diff --git a/.gitignore b/.gitignore
index 1be8bb9955..9841e0daea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,7 +5,7 @@ obj/
_site/
Tools/NuGet/
.optemp/
-Thumbs.db
+*.db
.DS_Store
*.ini
_themes*/
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 2ffc227a40..3e1c1d1d11 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -65,22 +65,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "mdop",
- "build_source_folder": "mdop",
- "build_output_subfolder": "mdop",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "microsoft-edge",
"build_source_folder": "browsers/edge",
@@ -145,38 +129,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "surface",
- "build_source_folder": "devices/surface",
- "build_output_subfolder": "surface",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "surface-hub",
- "build_source_folder": "devices/surface-hub",
- "build_output_subfolder": "surface-hub",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "win-access-protection",
"build_source_folder": "windows/access-protection",
@@ -480,5 +432,8 @@
}
},
"need_generate_pdf": false,
- "need_generate_intellisense": false
+ "need_generate_intellisense": false,
+ "docs_build_engine": {
+ "name": "docfx_v3"
+ }
}
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 52940ae69f..aaf6321d69 100644
Binary files a/.openpublishing.redirection.json and b/.openpublishing.redirection.json differ
diff --git a/.vscode/extensions.json b/.vscode/extensions.json
deleted file mode 100644
index af02986a5a..0000000000
--- a/.vscode/extensions.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "recommendations": [
- "docsmsft.docs-authoring-pack"
- ]
-}
\ No newline at end of file
diff --git a/.vscode/settings.json b/.vscode/settings.json
deleted file mode 100644
index 9c0086e560..0000000000
--- a/.vscode/settings.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "cSpell.words": [
- "intune",
- "kovter",
- "kovter's",
- "poshspy"
- ]
-}
\ No newline at end of file
diff --git a/browsers/edge/about-microsoft-edge.md b/browsers/edge/about-microsoft-edge.md
index e2453e5990..e0085148dd 100644
--- a/browsers/edge/about-microsoft-edge.md
+++ b/browsers/edge/about-microsoft-edge.md
@@ -11,7 +11,6 @@ ms.prod: edge
ms.mktglfcycl: general
ms.topic: reference
ms.sitesec: library
-title: Microsoft Edge for IT Pros
ms.localizationpriority: medium
ms.date: 10/02/2018
---
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index 37bef54e3a..48d52140c5 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -1,5 +1,5 @@
---
-description: You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many.
+description: You can customize your organization's browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many.
ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165
ms.reviewer:
author: dansimp
@@ -18,7 +18,10 @@ ms.localizationpriority: medium
> Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile
-You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. For example, you can set up multiple security settings in a Group Policy Object (GPO) linked to a domain, and then apply those settings to every computer in the domain.
+> [!NOTE]
+> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
+
+You can customize your organization's browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. For example, you can set up multiple security settings in a Group Policy Object (GPO) linked to a domain, and then apply those settings to every computer in the domain.
Other policy settings in Microsoft Edge include allowing Adobe Flash content to play automatically, provision a favorites list, set default search engine, and more. You configure a Group Policy setting in the Administrative Templates folders, which are registry-based policy settings that Group Policy enforces. Group Policy stores these settings in a specific registry location, which users cannot change. Also, Group Policy-aware Windows features and applications look for these settings in the registry, and if found the policy setting gets used instead of the regular settings.
diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml
index cb590ce308..f55040beb3 100644
--- a/browsers/edge/group-policies/index.yml
+++ b/browsers/edge/group-policies/index.yml
@@ -6,8 +6,6 @@ title: Microsoft Edge Legacy group policies
metadata:
- document_id:
-
title: Microsoft Edge Legacy group policies
description: Learn how to configure group policies in Microsoft Edge Legacy on Windows 10.
diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
index 8249262926..d906bfc6ce 100644
--- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
+++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
@@ -15,6 +15,8 @@ ms.date: 01/17/2020
---
# Deploy Microsoft Edge Legacy kiosk mode
+> [!IMPORTANT]
+> Microsoft 365 apps and services will not support Internet Explorer 11 starting August 17, 2021 (Microsoft Teams will not support Internet Explorer 11 earlier, starting November 30, 2020). [Learn more](https://aka.ms/AA97tsw). Please note that Internet Explorer 11 will remain a supported browser. Internet Explorer 11 is a component of the Windows operating system and [follows the Lifecycle Policy](https://docs.microsoft.com/lifecycle/faq/internet-explorer-microsoft-edge) for the product on which it is installed.
> Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later
> Professional, Enterprise, and Education
diff --git a/browsers/edge/microsoft-edge.yml b/browsers/edge/microsoft-edge.yml
index 5c105dcdc2..2b47ccaaf7 100644
--- a/browsers/edge/microsoft-edge.yml
+++ b/browsers/edge/microsoft-edge.yml
@@ -3,7 +3,6 @@
documentType: LandingData
title: Microsoft Edge
metadata:
- document_id:
title: Microsoft Edge
description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization.
keywords: Microsoft Edge, issues, fixes, announcements, Windows Server, advisories
diff --git a/browsers/edge/troubleshooting-microsoft-edge.md b/browsers/edge/troubleshooting-microsoft-edge.md
index 3c50d4d50e..5479f689f3 100644
--- a/browsers/edge/troubleshooting-microsoft-edge.md
+++ b/browsers/edge/troubleshooting-microsoft-edge.md
@@ -9,7 +9,6 @@ author: dansimp
ms.author: dansimp
ms.prod: edge
ms.sitesec: library
-title: Deploy Microsoft Edge kiosk mode
ms.localizationpriority: medium
ms.date: 10/15/2018
---
diff --git a/browsers/edge/use-powershell-to manage-group-policy.md b/browsers/edge/use-powershell-to manage-group-policy.md
index 58a6b06b27..1b6d2e9338 100644
--- a/browsers/edge/use-powershell-to manage-group-policy.md
+++ b/browsers/edge/use-powershell-to manage-group-policy.md
@@ -5,7 +5,6 @@ ms.prod: edge
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros)
ms.localizationpriority: medium
ms.date: 10/02/2018
ms.reviewer:
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index 50208546bb..576a1de28f 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -7,6 +7,7 @@
"**/*.yml"
],
"exclude": [
+ "**/includes/**",
"**/obj/**"
]
}
diff --git a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md
index 8fe62f2f79..f09832c403 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md
@@ -1,49 +1,53 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: How to use Group Policy to install ActiveX controls.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 59185370-558c-47e0-930c-8a5ed657e9e3
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: ActiveX installation using group policy (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Group Policy and ActiveX installation
-
-ActiveX controls are installed and invoked using the HTML object tag with the CODEBASE attribute. This attribute, through a URL, makes Internet Explorer:
-
-- Get the ActiveX control if it's not already installed.
-
-- Download the installation package.
-
-- Perform trust verification on the object.
-
-- Prompt for installation permission, using the IE Information Bar.
-
-During installation, the rendering page registers and invokes the control, so that after installation, any standard user can invoke the control.
-
-**Important** ActiveX control installation requires administrator-level permissions.
-
-## Group Policy for the ActiveX Installer Service
-
-You use the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. The AXIS-related settings can be changed using either the Group Policy Management Console (GPMC) or the Local Group Policy Editor, and include:
-
-- **Approved Installation Sites for ActiveX Controls.** A list of approved installation sites used by AXIS to determine whether it can install a particular ActiveX control.
-
-- **ActiveX installation policy for sites in trusted zones.** Identifies how AXIS should behave when a website tries to install an ActiveX control. First, AXIS looks to see if the site appears in either the list of approved installation sites or in the **Trusted sites** zone. If the does, then AXIS checks to make sure the control meets your company's policy requirements. If the ActiveX control meets all of these requirements, the control is installed.
-
-For more information about the ActiveX Installer Service, see [Administering the ActiveX Installer Service in Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=214503).
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: security
+description: How to use Group Policy to install ActiveX controls.
+author: dansimp
+ms.prod: ie11
+ms.assetid: 59185370-558c-47e0-930c-8a5ed657e9e3
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: ActiveX installation using group policy (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Group Policy and ActiveX installation
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+ActiveX controls are installed and invoked using the HTML object tag with the CODEBASE attribute. This attribute, through a URL, makes Internet Explorer:
+
+- Get the ActiveX control if it's not already installed.
+
+- Download the installation package.
+
+- Perform trust verification on the object.
+
+- Prompt for installation permission, using the IE Information Bar.
+
+During installation, the rendering page registers and invokes the control, so that after installation, any standard user can invoke the control.
+
+**Important** ActiveX control installation requires administrator-level permissions.
+
+## Group Policy for the ActiveX Installer Service
+
+You use the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. The AXIS-related settings can be changed using either the Group Policy Management Console (GPMC) or the Local Group Policy Editor, and include:
+
+- **Approved Installation Sites for ActiveX Controls.** A list of approved installation sites used by AXIS to determine whether it can install a particular ActiveX control.
+
+- **ActiveX installation policy for sites in trusted zones.** Identifies how AXIS should behave when a website tries to install an ActiveX control. First, AXIS looks to see if the site appears in either the list of approved installation sites or in the **Trusted sites** zone. If the does, then AXIS checks to make sure the control meets your company's policy requirements. If the ActiveX control meets all of these requirements, the control is installed.
+
+For more information about the ActiveX Installer Service, see [Administering the ActiveX Installer Service in Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=214503).
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md
index 664bc596e1..455bae28bd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md
@@ -1,68 +1,72 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how to add employees to the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
----
-
-# Add employees to the Enterprise Mode Site List Portal
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups.
-
-The available roles are:
-
-- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests.
-
-- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
-
-- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
-
-- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page.
-
-**To add an employee to the Enterprise Mode Site List Portal**
-1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page.
-
- The **Employee management** page appears.
-
-2. Click **Add a new employee**.
-
- The **Add a new employee** page appears.
-
-3. Fill out the fields for each employee, including:
-
- - **Email.** Add the employee's email address.
-
- - **Name.** This box autofills based on the email address.
-
- - **Role.** Pick a single role for the employee, based on the list above.
-
- - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers.
-
- - **Comments.** Add optional comments about the employee.
-
- - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box.
-
-4. Click **Save**.
-
-**To export all employees to an Excel spreadsheet**
-1. On the **Employee management** page, click **Export to Excel**.
-
-2. Save the EnterpriseModeUsersList.xlsx file.
-
- The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name.
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to add employees to the Enterprise Mode Site List Portal.
+author: dansimp
+ms.prod: ie11
+title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+---
+
+# Add employees to the Enterprise Mode Site List Portal
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups.
+
+The available roles are:
+
+- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests.
+
+- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
+
+- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
+
+- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page.
+
+**To add an employee to the Enterprise Mode Site List Portal**
+1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page.
+
+ The **Employee management** page appears.
+
+2. Click **Add a new employee**.
+
+ The **Add a new employee** page appears.
+
+3. Fill out the fields for each employee, including:
+
+ - **Email.** Add the employee's email address.
+
+ - **Name.** This box autofills based on the email address.
+
+ - **Role.** Pick a single role for the employee, based on the list above.
+
+ - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers.
+
+ - **Comments.** Add optional comments about the employee.
+
+ - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box.
+
+4. Click **Save**.
+
+**To export all employees to an Excel spreadsheet**
+1. On the **Employee management** page, click **Export to Excel**.
+
+2. Save the EnterpriseModeUsersList.xlsx file.
+
+ The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
index 8ead60630e..57c8991c7d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
@@ -1,112 +1,116 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)
-
-**Applies to:**
-
-- Windows 8.1
-- Windows 7
-
-You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones.
-
-If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md).
-
-## Create an Enterprise Mode site list (TXT) file
-You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.
**Important** This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company.
-
-You must separate each site using commas or carriage returns. For example:
-
-```
-microsoft.com, bing.com, bing.com/images
-```
-**-OR-**
-
-```
-microsoft.com
-bing.com
-bing.com/images
-```
-
-## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema
-You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
-
-Each XML file must include:
-
-- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.
**Important** After this check, IE11 won’t look for an updated list again until you restart the browser.
-
-- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.
**Important** If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5.
-
-- <docMode> tag.This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
-
-### Enterprise Mode v.1 XML schema example
-The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
-
-```
-
-
- www.cpandl.com
- www.woodgrovebank.com
- adatum.com
- contoso.com
- relecloud.com
- /about
-
- fabrikam.com
- /products
-
-
-
- contoso.com
- /travel
-
- fabrikam.com
- /products
-
-
-
-```
-
-To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.
**Important** If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (.
-
-## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1)
-After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1).
-
- **To add multiple sites**
-
-1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**.
-
-2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.
-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
-
-3. Click **OK** to close the **Bulk add sites to the list** menu.
-
-4. On the **File** menu, click **Save to XML**, and save your file.
-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
-
-## Next steps
-After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Related topics
-- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager.
+author: dansimp
+ms.prod: ie11
+ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+**Applies to:**
+
+- Windows 8.1
+- Windows 7
+
+You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones.
+
+If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md).
+
+## Create an Enterprise Mode site list (TXT) file
+You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.
**Important** This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company.
+
+You must separate each site using commas or carriage returns. For example:
+
+```
+microsoft.com, bing.com, bing.com/images
+```
+**-OR-**
+
+```
+microsoft.com
+bing.com
+bing.com/images
+```
+
+## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema
+You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+Each XML file must include:
+
+- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.
