tgtcomp](images/6eda18a64a660fa149575454e54e7156.png) **Scope** Select **Add**. - ![Image of configuration settings](images/1c08d097829863778d562c10c5f92b67.png) + ![Image of configuration settings ad1img](images/1c08d097829863778d562c10c5f92b67.png) - ![Image of configuration settings](images/216253cbfb6ae738b9f13496b9c799fd.png) + ![Image of configuration settings ad2img](images/216253cbfb6ae738b9f13496b9c799fd.png) **Self-Service** - ![Image of configuration settings](images/c9f85bba3e96d627fe00fc5a8363b83a.png) + ![Image of configuration settings selfservice](images/c9f85bba3e96d627fe00fc5a8363b83a.png) 19. Select **Done**. - ![Image of configuration settings](images/99679a7835b0d27d0a222bc3fdaf7f3b.png) + ![Image of configuration settings do1img](images/99679a7835b0d27d0a222bc3fdaf7f3b.png) - ![Image of configuration settings](images/632aaab79ae18d0d2b8e0c16b6ba39e2.png) + ![Image of configuration settings do2img](images/632aaab79ae18d0d2b8e0c16b6ba39e2.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index f8dd7f0bd7..38addca0cd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md @@ -43,7 +43,7 @@ The following steps can be used to troubleshoot and mitigate these issues: 1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender for Endpoint for Mac is contributing to the performance issues. - If your device is not managed by your organization, real-time protection can be disabled using one of the following options: + If your device is not managed by your organization, real-time protection can be disabled using one of the following options: - From the user interface. Open Microsoft Defender for Endpoint for Mac and navigate to **Manage settings**. 
@@ -55,10 +55,102 @@ The following steps can be used to troubleshoot and mitigate these issues: mdatp config real-time-protection --value disabled ``` - If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). + If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). + + If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case, please contact customer support for further instructions and mitigation. 2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. -3. Configure Microsoft Defender for Endpoint for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. +1. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Mac. + + > [!NOTE] + > This feature is available in version 100.90.70 or newer. + This feature is enabled by default on the **Dogfood** and **InsiderFast** channels. If you're using a different update channel, this feature can be enabled from the command line: + + ```bash + mdatp config real-time-protection-statistics --value enabled + ``` + + This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command: + + ```bash + mdatp health --field real_time_protection_enabled + ``` + + Verify that the **real_time_protection_enabled** entry is true. 
Otherwise, run the following command to enable it: + + ```bash + mdatp config real-time-protection --value enabled + ``` + + ```output + Configuration property updated + ``` + + To collect current statistics, run: + + ```bash + mdatp config real-time-protection --value enabled + ``` + + > [!NOTE] + > Using **--output json** (note the double dash) ensures that the output format is ready for parsing. + + The output of this command will show all processes and their associated scan activity. + +1. On your Mac system, download the sample Python parser high_cpu_parser.py using the command: + + ```bash + wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py + ``` + + The output of this command should be similar to the following: + + ```Output + --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft. + mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.xxx.xxx| :443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 1020 [text/plain] + Saving to: 'high_cpu_parser.py' + 100%[===========================================>] 1,020 --.-K/s in + 0s + ``` + +1. Next, type the following commands: + + ```bash + chmod +x high_cpu_parser.py + ``` + + ```bash + cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log + ``` + + The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact. + + For example, the output of the command will be something like the below: + + ```output + ... 
> python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 + 27432 None 76703 + 73467 actool 1249 + 73914 xcodebuild 1081 + 73873 bash 1050 + 27475 None 836 + 1 launchd 407 + 73468 ibtool 344 + 549 telemetryd_v1 325 + 4764 None 228 + 125 CrashPlanService 164 + ``` + + To improve the performance of Defender for Endpoint for Mac, locate the one with the highest number under the Total files scanned row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + + > [!NOTE] + > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. + +1. Configure Microsoft Defender for Endpoint for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. See [Configure and validate exclusions for Microsoft Defender for Endpoint for Mac](mac-exclusions.md) for details. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md index 57c75b7e1f..2dcc5842d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md 
@@ -55,7 +55,7 @@ These steps assume you already have Defender for Endpoint running on your device If your device isn't already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect the next time the product starts (when the next product update is installed, or when the device is rebooted). ```bash - defaults write com.microsoft.autoupdate2 ChannelName -string InsiderFast + defaults write com.microsoft.autoupdate2 ChannelName -string Beta ``` Alternatively, if you're in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [Deploy updates for Microsoft Defender ATP for Mac: Set the channel name](mac-updates.md#set-the-channel-name). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md index 518755e4a6..c0e133184e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md 
@@ -57,19 +57,27 @@ This section describes the most common preferences that can be used to configure ### Set the channel name -The channel determines the type and frequency of updates that are offered through MAU. Devices in `InsiderFast` (corresponding to the Insider Fast channel) can try out new features before devices in `External` (corresponding to the Insider Slow channel) and `Production`. +The channel determines the type and frequency of updates that are offered through MAU. Devices in `Beta` can try out new features before devices in `Preview` and `Current`. -The `Production` channel contains the most stable version of the product. +The `Current` channel contains the most stable version of the product. + +>[!IMPORTANT] +> Prior to Microsoft AutoUpdate version 4.29, channels had different names: +> +> - `Beta` was named `InsiderFast` (Insider Fast) +> - `Preview` was named `External` (Insider Slow) +> - `Current` was named `Production` >[!TIP] ->In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `InsiderFast` or `External`. +>In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `Beta` or `Preview`. ||| -|:---|:---| +|:--|:--| | **Domain** | com.microsoft.autoupdate2 | | **Key** | ChannelName | | **Data type** | String | -| **Possible values** | InsiderFast
External
Production | +| **Possible values** | Beta
Preview
Current | +||| >[!WARNING] >This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender for Endpoint for Mac, execute the following command after replacing `[channel-name]` with the desired channel: @@ -82,62 +90,67 @@ The `Production` channel contains the most stable version of the product. Change how often MAU searches for updates. ||| -|:---|:---| +|:--|:--| | **Domain** | com.microsoft.autoupdate2 | | **Key** | UpdateCheckFrequency | | **Data type** | Integer | | **Default value** | 720 (minutes) | | **Comment** | This value is set in minutes. | +||| ### Change how MAU interacts with updates Change how MAU searches for updates. ||| -|:---|:---| +|:--|:--| | **Domain** | com.microsoft.autoupdate2 | | **Key** | HowToCheck | | **Data type** | String | | **Possible values** | Manual
AutomaticCheck
AutomaticDownload | | **Comment** | Note that AutomaticDownload will do a download and install silently if possible. | +||| ### Change whether the "Check for Updates" button is enabled Change whether local users will be able to click the "Check for Updates" option in the Microsoft AutoUpdate user interface. ||| -|:---|:---| +|:--|:--| | **Domain** | com.microsoft.autoupdate2 | | **Key** | EnableCheckForUpdatesButton | | **Data type** | Boolean | | **Possible values** | True (default)
False | +||| ### Disable Insider checkbox Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users. ||| -|:---|:---| +|:--|:--| | **Domain** | com.microsoft.autoupdate2 | | **Key** | DisableInsiderCheckbox | | **Data type** | Boolean | | **Possible values** | False (default)
True | +||| ### Limit the telemetry that is sent from MAU Set to false to send minimal heartbeat data, no application usage, and no environment details. ||| -|:---|:---| +|:--|:--| | **Domain** | com.microsoft.autoupdate2 | | **Key** | SendAllTelemetryEnabled | | **Data type** | Boolean | | **Possible values** | True (default)
False | +||| ## Example configuration profile The following configuration profile is used to: -- Place the device in the Insider Fast channel +- Place the device in the Beta channel - Automatically download and install updates - Enable the "Check for updates" button in the user interface - Allow users on the device to enroll into the Insider channels @@ -150,7 +163,7 @@ The following configuration profile is used to: ChannelName - InsiderFast + Beta HowToCheck AutomaticDownload EnableCheckForUpdatesButton @@ -210,7 +223,7 @@ The following configuration profile is used to: PayloadEnabled ChannelName - InsiderFast + Beta HowToCheck AutomaticDownload EnableCheckForUpdatesButton diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index a7440b08d2..a1769aa84a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -36,6 +36,11 @@ ms.technology: mde > [!IMPORTANT] > Support for macOS 10.13 (High Sierra) has been discontinued on February 15th, 2021. +## 101.23.64 (20.121021.12364.0) + +- Added a new option to the command-line tool to view information about the last on-demand scan. To view information about the last on-demand scan, run `mdatp health --details antivirus` +- Performance improvements & bug fixes + ## 101.22.79 (20.121012.12279.0) - Performance improvements & bug fixes diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md index 460b94e65a..9a445faf14 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md 
@@ -40,20 +40,22 @@ This managed threat hunting service provides expert-driven insights and data thr > [!NOTE] > Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service. -If you're a Microsoft Defender for Endpoint customer, you need to apply for Microsoft Threat Experts - Targeted Attack Notifications to get special insights and analysis that help identify the most critical threats so you can respond to them quickly. Contact your account team or Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand to consult with our threat experts on relevant detections and adversaries. +If you're a Microsoft Defender for Endpoint customer, you need to apply for **Microsoft Threat Experts - Targeted Attack Notifications** to get special insights and analysis that help identify the most critical threats in your environment so you can respond to them quickly. To enroll to Microsoft Threat Experts - Targeted Attack Notifications benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts - Targeted Attack Notifications** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications. +Contact your account team or Microsoft representative to subscribe to **Microsoft Threat Experts - Experts on Demand** to consult with our threat experts on relevant detections and adversaries that your organization is facing. + See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details. -## Targeted attack notification -Microsoft Threat Experts provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. These notifications shows up as a new alert. 
The managed hunting service includes: +## Microsoft Threat Experts - Targeted attack notification +Microsoft Threat Experts - Targeted attack notification provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. These notifications shows up as a new alert. The managed hunting service includes: - Threat monitoring and analysis, reducing dwell time and risk to the business - Hunter-trained artificial intelligence to discover and prioritize both known and unknown attacks - Identifying the most important risks, helping SOCs maximize time and energy - Scope of compromise and as much context as can be quickly delivered to enable fast SOC response. -## Collaborate with experts, on demand +## Microsoft Threat Experts - Experts on Demand Customers can engage our security experts directly from within Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised devices, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can: - Get additional clarification on alerts including root cause or scope of the incident - Gain clarity into suspicious device behavior and next steps if faced with an advanced attacker diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 7ff00a13e3..3af559d037 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md 
@@ -31,6 +31,11 @@ ms.date: 03/08/2021 Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet. Network protection expands the scope of [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). Network protection is supported on Windows, beginning with Windows 10, version 1709. +Network Protection is not yet supported on other operating systems. To learn which Web Protection functionality is supported using the Edge (Chromium) browser, see [Web protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview) to find out which Web Protection functionality is supported using the Edge (Chromium) browser. + +Network Protection extends the protection in [Web protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview) to an OS level – and would thus provide Web protection functionality in Edge to other supported browsers as well as non-browser applications. +In addition, Network Protection provides visibility and blocking of Indicators of Compromise (IOCs) when used with [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) including the enforcement of your [custom indicator list](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). + For more information about how to enable network protection, see [Enable network protection](enable-network-protection.md). 
Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. @@ -88,6 +93,23 @@ This procedure creates a custom view that filters to only show the following eve | 1125 | Event when network protection fires in audit mode | | 1126 | Event when network protection fires in block mode | + +## Considerations for Windows virtual desktop running Windows 10 Enterprise Multi-Session +Due to the multi-user nature of this operating system, please observe the following: + +1. Network Protection is a machine-wide feature and cannot be targeted to specific user (sessions). +2. This applies to Web content filtering policies as well. +3. If differentiation between user groups is required, consider creating separate Windows Virtual Desktop host pools and assignments. +4. Test Network Protection in audit mode to test behavior before blocking. +5. Due to the multi-user nature, you may consider resizing your deployment accordingly. + +Alternative option: +For Windows 10 Enterprise Multi-Session 1909 and up, used in Windows Virtual Desktop on Azure, Network protection for Microsoft Edge can be enabled using the following method: + +1. Use Turn on network protection - Windows security | Microsoft Docs and follow the instructions to apply your policy +2. Execute the following PowerShell command: Set-MpPreference -AllowNetworkProtectionOnWinServer 1 + + ## Related articles - [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created. diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 845231f559..0febc465a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md 
@@ -31,14 +31,11 @@ ms.technology: mde - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink) The Defender for Endpoint service is constantly being updated to include new feature enhancements and capabilities. -> [!TIP] -> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink) - Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience. >[!TIP] @@ -64,14 +61,6 @@ The following features are included in the preview release: - [Device health and compliance report](machine-reports.md)
The device health and compliance report provides high-level information about the devices in your organization. -- [Information protection](information-protection-in-windows-overview.md)
-Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender for Endpoint is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. - - >[!NOTE] - >Partially available from Windows 10, version 1809. - -- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019)
Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices. - > [!TIP] > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index 18151f137c..3662667af2 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -31,7 +31,6 @@ The Security Compliance Toolkit consists of: - Windows 10 Version 20H2 (October 2020 Update) - Windows 10 Version 2004 (May 2020 Update) - Windows 10 Version 1909 (November 2019 Update) - - Windows 10 Version 1903 (May 2019 Update) - Windows 10 Version 1809 (October 2018 Update) - Windows 10 Version 1803 (April 2018 Update) - Windows 10 Version 1607 (Anniversary Update) diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index 1a451b7545..e14bb95c30 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md 
@@ -10,11 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance -author: jsuther1974 +author: dansimp ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 05/21/2019 ms.technology: mde --- @@ -92,4 +91,65 @@ Example 3: Allows a specific COM object to register in PowerShell ``` +### How to configure settings for the CLSIDs +Given the following example of an error in the Event Viewer (**Application and Service Logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**): + +Log Name: Microsoft-Windows-AppLocker/MSI and Script +Source: Microsoft-Windows-AppLocker +Date: 11/11/2020 1:18:11 PM +Event ID: 8036 +Task Category: None +Level: Error +Keywords: +User: S-1-5-21-3340858017-3068726007-3466559902-3647 +Computer: contoso.com +Description: +{f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy. + +Event XML: + +```XML + + + + 8036 + 0 + 2 + 0 + 0 + 0x4000000000000000 + + 819347 + + + Microsoft-Windows-AppLocker/MSI and Script + contoso.com + + + + false + {f8d253d9-89a4-4daa-87b6-1168369f0b21} + + +``` + +To add this CLSID to the existing policy, use the following steps: + +1. Open PowerShell ISE with Administrative privileges. +2. Copy and edit this command, then run it from the admin PowerShell ISE. Consider the policy name to be `WDAC_policy.xml`. + +```PowerShell +PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath \WDAC_policy.xml -Key 8856f961-340a-11d0-a96b-00c04fd705a2 -Provider WSH -Value True -ValueName EnterpriseDefinedClsId -ValueType Boolean +``` + +Once the command has been run, you will find that the following section is added to the policy XML. + +```XML + + + + true + + +``` diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index 562b8ec51b..6e7a63e0fe 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md 
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md @@ -18,7 +18,7 @@ ms.topic: article **Applies to** - Windows 10, version 2004 -This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909. +This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909. To download and install Windows 10, version 2004, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, see this [video](https://aka.ms/Windows-10-May-2020-Update). 
@@ -33,7 +33,7 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings - You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. -- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#windows-hello-pin-in-safe-mode-build-18995). +- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995). - Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). 
@@ -108,17 +108,17 @@ Windows PowerShell cmdlets have been improved: - **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting. Additional improvements: -- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. +- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. - Automatic cloud-based congestion detection is available for PCs with cloud service support. The following [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) policies are removed in this release: - Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) - - Reason: Replaced with separate policies for foreground and background + - Reason: Replaced with separate policies for foreground and background. - Max Upload Bandwidth (DOMaxUploadBandwidth) - - Reason: impacts uploads to internet peers only, which isn't used in Enterprises. + - Reason: Impacts uploads to internet peers only, which isn't used in enterprises. - Absolute max throttle (DOMaxDownloadBandwidth) - - Reason: separated to foreground and background + - Reason: Separated to foreground and background. ### Windows Update for Business 
@@ -134,11 +134,11 @@ The following [Delivery Optimization](https://docs.microsoft.com/windows/deploym ### Wi-Fi 6 and WPA3 -Windows now supports the latest Wi-Fi standards with [Wi-Fi 6 and WPA3](https://support.microsoft.com/help/4562575/windows-10-faster-more-secure-wifi). Wi-Fi 6 gives you better wireless coverage and performance with added security. WPA3 provides improved Wi-Fi security and secures open networks. +Windows now supports the latest Wi-Fi standards with [Wi-Fi 6 and WPA3](https://support.microsoft.com/help/4562575/windows-10-faster-more-secure-wifi). Wi-Fi 6 gives you better wireless coverage and performance with added security. WPA3 provides improved Wi-Fi security and secures open networks. ### TEAP -In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added as an authentication method to allow chaining together multiple credentials into a single EAP transaction. TEAP networks can be configured by [enterprise policy](https://docs.microsoft.com/openspecs/windows_protocols/ms-gpwl/94cf6896-c28e-4865-b12a-d83ee38cd3ea). +In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added as an authentication method to allow chaining together multiple credentials into a single EAP transaction. TEAP networks can be configured by [enterprise policy](https://docs.microsoft.com/openspecs/windows_protocols/ms-gpwl/94cf6896-c28e-4865-b12a-d83ee38cd3ea). ## Virtualization 
@@ -182,7 +182,7 @@ Also see information about the exciting new Edge browser [here](https://blogs.wi ## Application settings -This release enables explicit [control over when Windows automatically restarts apps](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC. +This release enables explicit [Control over restarting apps at sign-in (Build 18965)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC. ## Windows Shell 
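Review bot: The rewritten sentence in the Application settings hunk no longer parses: "This release enables explicit [Control over restarting apps at sign-in (Build 18965)](…) that were open when you restart your PC" attaches "that were open" to the link title rather than to "apps", so the reader is left with a sentence that has no subject for the relative clause. Keep the original descriptive link text and change only the URL, for example `This release enables explicit [control over when Windows automatically restarts apps](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC.` Pasting the Insider blog's heading verbatim as link text is also what produced the stray capital "Control" mid-sentence.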
@@ -194,8 +194,8 @@ Several enhancements to the Windows 10 user interface are implemented in this re - Productivity: chat-based UI gives you the ability to [interact with Cortana using typed or spoken natural language queries](https://support.microsoft.com/help/4557165) to easily get information across Microsoft 365 and stay on track. Productivity focused capabilities such as finding people profiles, checking schedules, joining meetings, and adding to lists in Microsoft To Do are currently available to English speakers in the US. - - In the coming months, with regular app updates through the Microsoft Store, we’ll enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users. - + - In the coming months, with regular app updates through the Microsoft Store, we’ll enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users. + - Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365’s enterprise-level privacy, security, and compliance promises](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide) as set out in the Online Services Terms. - Move the Cortana window: drag the Cortana window to a more convenient location on your desktop. 
@@ -208,7 +208,7 @@ Windows Search is improved in several ways. For more information, see [Superchar ### Virtual Desktops -You can now [rename your virtual desktops](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#renaming-your-virtual-desktops-build-18975), instead of getting stuck with the system-issued names like Desktop 1. +There is a new [Update on Virtual Desktop renaming (Build 18975)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely. ### Bluetooth pairing @@ -216,13 +216,13 @@ Pairing Bluetooth devices with your computer will occur through notifications, s ### Reset this PC -The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-reset-this-pc-option-cloud-download-build-18970) option. +The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#reset-your-pc-from-the-cloud-build-18970) option. ### Task Manager The following items are added to Task Manager in this release: - GPU Temperature is available on the Performance tab for devices with a dedicated GPU card. -- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#disk-type-visible-in-task-manager-performance-tab-build-18898). +- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#disk-type-now-visible-in-task-manager-performance-tab-build-18898). ## Graphics & display 
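Review bot: The replacement sentence in the Virtual Desktops hunk is harder to read than the line it replaces: "There is a new [Update on Virtual Desktop renaming (Build 18975)](…), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely" buries the actual feature (desktops can be renamed) behind the blog post's title and three commas, and "more freely" implies a previous, more limited renaming that the page never described. Keep the original wording and swap only the URL: `You can now [rename your virtual desktops](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), instead of getting stuck with the system-issued names like Desktop 1.` The Reset this PC and Task Manager URL updates in the following hunk are fine as written.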
@@ -232,7 +232,7 @@ The following items are added to Task Manager in this release: ### 2-in-1 PCs -A [new tablet experience](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for two-in-one convertible PCs is available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption. +See [Introducing a new tablet experience for 2-in-1 convertible PCs! (Build 18970)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#introducing-a-new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for details on a new tablet experience for two-in-one convertible PCs that is now available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption. ### Specialized displays 
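Review bot: In the 2-in-1 PCs hunk the new opening "See [Introducing a new tablet experience for 2-in-1 convertible PCs! (Build 18970)](…) for details on a new tablet experience for two-in-one convertible PCs that is now available" says "new tablet experience for 2-in-1/two-in-one convertible PCs" twice in one sentence and carries the blog headline's exclamation mark into a reference article. The original `A [new tablet experience](…) for two-in-one convertible PCs is available.` was clearer; keep that sentence and update only the link target to the archive anchor, as the other hunks in this file do.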
@@ -245,24 +245,24 @@ Examples include: - Dedicated video monitoring - Monitor panel testing and validation - Independent Hardware Vendor (IHV) driver testing and validation - + To prevent Windows from using a display, choose Settings > Display and click Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On. The display will now be available for a specialized use. ## Desktop Analytics -[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license. +[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license. For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/whats-new). ## See Also - - [What’s new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.
- - [What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.
- - [What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
- - [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
- - [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
- - [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
- - [What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.
- - [What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
- - [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
- - [Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
+- [What’s new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog. +- [What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog. +- [What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server. +- [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features. +- [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10. +- [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers. +- [What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/Active-Dev-Branch): A preview of new features for businesses. +- [What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features. +- [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features. +- [Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
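Review bot: In the allow-com-object-registration hunk, the CLSID the walkthrough says it is adding is not the CLSID the command adds: the sample Event ID 8036 reports `{f8d253d9-89a4-4daa-87b6-1168369f0b21}` as blocked, but the Set-CIPolicySetting line passes `-Key 8856f961-340a-11d0-a96b-00c04fd705a2`, so a reader who copies the command allows a different COM object than the one in their log. Use one GUID consistently in the event, the command and the resulting `<Setting>` fragment, or state plainly that the key is a placeholder to be replaced with the GUID from the event. Two smaller problems with the same command: `-FilePath \WDAC_policy.xml` is a root-relative path that will not normally exist (show the path the policy was actually saved to), and the `PS C:\WINDOWS\system32>` prompt inside the fenced block stops the line from being pasted as-is. The "Open PowerShell ISE" step is also unnecessary; any elevated PowerShell session with the ConfigCI module works. Because this procedure widens the allow list, the section should tell the reader to first identify which COM server the CLSID from the 8036 event resolves to (its registration under HKCR\CLSID) and which host is loading it before choosing `-Provider`, rather than allowing whatever GUID appears in the log, and it should end by noting that the edited XML only takes effect after it is converted with ConvertFrom-CIPolicy and the binary policy is redeployed. Finally, removing `ms.date` while adding new guidance leaves the page with no last-reviewed date; set it to the publication date instead.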