**Important** After this check, IE11 won’t look for an updated list again until you restart the browser.
+
+- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.
**Important** If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5.
+
+- <docMode> tag.This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+### Enterprise Mode v.1 XML schema example
+The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+```
+
+
+ www.cpandl.com
+ www.woodgrovebank.com
+ adatum.com
+ contoso.com
+ relecloud.com
+ /about
+
+ fabrikam.com
+ /products
+
+
+
+ contoso.com
+ /travel
+
+ fabrikam.com
+ /products
+
+
+
+```
+
+To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.
**Important** If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (.
+
+## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1)
+After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1).
+
+ **To add multiple sites**
+
+1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**.
+
+2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.
+Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+3. Click **OK** to close the **Bulk add sites to the list** menu.
+
+4. On the **File** menu, click **Save to XML**, and save your file.
+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
+
+## Next steps
+After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Related topics
+- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
index 78f0903d6f..37ef55dea6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
@@ -16,7 +16,10 @@ ms.date: 10/24/2017
---
-# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)
+# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
**Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
index 8b8435daff..8c5e4b4426 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
@@ -1,66 +1,70 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)
-
-**Applies to:**
-
-- Windows 8.1
-- Windows 7
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
**Important** You can only add specific URLs, not Internet or Intranet Zones.
-
-
Note If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2).
-
- **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)**
-
-1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**.
-
-2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.
-Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation.
-
-3. Type any comments about the website into the **Notes about URL** box.
-Administrators can only see comments while they’re in this tool.
-
-4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE.
-
-The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected.
-
-Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
-
-5. Click **Save** to validate your website and to add it to the site list for your enterprise.
- If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
-
-6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
- You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Next steps
-After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+author: dansimp
+ms.prod: ie11
+ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+**Applies to:**
+
+- Windows 8.1
+- Windows 7
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
**Important** You can only add specific URLs, not Internet or Intranet Zones.
+
+
Note If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2).
+
+ **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)**
+
+1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**.
+
+2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.
+Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation.
+
+3. Type any comments about the website into the **Notes about URL** box.
+Administrators can only see comments while they’re in this tool.
+
+4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE.
+
+The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected.
+
+Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+5. Click **Save** to validate your website and to add it to the site list for your enterprise.
+ If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
+
+6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
+ You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Next steps
+After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
index 0977b87b94..63f0d7bd6f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
@@ -16,7 +16,10 @@ ms.date: 07/27/2017
---
-# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)
+# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
**Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
index f08c08fcdb..23bb9ee14a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
@@ -1,82 +1,86 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Administrative templates and Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Administrative templates and Internet Explorer 11
-
-Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including:
-
-- What registry locations correspond to each setting.
-
-- What value options or restrictions are associated with each setting.
-
-- The default value for many settings.
-
-- Text explanations about each setting and the supported version of Internet Explorer.
-
-For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519).
-
-## What are Administrative Templates?
-Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates:
-
-- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor.
-
-- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language.
-
-## How do I store Administrative Templates?
-As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs).
-
Important Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files.
-
-## Administrative Templates-related Group Policy settings
-When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder.
-
Note You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the PolicyDefinitions folder on this computer.
-
-IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths:
-
-- Computer Configuration\\Administrative Templates\\Windows Components\\
-
-- User Configuration\\Administrative Templates\\Windows Components\\
-
-
-|Catalog |Description |
-| ------------------------------------------------ | --------------------------------------------|
-|IE |Turns standard IE configuration on and off. |
-|Internet Explorer\Accelerators |Sets up and manages Accelerators. |
-|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. |
-|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. |
-|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.|
-|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. |
-|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. |
-|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. |
-|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. |
-|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. |
-|Internet Explorer\Privacy |Turns various privacy-related features on and off. |
-|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. |
-|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. |
-|RSS Feeds |Sets up and manages RSS feeds in the browser. |
-
-
-## Editing Group Policy settings
-Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions:
-
-- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates.
-
-- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment.
-
-## Related topics
-- [Administrative templates (.admx) for Windows 10 April 2018 Update](https://www.microsoft.com/download/details.aspx?id=56880)
-- [Administrative templates (.admx) for Windows 10 October 2018 Update](https://www.microsoft.com/download/details.aspx?id=57576)
-- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580)
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: security
+description: Administrative templates and Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Administrative templates and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including:
+
+- What registry locations correspond to each setting.
+
+- What value options or restrictions are associated with each setting.
+
+- The default value for many settings.
+
+- Text explanations about each setting and the supported version of Internet Explorer.
+
+For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519).
+
+## What are Administrative Templates?
+Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates:
+
+- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor.
+
+- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language.
+
+## How do I store Administrative Templates?
+As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs).
+
Important Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files.
+
+## Administrative Templates-related Group Policy settings
+When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder.
+
Note You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the PolicyDefinitions folder on this computer.
+
+IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths:
+
+- Computer Configuration\\Administrative Templates\\Windows Components\\
+
+- User Configuration\\Administrative Templates\\Windows Components\\
+
+
+|Catalog |Description |
+| ------------------------------------------------ | --------------------------------------------|
+|IE |Turns standard IE configuration on and off. |
+|Internet Explorer\Accelerators |Sets up and manages Accelerators. |
+|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. |
+|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. |
+|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.|
+|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. |
+|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. |
+|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. |
+|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. |
+|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. |
+|Internet Explorer\Privacy |Turns various privacy-related features on and off. |
+|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. |
+|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. |
+|RSS Feeds |Sets up and manages RSS feeds in the browser. |
+
+
+## Editing Group Policy settings
+Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions:
+
+- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates.
+
+- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment.
+
+## Related topics
+- [Administrative templates (.admx) for Windows 10 April 2018 Update](https://www.microsoft.com/download/details.aspx?id=56880)
+- [Administrative templates (.admx) for Windows 10 October 2018 Update](https://www.microsoft.com/download/details.aspx?id=57576)
+- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
index 977e17394e..07687792a3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
@@ -1,62 +1,66 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
----
-
-# Approve a change request using the Enterprise Mode Site List Portal
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes.
-
-## Approve or reject a change request
-The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request.
-
-**To approve or reject a change request**
-1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page.
-
- The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane.
-
-2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons.
-
-3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**.
-
- An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request.
-
-
-## Send a reminder to the Approver(s) group
-If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group.
-
-- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**.
-
- An email is sent to the selected Approver(s).
-
-
-## View rejected change requests
-The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request.
-
-**To view the rejected change request**
-
-- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane.
-
- All rejected change requests appear, with role assignment determining which ones are visible.
-
-
-## Next steps
-After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic.
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
+author: dansimp
+ms.prod: ie11
+title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+---
+
+# Approve a change request using the Enterprise Mode Site List Portal
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes.
+
+## Approve or reject a change request
+The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request.
+
+**To approve or reject a change request**
+1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page.
+
+ The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane.
+
+2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons.
+
+3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**.
+
+ An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request.
+
+
+## Send a reminder to the Approver(s) group
+If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group.
+
+- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**.
+
+ An email is sent to the selected Approver(s).
+
+
+## View rejected change requests
+The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request.
+
+**To view the rejected change request**
+
+- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane.
+
+ All rejected change requests appear, with role assignment determining which ones are visible.
+
+
+## Next steps
+After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
index d45374e404..7dbfc19776 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
@@ -1,62 +1,66 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto configuration and auto proxy problems with Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Auto configuration and auto proxy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto configuration and auto proxy problems with Internet Explorer 11
-You might experience some problems using automatic configuration and auto-proxy with Internet Explorer 11.
-
-## Branding changes aren't distributed using automatic configuration
-If you've turned on the **Disable external branding of Internet Explorer** Group Policy Object, you won't be able to use automatic configuration to distribute your branding changes to your users' computers. When this object is turned on, it prevents the branding of IE by a non-Microsoft company or entity, such as an Internet service provider or Internet content provider. For more information about automatic configuration, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) and [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). For more information about Group Policy settings, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md).
-
-## Proxy server setup issues
-If you experience issues while setting up your proxy server, you can try these troubleshooting steps:
-
-- Check to make sure the proxy server address is right.
-
-- Check that both **Automatically detect settings** and **Automatic configuration** are turned on in the browser.
-
-- Check that the browser is pointing to the right automatic configuration script location.
-
- **To check your proxy server address**
-
-1. On the **Tools** menu, click **Internet Options**, and then **Connections**.
-
-2. Click **Settings** or **LAN Settings**, and then look at your proxy server address.
-
-3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.
**Note** If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652).
-
- **To check that you've turned on the correct settings**
-
-4. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
-
-5. Click **Settings** or **LAN Settings**.
-
-6. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.
**Note** If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again.
-
- **To check that you're pointing to the correct automatic configuration script location**
-
-7. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
-
-8. Click **Settings** or **LAN Settings**.
-
-9. In the **Automatic configuration** area, check that you've chosen the **Use automatic configuration script** box, and that it has the correct location to your automatic configuration script or for your automatic proxy URL.
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: networking
+description: Auto configuration and auto proxy problems with Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Auto configuration and auto proxy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Auto configuration and auto proxy problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+You might experience some problems using automatic configuration and auto-proxy with Internet Explorer 11.
+
+## Branding changes aren't distributed using automatic configuration
+If you've turned on the **Disable external branding of Internet Explorer** Group Policy Object, you won't be able to use automatic configuration to distribute your branding changes to your users' computers. When this object is turned on, it prevents the branding of IE by a non-Microsoft company or entity, such as an Internet service provider or Internet content provider. For more information about automatic configuration, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) and [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). For more information about Group Policy settings, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md).
+
+## Proxy server setup issues
+If you experience issues while setting up your proxy server, you can try these troubleshooting steps:
+
+- Check to make sure the proxy server address is right.
+
+- Check that both **Automatically detect settings** and **Automatic configuration** are turned on in the browser.
+
+- Check that the browser is pointing to the right automatic configuration script location.
+
+ **To check your proxy server address**
+
+1. On the **Tools** menu, click **Internet Options**, and then **Connections**.
+
+2. Click **Settings** or **LAN Settings**, and then look at your proxy server address.
+
+3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.
**Note** If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652).
+
+ **To check that you've turned on the correct settings**
+
+4. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
+
+5. Click **Settings** or **LAN Settings**.
+
+6. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.
**Note** If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again.
+
+ **To check that you're pointing to the correct automatic configuration script location**
+
+7. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
+
+8. Click **Settings** or **LAN Settings**.
+
+9. In the **Automatic configuration** area, check that you've chosen the **Use automatic configuration script** box, and that it has the correct location to your automatic configuration script or for your automatic proxy URL.
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
index 1b9a0ba9c8..82857ac50e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
@@ -1,74 +1,78 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto configuration settings for Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Auto configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto configuration settings for Internet Explorer 11
-Automatic configuration lets you apply custom branding and graphics to your internal Internet Explorer installations, running on Windows 8.1 or Windows Server 2012 R2. For more information about adding custom branding and graphics to your IE package, see [Customize the toolbar button and Favorites List icons using IEAK 11](../ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md).
**Important** You'll only see and be able to use the **IE Customization Wizard 11 - Automatic Configuration** page if you're creating an internal IE installation package. For more information about the **IE Customization Wizard 11 - Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
-
-## Adding the automatic configuration registry key
-For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry key to your IE installation package.
**Important** Follow these directions carefully because serious problems can occur if you update your registry incorrectly. For added protection, back up your registry so you can restore it if a problem occurs.
-
- **To add the registry key**
-
-1. On the **Start** screen, type **regedit**, and then click **Regedit.exe**.
-
-2. Right-click the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl` subkey, point to **New**, and then click **Key**.
-
-3. Enter the new key name, `FEATURE\AUTOCONFIG\BRANDING`, and then press Enter.
-
-4. Right-click `FEATURE\AUTOCONFIG\BRANDING`, point to **New**, and then click **DWORD (32-bit) Value**.
-
-5. Enter the new DWORD value name, **iexplore.exe**, and then press Enter.
-
-6. Right-click **iexplore.exe**, and then click **Modify**.
-
-7. In the **Value data** box, enter **1**, and then click **OK**.
-
-8. Exit the registry editor.
-
-## Updating your automatic configuration settings
-After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding.
-
Important Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter.
-
- **To update your settings**
-
-1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
-
-2. Choose the **Automatically detect configuration settings** check box to allow automatic detection of browser settings.
-
-3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including:
-
- - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that automatic configuration only happens when the computer restarts.
-
- - **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script.
-
- - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.
**Important** Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
-
-If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md).
-
-## Locking your automatic configuration settings
-You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
-
-- **Using Microsoft Active Directory.** Choose **Disable changing Automatic Configuration settings** from the Administrative Templates setting.
-
-- **Not Using Active Directory.** Choose the **Disable changing Automatic Configuration settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object.
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: networking
+description: Auto configuration settings for Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Auto configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Auto configuration settings for Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Automatic configuration lets you apply custom branding and graphics to your internal Internet Explorer installations, running on Windows 8.1 or Windows Server 2012 R2. For more information about adding custom branding and graphics to your IE package, see [Customize the toolbar button and Favorites List icons using IEAK 11](../ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md).
**Important** You'll only see and be able to use the **IE Customization Wizard 11 - Automatic Configuration** page if you're creating an internal IE installation package. For more information about the **IE Customization Wizard 11 - Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
+
+## Adding the automatic configuration registry key
+For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry key to your IE installation package.
**Important** Follow these directions carefully because serious problems can occur if you update your registry incorrectly. For added protection, back up your registry so you can restore it if a problem occurs.
+
+ **To add the registry key**
+
+1. On the **Start** screen, type **regedit**, and then click **Regedit.exe**.
+
+2. Right-click the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl` subkey, point to **New**, and then click **Key**.
+
+3. Enter the new key name, `FEATURE\AUTOCONFIG\BRANDING`, and then press Enter.
+
+4. Right-click `FEATURE\AUTOCONFIG\BRANDING`, point to **New**, and then click **DWORD (32-bit) Value**.
+
+5. Enter the new DWORD value name, **iexplore.exe**, and then press Enter.
+
+6. Right-click **iexplore.exe**, and then click **Modify**.
+
+7. In the **Value data** box, enter **1**, and then click **OK**.
+
+8. Exit the registry editor.
+
+## Updating your automatic configuration settings
+After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding.
+
Important Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter.
+
+ **To update your settings**
+
+1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
+
+2. Choose the **Automatically detect configuration settings** check box to allow automatic detection of browser settings.
+
+3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including:
+
+ - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that automatic configuration only happens when the computer restarts.
+
+ - **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script.
+
+ - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.
**Important** Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
+
+If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md).
+
+## Locking your automatic configuration settings
+You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
+
+- **Using Microsoft Active Directory.** Choose **Disable changing Automatic Configuration settings** from the Administrative Templates setting.
+
+- **Not Using Active Directory.** Choose the **Disable changing Automatic Configuration settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object.
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
index 6d58aac85b..3e2c898988 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
@@ -1,55 +1,59 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto detect settings Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Auto detect settings Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto detect settings Internet Explorer 11
-After you specify the specific settings related to automatic detection on your Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers, you can set up your users' browser settings from a central location.
-
-Automatic detection works even if the browser wasn't originally set up or installed by the administrator.
-
-- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts.
-
-- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses.
**Note** DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen.
-
-## Updating your automatic detection settings
-To use automatic detection, you have to set up your DHCP and DNS servers.
**Note** Your DHCP servers must support the `DHCPINFORM` message, to obtain the DHCP options.
-
- **To turn on automatic detection for DHCP servers**
-
-1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page.
-
-2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
-
-3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649).
-
- **To turn on automatic detection for DNS servers**
-
-4. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
-
-5. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings.
-
-6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.
**-OR-**
Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.
**Note** For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651).
-
-7. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file.
**Note** Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file.
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: networking
+description: Auto detect settings Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Auto detect settings Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Auto detect settings Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+After you specify the specific settings related to automatic detection on your Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers, you can set up your users' browser settings from a central location.
+
+Automatic detection works even if the browser wasn't originally set up or installed by the administrator.
+
+- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts.
+
+- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses.
**Note** DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen.
+
+## Updating your automatic detection settings
+To use automatic detection, you have to set up your DHCP and DNS servers.
**Note** Your DHCP servers must support the `DHCPINFORM` message, to obtain the DHCP options.
+
+ **To turn on automatic detection for DHCP servers**
+
+1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page.
+
+2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
+
+3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649).
+
+ **To turn on automatic detection for DNS servers**
+
+4. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
+
+5. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings.
+
+6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.
**-OR-**
Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.
**Note** For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651).
+
+7. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file.
**Note** Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
index bd7bd5c030..f285933bcb 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
@@ -1,50 +1,54 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto proxy configuration settings for Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Auto proxy configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto proxy configuration settings for Internet Explorer 11
-Configure and maintain your proxy settings, like pointing your users' browsers to your automatic proxy script, through the Internet Explorer Customization Wizard 11 running on either Windows 8.1 or Windows Server 2012 R2.
-
-## Updating your auto-proxy settings
-You can use your Internet settings (.ins) files to set up your standard proxy settings. You can also specify script files (.js, .jvs, or .pac) to configure and maintain your advanced proxy settings. IE uses your auto-proxy script files to dynamically determine whether to connect to a host or use a proxy server. If a proxy server connection fails, Internet Explorer 11 automatically attempts to connect to another proxy server that you have specified.
-
- **To update your settings**
-
-1. Create a script file with your proxy information, copying it to a server location.
-
-2. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
-
-3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including:
-
- - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that updates only happen when the computer restarts.
-
- - **Automatic Configuration URL (.INS file) box:** Type the location of the .ins file you want to use for automatic configuration. For more information about setting up **Automatic Configuration**, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md).
-
- - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script. This script runs whenever IE11 makes a network request and can include multiple proxy servers for each protocol type.
**Important** IE11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
-
-## Locking your auto-proxy settings
-You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
-
-- **Using Microsoft Active Directory.** Choose **Disable changing proxy settings** from the Administrative Templates setting.
-
-- **Not Using Active Directory.** Choose the **Prevent changing proxy settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514).
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: networking
+description: Auto proxy configuration settings for Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Auto proxy configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Auto proxy configuration settings for Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Configure and maintain your proxy settings, like pointing your users' browsers to your automatic proxy script, through the Internet Explorer Customization Wizard 11 running on either Windows 8.1 or Windows Server 2012 R2.
+
+## Updating your auto-proxy settings
+You can use your Internet settings (.ins) files to set up your standard proxy settings. You can also specify script files (.js, .jvs, or .pac) to configure and maintain your advanced proxy settings. IE uses your auto-proxy script files to dynamically determine whether to connect to a host or use a proxy server. If a proxy server connection fails, Internet Explorer 11 automatically attempts to connect to another proxy server that you have specified.
+
+ **To update your settings**
+
+1. Create a script file with your proxy information, copying it to a server location.
+
+2. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
+
+3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including:
+
+ - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that updates only happen when the computer restarts.
+
+ - **Automatic Configuration URL (.INS file) box:** Type the location of the .ins file you want to use for automatic configuration. For more information about setting up **Automatic Configuration**, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md).
+
+ - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script. This script runs whenever IE11 makes a network request and can include multiple proxy servers for each protocol type.
**Important** IE11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
+
+## Locking your auto-proxy settings
+You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
+
+- **Using Microsoft Active Directory.** Choose **Disable changing proxy settings** from the Administrative Templates setting.
+
+- **Not Using Active Directory.** Choose the **Prevent changing proxy settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514).
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
index 12bd5502e3..17f6488e0a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
@@ -1,43 +1,47 @@
----
-title: Blocked out-of-date ActiveX controls
-description: This page is periodically updated with new ActiveX controls blocked by this feature.
-author: dansimp
-ms.author: dansimp
-audience: itpro
manager: dansimp
-ms.date: 05/10/2018
-ms.topic: article
-ms.prod: ie11
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-ms.assetid: ''
-ms.reviewer:
-ms.sitesec: library
----
-
-# Blocked out-of-date ActiveX controls
-
-ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content, like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up to date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a security feature called _out-of-date ActiveX control blocking_.
-
-We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list.
-
-You will receive a notification if a webpage tries to load one of the following of ActiveX control versions:
-
-**Java**
-
-| Java 2 Platform, Standard Edition (J2SE) 1.4, everything below (but not including) update 43 |
-|----------------------------------------------------------------------------------------------|
-| J2SE 5.0, everything below (but not including) update 99 |
-| Java SE 6, everything below (but not including) update 181 |
-| Java SE 7, everything below (but not including) update 171 |
-| Java SE 8, everything below (but not including) update 161 |
-| Java SE 9, everything below (but not including) update 4 |
-
-**Silverlight**
-
-
-| Everything below (but not including) Silverlight 5.1.50907.0 |
-|--------------------------------------------------------------|
-| |
-
-For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864).
+---
+title: Blocked out-of-date ActiveX controls
+description: This page is periodically updated with new ActiveX controls blocked by this feature.
+author: dansimp
+ms.author: dansimp
+audience: itpro
+manager: dansimp
+ms.date: 05/10/2018
+ms.topic: article
+ms.prod: ie11
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: security
+ms.assetid: ''
+ms.reviewer:
+ms.sitesec: library
+---
+
+# Blocked out-of-date ActiveX controls
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content, like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up to date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a security feature called _out-of-date ActiveX control blocking_.
+
+We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list.
+
+You will receive a notification if a webpage tries to load one of the following of ActiveX control versions:
+
+**Java**
+
+| Java 2 Platform, Standard Edition (J2SE) 1.4, everything below (but not including) update 43 |
+|----------------------------------------------------------------------------------------------|
+| J2SE 5.0, everything below (but not including) update 99 |
+| Java SE 6, everything below (but not including) update 181 |
+| Java SE 7, everything below (but not including) update 171 |
+| Java SE 8, everything below (but not including) update 161 |
+| Java SE 9, everything below (but not including) update 4 |
+
+**Silverlight**
+
+
+| Everything below (but not including) Silverlight 5.1.50907.0 |
+|--------------------------------------------------------------|
+| |
+
+For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
index fe61c67cf5..9aca832f3e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
@@ -1,38 +1,42 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: performance
-description: Browser cache changes and roaming profiles
-author: dansimp
-ms.prod: ie11
-ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Browser cache changes and roaming profiles (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 10/16/2017
----
-
-
-# Browser cache changes and roaming profiles
-We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity.
-
-You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.
**Note** Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545).
-
-To get the best results while using roaming profiles, we strongly recommend the following:
-
-- Create a separate roaming repository for each domain account that uses roaming.
-
-- Restrict roaming user profiles so they work on only one computer at a time. Using a single roaming profile on multiple computers isn’t supported (via console or Remote Desktop) and can cause unpredictable results, including cookie loss.
-
-- Allow all computers that let users sign-on with a roaming profile have identical IE cookie policies and settings.
-
-- Make sure to delete the user’s local roaming profile at sign off for any computer using user profile roaming. You can do this by turning on the **Delete cached copies of roaming profiles** Group Policy Object.
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: performance
+description: Browser cache changes and roaming profiles
+author: dansimp
+ms.prod: ie11
+ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Browser cache changes and roaming profiles (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 10/16/2017
+---
+
+
+# Browser cache changes and roaming profiles
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity.
+
+You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.
**Note** Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545).
+
+To get the best results while using roaming profiles, we strongly recommend the following:
+
+- Create a separate roaming repository for each domain account that uses roaming.
+
+- Restrict roaming user profiles so they work on only one computer at a time. Using a single roaming profile on multiple computers isn’t supported (via console or Remote Desktop) and can cause unpredictable results, including cookie loss.
+
+- Allow all computers that let users sign-on with a roaming profile have identical IE cookie policies and settings.
+
+- Make sure to delete the user’s local roaming profile at sign off for any computer using user profile roaming. You can do this by turning on the **Delete cached copies of roaming profiles** Group Policy Object.
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
index d3cae2a67a..f358312bbc 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
@@ -1,56 +1,60 @@
----
-ms.localizationpriority: medium
-title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
-description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile.
-ms.mktglfcycl: deploy
-ms.prod: ie11
-ms.sitesec: library
-author: dansimp
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
----
-
-
-# Change history for Internet Explorer 11
-This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
-
-## April 2017
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. |
-
-## March 2017
-|New or changed topic | Description |
-|----------------------|-------------|
-|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings. |
-
-## November 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Updated the DocMode reason section to correct Code 8 and to add Code 9.|
-
-## August 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. |
-|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. |
-|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)|Added the Understanding the returned reason codes section to the topic. |
-
-## July 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. |
-
-## June 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated with 2 new policies, Send all sites not included in the Enterprise Mode Site List to Microsoft Edge and Show message when opening sites in Microsoft Edge using Enterprise Mode. |
-
-
-## May 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. |
-
+---
+ms.localizationpriority: medium
+title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
+description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile.
+ms.mktglfcycl: deploy
+ms.prod: ie11
+ms.sitesec: library
+author: dansimp
+ms.date: 07/27/2017
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+---
+
+
+# Change history for Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
+
+## April 2017
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. |
+
+## March 2017
+|New or changed topic | Description |
+|----------------------|-------------|
+|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings. |
+
+## November 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Updated the DocMode reason section to correct Code 8 and to add Code 9.|
+
+## August 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. |
+|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. |
+|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)|Added the Understanding the returned reason codes section to the topic. |
+
+## July 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. |
+
+## June 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated with 2 new policies, Send all sites not included in the Enterprise Mode Site List to Microsoft Edge and Show message when opening sites in Microsoft Edge using Enterprise Mode. |
+
+
+## May 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. |
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
index 0b2d9ff141..9b4b3e6f1f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
@@ -1,51 +1,55 @@
----
-title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
-description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
-ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-ms.sitesec: library
-author: dansimp
-ms.author: dansimp
-ms.date: 08/14/2017
-ms.localizationpriority: medium
----
-
-
-# Check for a new Enterprise Mode site list xml file
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
-
-The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance.
-
-**How Internet Explorer 11 looks for an updated site list**
-
-1. Internet Explorer starts up and looks for an updated site list in the following places:
-
- 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list.
-
- 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list.
-
- 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry.
-
-2. If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
**Note** If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
-
-
-
-
-
-
-
-
-
+---
+title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
+description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
+ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: ie11
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+ms.sitesec: library
+author: dansimp
+ms.author: dansimp
+ms.date: 08/14/2017
+ms.localizationpriority: medium
+---
+
+
+# Check for a new Enterprise Mode site list xml file
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
+
+The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance.
+
+**How Internet Explorer 11 looks for an updated site list**
+
+1. Internet Explorer starts up and looks for an updated site list in the following places:
+
+ 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list.
+
+ 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list.
+
+ 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry.
+
+2. If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
**Note** If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
index c35d115df7..810264c501 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
@@ -1,31 +1,35 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Choose how to deploy Internet Explorer 11 (IE11)
-author: dansimp
-ms.prod: ie11
-ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Choose how to deploy Internet Explorer 11 (IE11)
-In this section, you can learn about how to deploy your custom version of Internet Explorer using Automatic Version Synchronization (AVS) or using your software distribution tools.
-
-## In this section
-
-| Topic | Description |
-|------------------------------------------------------------- | ------------------------------------------------------ |
-|[Deploy IE11 using Automatic Version Synchronization (AVS)](deploy-ie11-using-automatic-version-synchronization-avs.md) |Guidance about how to deploy your custom browser packages using Automatic Version Synchronization (AVS). |
-|[Deploy IE11 using software distribution tools](deploy-ie11-using-software-distribution-tools.md) |Guidance about how to deploy your custom browser packages using System Center 2012 R2, Windows Server Update Services (WSUS), Group Policy software installation, or Microsoft Deployment toolkit (MDT). |
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: Choose how to deploy Internet Explorer 11 (IE11)
+author: dansimp
+ms.prod: ie11
+ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Choose how to deploy Internet Explorer 11 (IE11)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+In this section, you can learn about how to deploy your custom version of Internet Explorer using Automatic Version Synchronization (AVS) or using your software distribution tools.
+
+## In this section
+
+| Topic | Description |
+|------------------------------------------------------------- | ------------------------------------------------------ |
+|[Deploy IE11 using Automatic Version Synchronization (AVS)](deploy-ie11-using-automatic-version-synchronization-avs.md) |Guidance about how to deploy your custom browser packages using Automatic Version Synchronization (AVS). |
+|[Deploy IE11 using software distribution tools](deploy-ie11-using-software-distribution-tools.md) |Guidance about how to deploy your custom browser packages using System Center 2012 R2, Windows Server Update Services (WSUS), Group Policy software installation, or Microsoft Deployment toolkit (MDT). |
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
index 563f38160c..72a5766494 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
@@ -1,37 +1,41 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Choose how to install Internet Explorer 11 (IE11)
-author: dansimp
-ms.prod: ie11
-ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Choose how to install Internet Explorer 11 (IE11)
-Before you install Internet Explorer 11, you should:
-
-- **Migrate Group Policy Objects.** Decide if your Group Policy Objects should migrate to the new version.
-
-- **Check vendor support for updated functionality.** Check whether third-party vendors have new versions or updates to necessary add-ons, apps, or code libraries.
-
-- **Choose the right version of Internet Explorer.** IE11 comes pre-installed on Windows 8.1 and Windows Server 2012 R2 or you can download it for Windows 7 SP1 or Windows Server 2008 R2 with Service Pack 1 (SP1) from the [Internet Explorer Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214251) site.
-
-- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation.
-
- - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/cloud-platform/microsoft-intune).
-
- - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669).
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: Choose how to install Internet Explorer 11 (IE11)
+author: dansimp
+ms.prod: ie11
+ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Choose how to install Internet Explorer 11 (IE11)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Before you install Internet Explorer 11, you should:
+
+- **Migrate Group Policy Objects.** Decide if your Group Policy Objects should migrate to the new version.
+
+- **Check vendor support for updated functionality.** Check whether third-party vendors have new versions or updates to necessary add-ons, apps, or code libraries.
+
+- **Choose the right version of Internet Explorer.** IE11 comes pre-installed on Windows 8.1 and Windows Server 2012 R2 or you can download it for Windows 7 SP1 or Windows Server 2008 R2 with Service Pack 1 (SP1) from the [Internet Explorer Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214251) site.
+
+- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation.
+
+ - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/cloud-platform/microsoft-intune).
+
+ - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669).
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 12049fdcb9..0ffe059374 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Collect data using Enterprise Site Discovery
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
index d01fccf729..db62af6aab 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Use the Settings page to finish setting up the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
index 278408ab38..ad4441c9e3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Create a change request using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
index 6c260e93aa..395703b43d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Create packages for multiple operating systems or languages
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You'll create multiple versions of your custom browser package if:
- You support more than 1 version of Windows®.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
index fc43585ae7..342b139714 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Customize Internet Explorer 11 installation packages
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can customize Internet Explorer 11 to support various browser behaviors, multiple operating system versions and languages, and Setup information (.inf) files.
|Topic |Description |
diff --git a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index b2c4c0f80a..843d917596 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
index b9089ee16a..0f0c56de35 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017
---
# Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS).
## What is Automatic Version Synchronization?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
index dc31c3230e..c3940fbefd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Deploy Internet Explorer 11 using software distribution tools
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
If you already manage software distribution and updates on your network through software distribution tools, you can also use these tools for ongoing deployments of Internet Explorer. Software distribution tools include:
- **System Center R2 2012 System Center 2012 R2 Configuration Manager.** Deploy and install Internet Explorer 11 on your user's computers through a software distribution package. For more information about using this tool, see [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
index 567b8fbeb8..0177418299 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
index f0f44c2897..e8d1ec3d7d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Deprecated document modes and Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
index 8ad5f3e6ad..29574ab860 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
index cb419efe7f..e21f3e41ed 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
@@ -17,6 +17,9 @@ ms.date: 4/12/2018
# Enable and disable add-ons using administrative templates and group policy
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Add-ons let your employees personalize Internet Explorer. You can manage IE add-ons using Group Policy and Group Policy templates.
There are four types of add-ons:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
index d0998607dc..7f00307378 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Enhanced Protected Mode problems with Internet Explorer
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Enhanced Protected Mode further restricts Protected Mode to deny potential attackers access to sensitive or personal information. If this feature is turned on, users might start to see errors asking them to turn it off, like **This webpage wants to run "npctrl.dll. If you trust this site, you can disable Enhanced Protected Mode for this site to run the control**. If your users click the **Disable** box, Enhanced Protected Mode is turned off for only the single visit to that specific site. After the user leaves the site, Enhanced Protected Mode is automatically turned back on.
You can use your company’s Group Policy to turn Enhanced Protected Mode on or off for all users. For more information, see the [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md) information in this guide.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
index 71104a8786..e5e3c31095 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Enterprise Mode for Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
index 09160baadd..6832c2797b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Enterprise Mode schema v.1 guidance
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
index a321e5a744..299c6c093f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
@@ -18,6 +18,9 @@ ms.date: 12/04/2017
# Enterprise Mode schema v.2 guidance
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
index cf235b25aa..ce2f14b162 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Export your Enterprise Mode site list from the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
index f1d72eb1a1..a5abdb8400 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Fix web compatibility issues using document modes and the Enterprise Mode site list
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. This addition to the site list is a continuation of our commitment to help you upgrade and stay up-to-date on the latest version of Internet Explorer, while still preserving your investments in existing apps.
## What does this mean for me?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
index c3c7ead8ff..54da1d4ba1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Fix validation problems using the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
index d2fadc609c..93486e7113 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Advanced Group Policy Management (AGPM) is an add-on license that available for the Microsoft Desktop Optimization Pack (MDOP). This license gives you change control and a role assignment-model that helps optimize Group Policy management and reduce the risk of widespread failures.
From AGPM you can:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
index df5754f0b6..e1e763af4c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
A Microsoft Management Console (MMC)-based tool that uses scriptable interfaces to manage Group Policy. The 32-bit and 64-bit versions are included with Windows Server R2 with Service Pack 1 (SP1) and Windows Server 2012 R2.
## Why use the GPMC?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
index d80c5af350..7e8c419582 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Group Policy and Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
index 4ca3868ed5..dce572d812 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy, the Local Group Policy Editor, and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
A Microsoft Management Console (MMC)-based tool that manages both computer and user-related configurations for an individual computer policy. This tool is included with Windows® 7 Service Pack 1 (SP1) and Windows 8.1.
Here's a list of the policy settings you can use, based on the configuration type. For more info, see [Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=294912).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md
index 8a5b6d7859..12b360b126 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy and compatibility with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer 11 has many Group Policy entries that can be configured for keeping your environment managed and safe. This table includes all of our recommendations around security, performance, and compatibility with the previous versions of Internet Explorer, regardless of which Zone the website is in.
|Activity |Location |Setting the policy object |
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
index 403471f4c7..3eafec01ac 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy management tools
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Group Policy, based on Microsoft Active Directory Domain Services (AD DS), lets you manage your organization's computer and user settings as part of your Group Policy objects (GPOs), which are added and changed in the Group Policy Management Console (GPMC). GPOs can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. The most effective way to target a specific GPO is to use Windows Management Instrumentation (WMI) filters. Like, creating a WMI filter that applies a GPO only to computers with a specific make and model.
By using Group Policy, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple Internet Explorer 11 security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
index ae5c5f783e..938e3e036e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group policy preferences and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Group Policy preferences are less strict than Group Policy settings, based on:
| |Group Policy preferences |Group Policy settings |
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
index d94601a9d5..26cf3ae659 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](https://go.microsoft.com/fwlink/p/?LinkId=279872).
## Group Policy Object-related Log Files
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
index 1f0caf9bc3..cd9e8a1740 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy, Shortcut Extensions, and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Group Policy includes the Shortcuts preference extension, which lets you configure shortcuts to:
- **File system objects.** Traditional shortcuts that link to apps, files, folders, drives, shares, or computers. For example, linking a shortcut to an app from the **Start** screen.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
index 2de349942d..6f57e982ec 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy, Windows Powershell, and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Your domain-joined Group Policy Objects (GPOs) can use any of Group Policy-related “cmdlets” that run within Windows PowerShell.
Each cmdlet is a single-function command-line tool that can:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
index 9fe7dca247..edcb50cb9e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
@@ -17,6 +17,9 @@ ms.date: 05/22/2018
---
# Internet Explorer 11 delivery through automatic updates
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates.
- [Automatic updates delivery process](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#automatic-updates-delivery-process)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
index 6b34fcc195..30de0a2c97 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
@@ -11,6 +11,9 @@ ms.author: dansimp
# Full-sized flowchart detailing how document modes are chosen in IE11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
index 5ab9dd5e58..f585e3210d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Import your Enterprise Mode site list to the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md
index 74f09e116d..c40ba230ff 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/index.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/index.md
@@ -14,6 +14,9 @@ manager: dansimp
# Internet Explorer 11 (IE11) - Deployment Guide for IT Pros
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md
index e9fcf44f0e..47a4d07569 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Install and Deploy Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
index 7dd92ecc08..027cf25129 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using Microsoft Intune
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805).
## Adding and deploying the IE11 package
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
index 5dade69199..c6bd4e15e8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
You can install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images.
You'll need to extract the .cab file for each supported operating system and platform combination and the .msu file for each prerequisite update. Download the IE11 update and prerequisites here:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
index 2b40174159..e08ca5dffe 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can install Internet Explorer 11 (IE11) by using [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?linkid=276664). Complete these steps for each operating system and platform combination.
**To install IE11**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
index 9da3cd91fa..d0d9d17be1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using your network
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can install Internet Explorer 11 (IE11) over your network by putting your custom IE11 installation package in a shared network folder and letting your employees run the Setup program on their own computers. You can create the network folder structure manually, or you can run Internet Explorer Administration Kit 11 (IEAK 11).
**Note** If you support multiple architectures and operating systems, create a subfolder for each combination. If you support multiple languages, create a subfolder for each localized installation file.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
index 5d230773e3..d593de27c6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using third-party tools
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can install Internet Explorer 11 (IE11) using third-party electronic software distribution (ESD) systems and these command-line options:
## Setup Modes
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
index 62bfab42b9..662514e102 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Windows Server Update Services (WSUS) lets you download a single copy of the Microsoft product update and cache it on your local WSUS servers. You can then configure your computers to get the update from your local servers instead of Windows Update. For more information about WSUS, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790).
**To import from Windows Update to WSUS**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
index 3ebe727aeb..3e6ffbfad8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Install problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Most Internet Explorer 11 installations are straightforward and work the way they should. But it's possible that you might have problems.
If you do, you can:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
index 16331ab49c..803fc7fb83 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Fix intranet search problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
After upgrading to Internet Explorer 11, you might experience search issues while using your intranet site.
## Why is my intranet redirecting me to search results?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
index 2270749c81..66b29a20c4 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Manage Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
index c0087953b7..e0dbd2bdab 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Missing Internet Explorer Maintenance settings for Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
index fbc40cbf73..faa927931e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Missing the Compatibility View Button
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
index 3e564954a6..6c68a1ec01 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
@@ -16,6 +16,12 @@ ms.date: 07/27/2017
# .NET Framework problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+## Summary
+
If you’re having problems launching your legacy apps while running Internet Explorer 11, it’s most likely because Internet Explorer no longer starts apps that use managed browser hosting controls, like in .NET Framework 1.1 and 2.0.
**To turn managed browser hosting controls back on**
@@ -24,11 +30,14 @@ If you’re having problems launching your legacy apps while running Internet Ex
2. **For 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
-For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page.
+## More information
-
-
-
+IEHost is a Microsoft .NET Framework 1.1-based technology that provides a better model than ActiveX controls to host controls within the browser. The IEHost controls are lightweight and are operated under the .NET security model where they are operated inside a sandbox.
+From the .NET Framework 4, we remove the IEHost.dll file for the following reasons:
+- IEHost/HREF-EXE-style controls are exposed to the Internet. This poses a high security risk, and most customers who install the Framework are benefiting very little from this security risk.
+- Managed hosting controls and invoking random ActiveX controls may be unsafe, and this risk cannot be countered in the .NET Framework. Therefore, the ability to host is disabled. We strongly suggest that IEHost should be disabled in any production environment.
+- Potential security vulnerabilities and assembly versioning conflicts in the default application domain. By relying on COM Interop wrappers to load your assembly, it is implicitly loaded in the default application domain. If other browser extensions do the same function, they have the risks in the default application domain such as disclosing information, and so on. If you are not using strong-named assemblies as dependencies, type loading exceptions can occur. You cannot freely configure the common language runtime (CLR), because you do not own the host process, and you cannot run any code before your extension is loaded.
+For more information about .NET Framework application compatibility, see [Application compatibility in the .NET Framework](/dotnet/framework/migration-guide/application-compatibility).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
index 65e099eb37..9b8ab9eb33 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# New group policy settings for Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer 11 gives you some new Group Policy settings to help you manage your company's web browser configurations, including:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index 5591606f32..a2f12352fd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -18,6 +18,9 @@ ms.date: 05/10/2018
# Out-of-date ActiveX control blocking
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
@@ -105,7 +108,10 @@ reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVe
```
Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. Use this configuration option at your own risk.
-## Out-of-date ActiveX control blocking on managed devices
+## Out-of-date ActiveX control blocking
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+ on managed devices
Out-of-date ActiveX control blocking includes four new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system.
### Group Policy settings
diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
index 80a59c9305..fbcbcbadb9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
@@ -16,6 +16,9 @@ ms.date: 10/16/2017
# Problems after installing Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
After you install Internet Explorer 11 in your organization, you might run into the following issues. By following these suggestions, you should be able to fix them.
## Internet Explorer is in an unusable state
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index df8a2b1707..4c973ffad6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
index 4995a12e9a..f30c495bb3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Remove sites from a local compatibility view list
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
index c9b859509b..93b323b78a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Remove sites from a local Enterprise Mode site list
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
index bb22b43b3f..acfe82d2a5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
@@ -17,6 +17,9 @@ ms.date: 04/02/2020
# Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
index 28b18117e1..7b80dd178d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Save your site list to XML in the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
index 4565b9f0c1..4d5e66ec80 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Schedule approved change requests for production using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index 0f35b04d1c..f96a952626 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Search your Enterprise Mode site list in the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index b6c1af8258..6edccdda73 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Set the default browser using Group Policy
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can use the Group Policy setting, **Set a default associations configuration file**, to set the default browser for your company devices running Windows 10.
**To set the default browser as Internet Explorer 11**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
index fd55a40ebd..94f9336c89 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Set up Enterprise Mode logging and data collection
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
index 7b0dd491aa..c022c08569 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Set up the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
index 7dd3e837c0..70d197c391 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Setup problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Installing Internet Explorer creates the following log files, which are stored in the Windows installation folder (typically, the C:\\Windows folder):
- `IE11_main.log`
diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
index a8953ad3f4..37b7bc16cf 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# System requirements and language support for Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
index 1f9a047156..14bd40e745 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
@@ -17,6 +17,9 @@ ms.date: 05/10/2018
# Tips and tricks to manage Internet Explorer compatibility
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List.
Jump to:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
index 39d999c947..bf8ceeb867 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Troubleshoot Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
index 1df0d6b95e..7e4561fa2a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Turn off Enterprise Mode
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
index 90442b3bbc..178085c2ad 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Fix font rendering problems by turning off natural metrics
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
By default, Internet Explorer 11 uses “natural metrics”. Natural metrics use inter-pixel spacing that creates more accurately rendered and readable text, avoiding many common font rendering problems with Windows Internet Explorer 9 or older sites.
However, you might find that many intranet sites need you to use Windows Graphics Device Interface (GDI) metrics. To avoid potential compatibility issues, you must turn off natural metrics for those sites.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
index 744df8c766..8c84054dc3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -18,6 +18,9 @@ ms.localizationpriority: medium
# Turn on Enterprise Mode and use a site list
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
index 1324c12963..b4db0fb7a4 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Turn on local control and logging for Enterprise Mode
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
index 446375289c..750bca0e82 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# List of updated features and tools - Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
index c26e39ddcc..fe55abfdc6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ author: dansimp
# Use the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
index 3cbc140f4b..cbfcfecf93 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 12/04/2017
# Use the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
index 14fcd048fc..b7669cf1ca 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# User interface problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Some of the features in both Internet Explorer 11 and IEAK 11 have moved around. Here are some of the more common changes.
## Where did features go in the Internet Explorer Customization Wizard 11?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
index 6bff79cc82..677f1c974a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Using IE7 Enterprise Mode or IE8 Enterprise Mode
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
index 07e3ce2e2b..7015595563 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer Administration Kit 11 (IEAK 11) helps you set up, deploy, and maintain Internet Explorer 11.
**Note** IEAK 11 works in network environments, with or without Microsoft Active Directory.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
index 1f7b62dfa5..afc27104af 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Using Setup Information (.inf) files to create install packages
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
IEAK 11 uses Setup information (.inf) files to provide uninstallation instructions. Uninstallation instructions let your employees remove components, like files, registry entries, or shortcuts, through the **Uninstall or change a program** box. For details about .inf files, see [INF File Sections and Directives](https://go.microsoft.com/fwlink/p/?LinkId=327959).
**To add uninstallation instructions to the .inf files**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
index a3fce1731d..a31c831abd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Verify your changes using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
index 42db6c85c5..1ccd3e4d0c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Verify the change request update in the production environment using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
index 2be252275c..9aa736bacb 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
index 20ad5ac557..f2db72080d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# View the available Enterprise Mode reports from the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
index e5de6fffdd..771f7b3439 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Virtualization and compatibility with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
If your company is considering upgrading to the latest version of Internet Explorer, but is hesitant because of a large number of web apps that need to be tested and moved, we recommend that you consider virtualization. Virtualization lets you set up a virtual environment where you can run earlier versions of IE.
**Important**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index 1a2c6fc17a..b9fb67f961 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 10/25/2018
# Enterprise Mode and the Enterprise Mode Site List
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
@@ -61,7 +64,10 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso
- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
-## Enterprise Mode and the Enterprise Mode Site List XML file
+## Enterprise Mode and the Enterprise Mode Site List
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+ XML file
The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11.
Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
index 4f1c56a922..1fd67f656b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
@@ -19,6 +19,9 @@ ms.date: 05/10/2018
# What is the Internet Explorer 11 Blocker Toolkit?
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
index de71b3a8ff..dd8e3bcce6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
@@ -17,6 +17,9 @@ ms.author: dansimp
# Workflow-based processes for employees using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
index 8917b1de22..c27e670fd6 100644
--- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
+++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
@@ -16,6 +16,9 @@ ms.date: 10/16/2017
# Internet Explorer 11 - FAQ for IT Pros
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration.
## Frequently Asked Questions
diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
index e35b64b8a4..cf59b670d6 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
@@ -16,6 +16,9 @@ ms.date: 05/10/2018
# Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
> [!Important]
diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.md b/browsers/internet-explorer/ie11-faq/faq-ieak11.md
index 7405392094..929acbed39 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ieak11.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ieak11.md
@@ -18,6 +18,9 @@ ms.date: 05/10/2018
# IEAK 11 - Frequently Asked Questions
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
Get answers to commonly asked questions about the Internet Explorer Administration Kit 11 (IEAK 11), and find links to additional material you might find helpful.
**What is IEAK 11?**
diff --git a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
index b211933353..40a7886b0a 100644
--- a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Accelerators page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Accelerators** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add accelerators to your employee computers. Accelerators are contextual menu options that can quickly get to a web service from any webpage. For example, an accelerator can look up a highlighted word in the dictionary or a selected location on a map.
**Note**
diff --git a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
index 7e89dab65d..b4d0459c78 100644
--- a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Add and approve ActiveX controls using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
There are two main approaches to how you can control the use of ActiveX controls in your company. For more info about ActiveX controls, including how to manage the controls using Group Policy, see [Group Policy and ActiveX installation](../ie11-deploy-guide/activex-installation-using-group-policy.md) in the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md).
**Note**
diff --git a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
index eae4f678e5..c04501eea7 100644
--- a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Add a Root Certificate page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK.
Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
index 60be35bc0d..ebff04a24a 100644
--- a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Additional Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Additional Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you pick additional custom, corporate, and Internet settings that relate to your employee’s desktop, operating system, and security. If you don’t change a setting, it’ll be ignored.
The additional settings appear in administration (.adm) files that are stored in your `:\Program Files\Windows IEAK 11\policies` folder. You can also create your own .adm files with options that can be configured using the wizard. Any edits you make to your own .adm file are stored as .ins files, which are used to build the .inf files for your custom install package.
diff --git a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
index d3883b39ca..879c328e43 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Automatic Configuration page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Automatic Configuration** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you provide URLs to the files that’ll automatically configure Internet Explorer 11 for a group of employees or devices.
**Note**
diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
index 1a46247c5c..7d4f9344c9 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Set up auto detection for DHCP or DNS servers using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Set up your network to automatically detect and customize Internet Explorer 11 when it’s first started. Automatic detection is supported on both Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), letting your servers detect and set up your employee’s browser settings from a central location, using a configuration URL (.ins file) or a JavaScript proxy configuration file (.js, .jvs, or .pac).
Before you can set up your environment to use automatic detection, you need to turn the feature on.
diff --git a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
index c317a46e0e..b4565ed485 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Automatic Version Synchronization page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 runs the synchronization process every time you run the wizard, downloading the Internet Explorer 11 Setup file to your computer. The Setup file includes the required full and express packages.
**Important**
diff --git a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
index 3508c186af..7271837b2e 100644
--- a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
@@ -18,6 +18,9 @@ ms.date: 04/24/2018
# Before you start using IEAK 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
Before you run IEAK 11 and the Customization Wizard, make sure you have met the following requirements:
- Have you determined which licensing version of the Internet Explorer Administration Kit 11 to install? For info, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md).
diff --git a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
index 5c9c189f24..351b1bbb76 100644
--- a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Branding .INS file to create custom branding and setup info
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about the custom branding and setup information in your browser package.
|Name |Value | Description |
diff --git a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
index c1f3999a3a..0116384f6d 100644
--- a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Browser User Interface page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Browser User Interface** page of the Internet Explorer Customization Wizard 11 lets you change the toolbar buttons and the title bar text in IE.
**Note** The customizations you make on this page apply only to Internet Explorer for the desktop.
diff --git a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
index b2b123ff69..05fb2324f7 100644
--- a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about how to customize the Internet Explorer toolbar.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
index a39adaff3e..3214ea32c0 100644
--- a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Browsing Options page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Browsing Options** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you decide how you want to manage items in the **Favorites, Favorites Bar, and Feeds** section, including the Microsoft-provided default items.
The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page.
diff --git a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
index e5bf7ebb40..321f45caf5 100644
--- a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the CabSigning .INS file to customize the digital signature info for your apps
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about how to customize the digital signature info for your apps.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
index cda9702eb4..b6138064be 100644
--- a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Use the Compatibility View page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
We’re sorry. We’ve changed the way Compatibility View works in Internet Explorer 11 and have removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11. For more info about the changes we’ve made to the Compatibility View functionality, see [Missing the Compatibility View Button](../ie11-deploy-guide/missing-the-compatibility-view-button.md).
Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
index aaec7b0fa2..e9051c955b 100644
--- a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Connection Manager page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
We're sorry. We've removed all of the functionality included on the Connection Manager page of the Internet Explorer Customization Wizard 11.
Click **Next** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page or **Back** to go to the [Compatibility View](compat-view-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
index 66beabdbca..bc00c58bec 100644
--- a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Connection Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Connection Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you import the connection settings from your computer, to preset the connection settings on your employee’s computers.
**Note** Using the options on the **Additional Settings** page of the wizard, you can let your employees change their connection settings. For more information see the [Additional Settings](additional-settings-ieak11-wizard.md) page. You can also customize additional connection settings using the **Automatic Configuration** page in the wizard. For more information see the [Automatic Configuration](auto-config-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
index 779e024e57..0e7777a64e 100644
--- a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the ConnectionSettings .INS file to review the network connections for install
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about the network connection settings used to install your custom package. This section creates a common configuration on all of your employee’s computers.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
index 91f26adf5b..0befbc922f 100644
--- a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Create the build computer folder structure using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Create your build environment on the computer that you’ll use to build your custom browser package. Your license agreement determines your folder structure and which version of Internet Explorer Administration Kit 11 (IEAK 11) you’ll use: **Internal** or **External**.
|Name |Version |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
index 3e8043c959..e2a0fb48a9 100644
--- a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Tasks and references to consider before creating and deploying custom packages using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Review this list of tasks and references to help you use the Internet Explorer Administration Kit 11 (IEAK 11) to set up, deploy, and manage Internet Explorer 11 in your company.
|Task |References |
diff --git a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
index 6196fabf79..5d88bfa81a 100644
--- a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Create multiple versions of your custom package using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You'll need to create multiple versions of your custom browser package if:
- You support more than 1 version of the Windows operating system.
diff --git a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
index 3cf498605c..ba3904ae39 100644
--- a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
+++ b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use uninstallation .INF files to uninstall custom components
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The Internet Explorer Administration Kit 11 (IEAK 11) uses Setup information (.inf) files to provide installation instructions for your custom browser packages. You can also use this file to uninstall your custom components by removing the files, registry entries, and shortcuts, and adding your custom component to the list of programs that can be uninstalled from **Uninstall or change a program**.
**To uninstall your custom components**
diff --git a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
index 571b73d327..1a981a5a16 100644
--- a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Custom Components page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Custom Components** page of the Internet Explorer Customization Wizard 11 lets you add up to 10 additional components that your employees can install at the same time they install IE. These components can be created by Microsoft or your organization as either compressed cabinet (.cab) or self-extracting executable (.exe) files. If you’re using Microsoft components, make sure you have the latest version and software patches from the [Microsoft Support](https://go.microsoft.com/fwlink/p/?LinkId=258658) site. To include Microsoft Update components, you must bundle the associated files into a custom component.
**Important** You should sign any custom code that’s being downloaded over the Internet. The default settings of Internet Explorer 11 will automatically reject any unsigned code. For more info about digitally signing custom components, see [Security features and IEAK 11](security-and-ieak11.md).
diff --git a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
index e7469fa864..7a5556235d 100644
--- a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the CustomBranding .INS file to create custom branding and setup info
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Provide the URL to your branding cabinet (.cab) file.
diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
index 3c0af97192..9ed59cf64e 100644
--- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
+++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Customize Automatic Search for Internet Explorer using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer lets websites advertise any search provider that uses the open search standard described at the A9 website ( [OpenSearch 1.1 Draft 5](https://go.microsoft.com/fwlink/p/?LinkId=208582)). When IE detects new search providers, the **Search** box becomes active and adds the new providers to the drop-down list of providers.
Using the **Administrative Templates** section of Group Policy, you can prevent the search box from appearing, you can add a list of acceptable search providers, or you can restrict your employee’s ability to add or remove search providers.
diff --git a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
index 06e8d6c3f3..7d0a2f9882 100644
--- a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the ExtRegInf .INS file to specify installation files and mode
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about how to specify your Setup information (.inf) files and the installation mode for your custom components.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
index 47bf04d6e2..030dc054d2 100644
--- a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Favorites, Favorites Bar, and Feeds** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add:
- **Links.** Used so your employees can quickly connect with your important websites. These links can appear in the **Links** folder or on the **Favorites Bar**.
diff --git a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
index 694b8d994d..ac736e20df 100644
--- a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the FavoritesEx .INS file for your Favorites icon and URLs
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about where you store your **Favorites** icon file, whether your **Favorites** are available offline, and the URLs for each **Favorites** site.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
index b27bc3273a..f72747f486 100644
--- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
@@ -15,6 +15,9 @@ ms.sitesec: library
# Use the Feature Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Feature Selection** page of the Internet Explorer Customization Wizard 11 lets you choose which parts of the setup processes and Internet Explorer 11 to change for your company, including:
- **Setup Customizations.** Lets you add custom components, decide which components to install, provide your download site information, and modify the Setup title bar and graphics.
diff --git a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
index f3224c2055..0aee908cd4 100644
--- a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the File Locations page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **File Locations** page of the Internet Explorer Customization Wizard 11 lets you change the location of your folders, including:
- Where you’ll create and store your custom installation package.
diff --git a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
index 38703f9131..616e3b9938 100644
--- a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# File types used or created by IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
A list of the file types used or created by tools in IEAK 11:
|File type |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
index 507450938d..9d6fe74f8a 100644
--- a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **First Run Wizard and Welcome Page Options** page of the Internet Explorer Customization Wizard 11 lets you decide what your employee’s see the first time they log on to IE, based on their operating system.
- **Windows 8.1 Update and newer.** No longer includes a **Welcome** page, so if you pick the **Use Internet Explorer 11 Welcome Page** or the **Use a custom Welcome page** option, IEAK creates an initial **Home** page that loads before all other **Home** pages, as the first tab. This only applies to the Internet Explorer for the desktop.
diff --git a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
index 0864538448..e3d95badec 100644
--- a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Customize the Toolbar button and Favorites List icons using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Use these customization guidelines to change the browser toolbar button and the **Favorites List** icons, using your own branding and graphics.
**Important** Check your license agreement to make sure this customization is available.
diff --git a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
index 0ba0f580a8..2da43b7f38 100644
--- a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Hardware and software requirements for Internet Explorer 11 and the IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Before you can use the Internet Explorer Administration Kit 11 and the Internet Explorer Customization Wizard 11, you must first install Internet Explorer 11. For more info about installing IE11, see the [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md) page.
## Hardware requirements
diff --git a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
index 7d50512355..6c46e306f3 100644
--- a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the HideCustom .INS file to hide the GUID for each custom component
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about whether to hide the globally unique identifier (GUID) for each of your custom components.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
index 51dc959759..c9d24160a9 100644
--- a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
+++ b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Internet Explorer Setup command-line options and return codes
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can use command-line options along with a tool like IExpress to package your custom version of Internet Explorer and to perform a batch installation across your organization.
## IE Setup command-line options
diff --git a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
index b8c3d25c24..1d8b34786a 100644
--- a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
+++ b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
@@ -18,6 +18,9 @@ ms.date: 05/10/2018
# Internet Explorer Administration Kit (IEAK) information and downloads
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
>Applies to: Windows 10
The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. To find more information on the IEAK, see [What IEAK can do for you](what-ieak-can-do-for-you.md).
diff --git a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
index f27ec8b5b9..0aa9964807 100644
--- a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
+++ b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Use the Internet Explorer Administration Kit 11 (IEAK 11) and the Internet Explorer Customization Wizard 11 to customize your browser install packages for deployment to your employee's devices.
## IE Customization Wizard 11 options
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
index cd7c730569..57128dfefe 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# IExpress Wizard command-line options
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows Server 2008 R2 with SP1
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
index 35dc9f9cc5..fe4bb3a985 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# IExpress Wizard for Windows Server 2008 R2 with SP1
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Use the IExpress Wizard and its associated command-line options to create self-extracting files that automatically run your custom Internet Explorer Setup (.inf or .exe file) program that’s contained inside.
## IExpress Wizard location
diff --git a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
index 022767b179..b32b5bacab 100644
--- a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Important URLS – Home Page and Support** page of the Internet Explorer Customization Wizard 11 lets you choose one or more **Home** pages and an online support page for your customized version of IE.
**To use the Important URLS – Home Page and Support page**
diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md
index 29b8c0ceca..946a42e72a 100644
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ b/browsers/internet-explorer/ie11-ieak/index.md
@@ -14,6 +14,9 @@ manager: dansimp
# Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
diff --git a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
index 15db2bc20f..6936f198d0 100644
--- a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Internal Install page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Internal Install** page of the Internet Explorer Customization Wizard 11 lets you customize Setup for the default browser and the latest browser updates, based on your company’s guidelines.
**Note** The customizations made on this page only apply to Internet Explorer for the desktop on Windows 7.
diff --git a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
index b625916fd1..666c5f8b17 100644
--- a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the ISP_Security .INS file to add your root certificate
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about where you store the root certificate you’re adding to your custom package.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
index b2f66781b7..a343a30e51 100644
--- a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Language Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Language Selection** page of the Internet Explorer Customization Wizard 11 lets you choose the language for your Internet Explorer Administration Kit 11 (IEAK 11) custom package. You can create custom Internet Explorer 11 packages in any of the languages your operating system version is available in.
**Important** Make sure that the language of your IEAK 11 installation matches the language of your custom IE11 package. If the languages don’t match, IEAK 11 won’t work properly.
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index ea1f1cb9e1..4c14f5ec98 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 10/23/2018
# Determine the licensing version and features to use in IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11, referred to as the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (referred to as the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment.
During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
diff --git a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
index a441fe7be2..f628def610 100644
--- a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Media .INS file to specify your install media
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The types of media on which your custom install package is available.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
index ce2517bf60..ae7b3c6150 100644
--- a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Package Type Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Package Type Selection** page of the Internet Explorer Customization Wizard 11 lets you pick which type of media you’ll use to distribute your custom installation package. You can pick more than one type, if you need it.
**Important** You can't create a full installation package for deployment to Windows 10 computers. That option only works for computers running Windows 7 or Windows 8.1.
diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
index 342ac46d58..67d9caac65 100644
--- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017
# Use the Platform Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package.
**To use the Platform Selection page**
diff --git a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
index 809110fc8b..4720c446af 100644
--- a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Before you install your package over your network using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Employees can install the custom browser package using a network server. However, you must either lower the intranet security level or make the server a trusted site.
**To lower your intranet security**
diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
index 8b46cc1615..acfbbc74ae 100644
--- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017
# Use the Programs page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer.
**Important** The customizations you make on this page only apply to Internet Explorer for the desktop.
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
index 06213a78ae..56a0823f9a 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use proxy auto-configuration (.pac) files with IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
These are various ways you can use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. We've included some examples here to help guide you, but you'll need to change the proxy names, port numbers, and IP addresses to match your organization's info.
Included examples:
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
index 80e2e5d2c0..9def48f2d3 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Proxy .INS file to specify a proxy server
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about whether to use a proxy server. If yes, this also includes the host names for the proxy server.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
index a99dc70ae0..ba113af6cc 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Proxy Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Proxy Settings** page of the Internet Explorer Customization Wizard 11 lets you pick the proxy servers used by your employees to connect for services required by the custom install package.
Using a proxy server lets you limit access to the Internet. You can also use the **Additional Settings** page of the wizard to further restrict your employees from changing the proxy settings.
diff --git a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
index c6fb131002..f3b4414183 100644
--- a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017
# Register an uninstall app for custom components using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Register the uninstall apps for any custom components you’ve included in your Internet Explorer 11 package. Registering these apps lets your employees remove the components later, using **Uninstall or change a program** in the Control Panel.
## Register your uninstallation program
diff --git a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
index 8bf7232c7c..340327e916 100644
--- a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Using the Resultant Set of Policy (RSoP) snap-in to review policy settings
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
After you’ve deployed your custom Internet Explorer package to your employees, you can use the Resultant Set of Policy (RSoP) snap-in to view your created policy settings. The RSoP snap-in is a two-step process. First, you run the RSoP wizard to determine what information should be viewed. Second, you open the specific items in the console window to view the settings. For complete instructions about how to use RSoP, see [Resultant Set of Policy](https://go.microsoft.com/fwlink/p/?LinkId=259479).
**To add the RSoP snap-in**
diff --git a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
index f66425a743..c092a2101b 100644
--- a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Search Providers page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Search Providers** page of the Internet Explorer Customization Wizard 11 lets you add a default search provider (typically, Bing®) and additional providers to your custom version of IE.
**Note** The Internet Explorer Customization Wizard 11 offers improved and extended search settings. However, you can still optionally include support for Search Suggestions and Favicons, as well as Accelerator previews by using an .ins file from a previous version of IEAK.
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
index 71d99f8b9f..336ad87ef1 100644
--- a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Security features and IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Use Internet Explorer in conjunction with your new and existing security measures, to make sure the computers in your company aren’t compromised while on the Internet.
## Enhanced Protection Mode
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
index 16ffc69435..c78a131719 100644
--- a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Security and Privacy Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Security and Privacy Settings** page of the Internet Explorer Customization Wizard 11 lets you manage your security zones, privacy settings, and content ratings. These settings help restrict the types of content your employees can access from the Internet, including any content that might be considered offensive or otherwise inappropriate in a corporate setting.
**To use the Security and Privacy Settings page**
diff --git a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
index e65b0e2b77..b4fd0c45b2 100644
--- a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Security Imports .INS file to import security info
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about how to import security information from your local device to your custom package.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
index 9ae559b4b4..e4fcd7c739 100644
--- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Troubleshoot custom package and IEAK 11 problems
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
While the Internet Explorer Customization Wizard has been around for quite a while, there are still some known issues that you might encounter while deploying or managing your custom IE install package.
## I am unable to locate some of the wizard pages
diff --git a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md
index 965fda174e..06a1d3c029 100644
--- a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md
@@ -1,40 +1,44 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Use the URL .INS file to use an auto-configured proxy server (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the URL .INS file to use an auto-configured proxy server
-Info about whether to use an auto-configured proxy server. If yes, this also includes the URLs to the pages that appear when your employees first connect to that server.
-
-|Name |Value |Description |
-|-----|------|------------|
-|AutoConfig |
**0.** Don’t automatically configure the browser.
**1.** Automatically configure the browser.
|Determines whether to automatically configure the customized browser on your employee’s device. |
-|AutoConfigJSURL |`` |The URL for the proxy auto-config file (.js or .jvs) |
-|AutoConfigTime |*integer* |Automatically configures the browser on your employee’s device after its run for a specified length of time. |
-|AutoConfigURL |`` |The URL for the proxy auto-config (.pac) file. |
-|FirstHomePage |`` |The page (URL) that appears the first time the custom browser is opened on the employee’s device. |
-|Help_Page |`` |The URL to your internal technical support site. |
-|Home_Page |`` |The URL to your default **Home** page. |
-|NoWelcome |
**0.** Display the **Welcome** page.
**1.** Don’t display the **Welcome** page.
|Determines whether to show the **Welcome** page the first time the browser’s used on an employee’s device. |
-|Quick_Link_1 |`` |The URL to your first Quick Link. |
-|Quick_Link_1_Name |`` |The name of the site associated with Quick_Link_1. |
-|Quick_Link_2 |`` |The URL to your second Quick Link. |
-|Quick_Link_2_Name |`` |The name of the site associated with Quick_Link_2. |
-|Quick_Link_X |`` |The URL to another Quick Link. |
-|Quick_Link_X_Icon |`` |A Quick Links icon (.ico) file. |
-|Quick_Link_X_Name |`` |The name of the site associated with another Quick Link. |
-|Quick_Link_X_Offline |
**0.** Don’t make the Quick Links available offline.
**1.** Make the Quick Links available offline.
|Determines whether to make the Quick Links available for offline browsing. |
-|Search_Page |`` |The URL to the default search page. |
-|UseLocalIns |
**0.** Don’t use a local .ins file.
**1.** Use a local .ins file.
|Determines whether to use a local Internet Settings (.ins) file |
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server.
+author: dansimp
+ms.prod: ie11
+ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Use the URL .INS file to use an auto-configured proxy server (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Use the URL .INS file to use an auto-configured proxy server
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Info about whether to use an auto-configured proxy server. If yes, this also includes the URLs to the pages that appear when your employees first connect to that server.
+
+|Name |Value |Description |
+|-----|------|------------|
+|AutoConfig |
**0.** Don’t automatically configure the browser.
**1.** Automatically configure the browser.
|Determines whether to automatically configure the customized browser on your employee’s device. |
+|AutoConfigJSURL |`` |The URL for the proxy auto-config file (.js or .jvs) |
+|AutoConfigTime |*integer* |Automatically configures the browser on your employee’s device after its run for a specified length of time. |
+|AutoConfigURL |`` |The URL for the proxy auto-config (.pac) file. |
+|FirstHomePage |`` |The page (URL) that appears the first time the custom browser is opened on the employee’s device. |
+|Help_Page |`` |The URL to your internal technical support site. |
+|Home_Page |`` |The URL to your default **Home** page. |
+|NoWelcome |
**0.** Display the **Welcome** page.
**1.** Don’t display the **Welcome** page.
|Determines whether to show the **Welcome** page the first time the browser’s used on an employee’s device. |
+|Quick_Link_1 |`` |The URL to your first Quick Link. |
+|Quick_Link_1_Name |`` |The name of the site associated with Quick_Link_1. |
+|Quick_Link_2 |`` |The URL to your second Quick Link. |
+|Quick_Link_2_Name |`` |The name of the site associated with Quick_Link_2. |
+|Quick_Link_X |`` |The URL to another Quick Link. |
+|Quick_Link_X_Icon |`` |A Quick Links icon (.ico) file. |
+|Quick_Link_X_Name |`` |The name of the site associated with another Quick Link. |
+|Quick_Link_X_Offline |
**0.** Don’t make the Quick Links available offline.
**1.** Make the Quick Links available offline.
|Determines whether to make the Quick Links available for offline browsing. |
+|Search_Page |`` |The URL to the default search page. |
+|UseLocalIns |
**0.** Don’t use a local .ins file.
**1.** Use a local .ins file.
|Determines whether to use a local Internet Settings (.ins) file |
+
diff --git a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
index ed8f2be8f1..364daedbbc 100644
--- a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
@@ -1,60 +1,64 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process.
-author: dansimp
-ms.prod: ie11
-ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the User Experience page in the IEAK 11 Wizard
-The **User Experience** page of the Internet Explorer Customization Wizard 11 lets you decide how much you want your employees to interact with the custom package’s Setup process.
-
-**Note** You’ll only see this page if you are running the **Internal** version of the Internet Explorer Customization Wizard 11.
The customizations you make on this page only apply to Internet Explorer for the desktop on Windows 7.
-
-**To use the User Experience page**
-
-1. Choose how your employee should interact with Setup, including:
-
- - **Interactive installation**. Lets your employees change installation options while installing your custom package. This experience shows all of the progress and error messages throughout the process.
-
- - **Hands-free installation**. Lets you make all of the decisions for your employees. However, they’ll still see all of the progress and error messages throughout the process.
-
- - **Completely silent installation**. Lets you make all of the decisions for your employees and hides all of the progress and error messages. Because this mode is completely silent, if the installation fails, your employees won’t know and they won’t be able to run the installation package again.
-
Both the hands-free and completely silent installation options will:
-
- - Answer prompts so Setup can continue.
-
- - Accept the license agreement.
-
- - Determine that Internet Explorer 11 is installed and not just downloaded.
-
- - Perform your specific installation type.
-
- - Install IE in the default location, unless it is already installed. In that case, the new version of the browser is installed in the same location as the previous version.
-
-2. Choose if your employee’s device will restart at the end of Setup.
-
- - **Default**. Prompts your employees to restart after installing IE.
-
- - **No restart**. Doesn’t restart the computer after installing IE. The employee will have to manually restart later.
-
- - **Force restart**. Automatically restarts the computer after installing IE.
-
-3. Click **Next** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page or **Back** to go to the [Internal Install](internal-install-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process.
+author: dansimp
+ms.prod: ie11
+ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Use the User Experience page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+The **User Experience** page of the Internet Explorer Customization Wizard 11 lets you decide how much you want your employees to interact with the custom package’s Setup process.
+
+**Note** You’ll only see this page if you are running the **Internal** version of the Internet Explorer Customization Wizard 11.
The customizations you make on this page only apply to Internet Explorer for the desktop on Windows 7.
+
+**To use the User Experience page**
+
+1. Choose how your employee should interact with Setup, including:
+
+ - **Interactive installation**. Lets your employees change installation options while installing your custom package. This experience shows all of the progress and error messages throughout the process.
+
+ - **Hands-free installation**. Lets you make all of the decisions for your employees. However, they’ll still see all of the progress and error messages throughout the process.
+
+ - **Completely silent installation**. Lets you make all of the decisions for your employees and hides all of the progress and error messages. Because this mode is completely silent, if the installation fails, your employees won’t know and they won’t be able to run the installation package again.
+
Both the hands-free and completely silent installation options will:
+
+ - Answer prompts so Setup can continue.
+
+ - Accept the license agreement.
+
+ - Determine that Internet Explorer 11 is installed and not just downloaded.
+
+ - Perform your specific installation type.
+
+ - Install IE in the default location, unless it is already installed. In that case, the new version of the browser is installed in the same location as the previous version.
+
+2. Choose if your employee’s device will restart at the end of Setup.
+
+ - **Default**. Prompts your employees to restart after installing IE.
+
+ - **No restart**. Doesn’t restart the computer after installing IE. The employee will have to manually restart later.
+
+ - **Force restart**. Automatically restarts the computer after installing IE.
+
+3. Click **Next** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page or **Back** to go to the [Internal Install](internal-install-ieak11-wizard.md) page.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md
index 3efd12ffa8..c9bb888bed 100644
--- a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md
+++ b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md
@@ -1,37 +1,41 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Using Internet Settings (.INS) files with IEAK 11
-Use the Internet Settings (.ins) files and the Internet Explorer Administration Kit 11 (IEAK 11) to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file.
-
-Here's a list of the available .INS file settings:
-
-|Setting |Description |
-|-----------------------------------------|------------------------------------------------------------------------------|
-|[Branding](branding-ins-file-setting.md) |Customize the branding and setup information in your browser package. |
-|[BrowserToolbars](browsertoolbars-ins-file-setting.md) |Customize the appearance of the IE toolbar. |
-|[CabSigning](cabsigning-ins-file-setting.md) |Digital signature information for your programs. |
-|[ConnectionSettings](connectionsettings-ins-file-setting.md) |Info about the networking connection settings used to install your custom package. |
-|[CustomBranding](custombranding-ins-file-setting.md) |URL location to your branding cabinet (.cab) file. |
-|[ExtRegInf](extreginf-ins-file-setting.md) |Names of your Setup information (.inf) files and the installation mode for components. |
-|[FavoritesEx](favoritesex-ins-file-setting.md) |Add a path to your icon file for **Favorites**, decide whether **Favorites** are available offline, and add URLs to each**Favorites** site. |
-|[HideCustom](hidecustom-ins-file-setting.md) |Whether to hide the globally unique identifier (GUID) for each custom component. |
-|[ISP_Security](isp-security-ins-file-setting.md) |The root certificate you’re adding to your custom package. |
-|[Media](media-ins-file-setting.md) |Types of media in which your custom installation package is available. |
-|[Proxy](proxy-ins-file-setting.md) |Whether to use a proxy server. |
-|[Security Imports](security-imports-ins-file-setting.md) |Whether to import security information for your custom package. |
-|[URL](url-ins-file-setting.md) |Whether to use an auto-configured proxy server. |
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package.
+author: dansimp
+ms.prod: ie11
+ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Using Internet Settings (.INS) files with IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Use the Internet Settings (.ins) files and the Internet Explorer Administration Kit 11 (IEAK 11) to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file.
+
+Here's a list of the available .INS file settings:
+
+|Setting |Description |
+|-----------------------------------------|------------------------------------------------------------------------------|
+|[Branding](branding-ins-file-setting.md) |Customize the branding and setup information in your browser package. |
+|[BrowserToolbars](browsertoolbars-ins-file-setting.md) |Customize the appearance of the IE toolbar. |
+|[CabSigning](cabsigning-ins-file-setting.md) |Digital signature information for your programs. |
+|[ConnectionSettings](connectionsettings-ins-file-setting.md) |Info about the networking connection settings used to install your custom package. |
+|[CustomBranding](custombranding-ins-file-setting.md) |URL location to your branding cabinet (.cab) file. |
+|[ExtRegInf](extreginf-ins-file-setting.md) |Names of your Setup information (.inf) files and the installation mode for components. |
+|[FavoritesEx](favoritesex-ins-file-setting.md) |Add a path to your icon file for **Favorites**, decide whether **Favorites** are available offline, and add URLs to each**Favorites** site. |
+|[HideCustom](hidecustom-ins-file-setting.md) |Whether to hide the globally unique identifier (GUID) for each custom component. |
+|[ISP_Security](isp-security-ins-file-setting.md) |The root certificate you’re adding to your custom package. |
+|[Media](media-ins-file-setting.md) |Types of media in which your custom installation package is available. |
+|[Proxy](proxy-ins-file-setting.md) |Whether to use a proxy server. |
+|[Security Imports](security-imports-ins-file-setting.md) |Whether to import security information for your custom package. |
+|[URL](url-ins-file-setting.md) |Whether to use an auto-configured proxy server. |
+
diff --git a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
index 06b86bce15..d62e11e507 100644
--- a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
+++ b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
@@ -1,68 +1,72 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: support
-ms.pagetype: security
-description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
-author: dansimp
-ms.author: dansimp
-ms.manager: elizapo
-ms.prod: ie11
-ms.assetid:
-ms.reviewer:
-audience: itpro
manager: dansimp
-title: What IEAK can do for you
-ms.sitesec: library
-ms.date: 05/10/2018
----
-
-# What IEAK can do for you
-
-Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
-
-IEAK 10 and newer includes the ability to install using one of the following installation modes:
-
-- Internal
-
-- External
-
-## IEAK 11 users
-Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
-
-IEAK 10 and newer includes the ability to install using one of the following installation modes:
-- Internal
-- External
-
-> [!NOTE]
-> IEAK 11 works in network environments, with or without Microsoft Active Directory service.
-
-
-### Corporations
-IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality.
-
-Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older).
-
-### Internet service providers
-IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package.
-
-ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older).
-
-### Internet content providers
-IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use.
-
-ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older)
-
-### Independent software vendors
-IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar.
-
-ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older).
-
-## Additional resources
-
-- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md)
-- [Download IEAK 11](ieak-information-and-downloads.md)
-- [IEAK 11 overview](index.md)
-- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index)
-- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
-- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
-- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
-- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643)
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: support
+ms.pagetype: security
+description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
+author: dansimp
+ms.author: dansimp
+ms.manager: elizapo
+ms.prod: ie11
+ms.assetid:
+ms.reviewer:
+audience: itpro
+manager: dansimp
+title: What IEAK can do for you
+ms.sitesec: library
+ms.date: 05/10/2018
+---
+
+# What IEAK can do for you
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
+
+IEAK 10 and newer includes the ability to install using one of the following installation modes:
+
+- Internal
+
+- External
+
+## IEAK 11 users
+Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
+
+IEAK 10 and newer includes the ability to install using one of the following installation modes:
+- Internal
+- External
+
+> [!NOTE]
+> IEAK 11 works in network environments, with or without Microsoft Active Directory service.
+
+
+### Corporations
+IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality.
+
+Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older).
+
+### Internet service providers
+IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package.
+
+ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older).
+
+### Internet content providers
+IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use.
+
+ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older)
+
+### Independent software vendors
+IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar.
+
+ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older).
+
+## Additional resources
+
+- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md)
+- [Download IEAK 11](ieak-information-and-downloads.md)
+- [IEAK 11 overview](index.md)
+- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index)
+- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
+- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
+- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
+- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643)
diff --git a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md
index e81b0eedea..03de7ed423 100644
--- a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md
@@ -1,31 +1,35 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard
-The **Wizard Complete – Next Steps** page of the Internet Explorer Customization Wizard 11 lets you build your custom installation package, after you click **Finish**.
-
-In most cases, your next steps will be to prepare your files for installation from your network or from another distribution method. If you haven’t already done it, you’ll need to digitally sign any program or .cab files that are going to be distributed over the Internet or over an intranet that isn’t configured to allow downloads.
-
-After that, the steps you’ll use to distribute your customized browser will vary, depending on your version of IEAK (Internal or External) and the media you’re using to distribute the package. For more information, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md).
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package.
+author: dansimp
+ms.prod: ie11
+ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+The **Wizard Complete – Next Steps** page of the Internet Explorer Customization Wizard 11 lets you build your custom installation package, after you click **Finish**.
+
+In most cases, your next steps will be to prepare your files for installation from your network or from another distribution method. If you haven’t already done it, you’ll need to digitally sign any program or .cab files that are going to be distributed over the Internet or over an intranet that isn’t configured to allow downloads.
+
+After that, the steps you’ll use to distribute your customized browser will vary, depending on your version of IEAK (Internal or External) and the media you’re using to distribute the package. For more information, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md).
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
new file mode 100644
index 0000000000..96a04e5f70
--- /dev/null
+++ b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
@@ -0,0 +1,13 @@
+---
+author: pamgreen-msft
+ms.author: pamgreen
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: pamgreen
+ms.prod: ie11
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> Microsoft 365 apps and services will not support Internet Explorer 11 starting August 17, 2021 (Microsoft Teams will not support Internet Explorer 11 earlier, starting November 30, 2020). [Learn more](https://aka.ms/AA97tsw). Please note that Internet Explorer 11 will remain a supported browser. Internet Explorer 11 is a component of the Windows operating system and [follows the Lifecycle Policy](https://docs.microsoft.com/lifecycle/faq/internet-explorer-microsoft-edge) for the product on which it is installed.
\ No newline at end of file
diff --git a/browsers/internet-explorer/internet-explorer.yml b/browsers/internet-explorer/internet-explorer.yml
index 4c11b5c85e..7a2759960e 100644
--- a/browsers/internet-explorer/internet-explorer.yml
+++ b/browsers/internet-explorer/internet-explorer.yml
@@ -1,69 +1,174 @@
-### YamlMime:YamlDocument
+### YamlMime:Landing
-documentType: LandingData
-title: Internet Explorer 11
+title: Internet Explorer 11 documentation
+summary: Consistent, reliable web browsing on Windows 7, Windows 8.1, and Windows 10, with the security, performance, backward compatibility, and modern standards support that large organizations need.
metadata:
- document_id:
- title: Internet Explorer 11
- description: Consistent, reliable web browsing on Windows 7, Windows 8.1, and Windows 10, with the security, performance, backward compatibility, and modern standards support that large organizations need.
- keywords: Internet Explorer 11. IE11
- ms.localizationpriority: medium
- author: lizap
+ title: Internet Explorer 11 documentation
+ description: Consistent, reliable web browsing on Windows 7, Windows 8.1, and Windows 10, with the security, performance, backward compatibility, and modern standards support that large organizations need.
+ ms.topic: landing-page
+ author: lizap
ms.author: elizapo
- manager: dougkim
- ms.topic: article
- ms.devlang: na
+ ms.date: 07/06/2020
-sections:
-- items:
- - type: markdown
- text: "
- Consistent, reliable web browsing on Windows 7, Windows 8.1, and Windows 10, with the security, performance, backward compatibility, and modern standards support that large organizations need.
- "
-- title: Explore
-- items:
- - type: markdown
- text: "
- Find tools, step-by-step guides, updates, and other resources to help you get started.
-
- "
-- title: Plan
-- items:
- - type: markdown
- text: "
- Find information and tips to help you assess compatibility and prioritize processes as you plan for Internet Explorer 11.
-
- "
-- title: Deploy
-- items:
- - type: markdown
- text: "
- Find the resources you need to successfully deploy Internet Explorer 11 in your organization.
-
- "
-- title: Manage
-- items:
- - type: markdown
- text: "
- Find everything you need to manage Internet Explorer 11 effectively in your organization. Get information on Group Policy, blocked out-of-date ActiveX controls, scripts, and more.
-
- "
-- title: Support
-- items:
- - type: markdown
- text: "
- Get help from product specialists and community experts, and find solutions to commonly encountered issues.
-
**Sign up for the Windows IT Pro Insider** Get the latest tools, tips, and expert guidance on deployment, management, security, and more. Learn more
**Microsoft Edge Dev blog** Keep up with the latest browser trends, security tips, and news for IT professionals. Read the blog
**Microsoft Edge Dev on Twitter** Get the latest news and updates from the Microsoft Web Platform team. Visit Twitter
-
- "
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card
+ - title: Explore
+ linkLists:
+ - linkListType: get-started
+ links:
+ - text: IE11 features and tools
+ url: /internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11
+ - text: System requirements and language support
+ url: /internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11
+ - text: Frequently asked questions
+ url: /internet-explorer/ie11-faq/faq-for-it-pros-ie11
+ - text: Internet Explorer 11 deployment guide
+ url: /internet-explorer/ie11-deploy-guide/
+ - text: Use Enterprise Mode to improve compatibility
+ url: /microsoft-edge/deploy/emie-to-improve-compatibility
+ - text: Lifecycle FAQ - Internet Explorer
+ url: https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer
+ - linkListType: download
+ links:
+ - text: Download IE11 with Windows 10
+ url: https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise
+ - text: Enterprise Mode Site List Manager (schema, v.2)
+ url: https://www.microsoft.com/download/details.aspx?id=49974
+ - text: Cumulative security updates for Internet Explorer 11
+ url: https://www.catalog.update.microsoft.com/Search.aspx?q=cumulative%20security%20update%20for%20internet%20explorer%2011
+ - linkListType: learn
+ links:
+ - text: Getting started with Windows 10 for IT professionals
+ url: https://mva.microsoft.com/training-courses/getting-started-with-windows-10-for-it-professionals-10629?l=fCowqpy8_5905094681
+ - text: 'Windows 10: Top Features for IT Pros'
+ url: https://mva.microsoft.com/training-courses/windows-10-top-features-for-it-pros-16319?l=xBnT2ihhC_7306218965
+ - text: Manage and modernize Internet Explorer with Enterprise Mode
+ url: https://channel9.msdn.com/events/teched/newzealand/2014/pcit307
+ - text: 'Virtual Lab: Enterprise Mode'
+ url: https://www.microsoft.com/handsonlabs/SelfPacedLabs/?storyGuid=e4155067-2c7e-4b46-8496-eca38bedca02
+
+ # Card
+ - title: Plan
+ linkLists:
+ - linkListType: get-started
+ links:
+ - text: What is Enterprise Mode?
+ url: /internet-explorer/ie11-deploy-guide/what-is-enterprise-mode
+ - text: Tips and tricks to manage Internet Explorer compatibility
+ url: /internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility
+ - text: Download the Enterprise Site Discovery Toolkit
+ url: https://www.microsoft.com/download/details.aspx?id=44570
+ - text: Collect data using Enterprise Site Discovery
+ url: /internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery
+ - text: Manage Windows upgrades with Upgrade Readiness
+ url: /windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness
+ - text: 'Demo: Plan and manage Windows 10 upgrades and feature updates with'
+ url: https://techcommunity.microsoft.com/t5/Microsoft-Ignite-Content-2017/Windows-Analytics-Plan-and-manage-Windows-10-upgrades-and/td-p/98639
+ - linkListType: how-to-guide
+ links:
+ - text: Turn on Enterprise Mode and use a site list
+ url: /internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list
+ - text: Add sites to the Enterprise Mode site list
+ url: /internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool
+ - text: Edit the Enterprise Mode site list
+ url: /internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager
+ - text: Turn on local control and logging for Enterprise Mode
+ url: /internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode
+
+ # Card
+ - title: Deploy
+ linkLists:
+ - linkListType: get-started
+ links:
+ - text: IEAK 11 user's guide
+ url: /internet-explorer/ie11-ieak/
+ - text: Download IEAK 11
+ url: /internet-explorer/ie11-ieak/ieak-information-and-downloads
+ - text: Frequently asked questions about IEAK 11
+ url: /internet-explorer/ie11-faq/faq-ieak11
+ - text: Customization and distribution guidelines
+ url: /internet-explorer/ie11-ieak/licensing-version-and-features-ieak11#customization-guidelines
+ - linkListType: deploy
+ links:
+ - text: Install Internet Explorer 11 through automatic updates (recommended)
+ url: /internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates
+ - text: Install Internet Explorer 11 as part of an operating system deployment
+ url: /internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems
+ - text: Install Internet Explorer 11 over the network
+ url: /internet-explorer/ie11-deploy-guide/install-ie11-using-the-network
+ - text: Install Internet Explorer 11 with System Center 2012 R2 Configuration Manager
+ url: /internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager
+ - text: Install Internet Explorer 11 with Windows Server Update Services (WSUS)
+ url: /internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus
+ - text: Install Internet Explorer 11 with Microsoft Intune
+ url: /internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune
+ - text: Install Internet Explorer 11 with third-party tools
+ url: /internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools
+
+ # Card
+ - title: Manage
+ linkLists:
+ - linkListType: tutorial
+ links:
+ - text: Group Policy for beginners
+ url: /previous-versions/windows/it-pro/windows-7/hh147307(v=ws.10)
+ - text: New Group Policy settings for IE11
+ url: /internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11
+ - text: Administrative templates for IE11
+ url: https://www.microsoft.com/download/details.aspx?id=40905
+ - text: Group Policy preferences for IE11
+ url: /internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11
+ - text: Configure Group Policy preferences
+ url: https://support.microsoft.com/help/2898604/how-to-configure-group-policy-preference-settings-for-internet-explorer-11-in-windows-8.1-or-windows-server-2012-r2
+ - text: Blocked out-of-date ActiveX controls
+ url: /internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls
+ - text: Out-of-date ActiveX control blocking
+ url: /internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking
+ - text: Update to block out-of-date ActiveX controls in Internet Explorer
+ url: https://support.microsoft.com/help/2991000/update-to-block-out-of-date-activex-controls-in-internet-explorer
+ - text: Script to join user to AD with automatic Local user Profile Migration
+ url: https://gallery.technet.microsoft.com/scriptcenter/script-to-join-active-7b16d9d3
+ - text: Scripts for IT professionals
+ url: https://gallery.technet.microsoft.com/scriptcenter/site/search?query=Microsoft%20Edge%20or%20Internet
+
+ # Card
+ - title: Support
+ linkLists:
+ - linkListType: get-started
+ links:
+ - text: Change or reset Internet Explorer settings
+ url: https://support.microsoft.com/help/17441/windows-internet-explorer-change-reset-settings
+ - text: Troubleshoot problems with setup, installation, auto configuration, and more
+ url: /internet-explorer/ie11-deploy-guide/troubleshoot-ie11
+ - text: Disable VBScript execution in Internet Explorer for Internet Zone and Restricted Sites Zone
+ url: https://support.microsoft.com/help/4012494/option-to-disable-vbscript-execution-in-internet-explorer-for-internet
+ - text: Frequently asked questions about IEAK 11
+ url: /internet-explorer/ie11-faq/faq-ieak11
+ - text: Internet Explorer 8, 9, 10, 11 forum
+ url: https://social.technet.microsoft.com/forums/ie/home?forum=ieitprocurrentver
+ - text: Contact a Microsoft support professional
+ url: https://support.microsoft.com/contactus
+ - text: Support options for Microsoft Partners
+ url: https://mspartner.microsoft.com/Pages/Support/get-support.aspx
+ - text: Microsoft Services Premier Support
+ url: https://www.microsoft.com/en-us/microsoftservices/support.aspx
+ - text: Microsoft Small Business Support Center
+ url: https://smallbusiness.support.microsoft.com/product/internet-explorer
+ - text: General support
+ url: https://support.microsoft.com/products/internet-explorer
+
+ # Card
+ - title: Stay informed
+ linkLists:
+ - linkListType: get-started
+ links:
+ - text: Sign up for the Windows IT Pro Insider
+ url: https://aka.ms/windows-it-pro-insider
+ - text: Microsoft Edge Dev blog
+ url: https://blogs.windows.com/msedgedev
+ - text: Microsoft Edge Dev on Twitter
+ url: https://twitter.com/MSEdgeDev
diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json
index 4f53494c32..5228341de6 100644
--- a/devices/hololens/docfx.json
+++ b/devices/hololens/docfx.json
@@ -48,9 +48,7 @@
}
},
"fileMetadata": {},
- "template": [
- null
- ],
+ "template": [],
"dest": "devices/hololens",
"markdownEngineName": "markdig"
},
diff --git a/images/sc-image402.png b/images/sc-image402.png
new file mode 100644
index 0000000000..8bfe73fd87
Binary files /dev/null and b/images/sc-image402.png differ
diff --git a/mdop/docfx.json b/mdop/docfx.json
index e6f79ff24a..abcead924c 100644
--- a/mdop/docfx.json
+++ b/mdop/docfx.json
@@ -34,7 +34,7 @@
"ms.topic": "article",
"ms.date": "04/05/2017",
"feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
+ "feedback_github_repo": "https://github.com/MicrosoftDocs/mdop-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
index ff4fbd3363..082fa016f4 100644
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -33,19 +33,22 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD.
- a. Download the FOD .cab file for [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
+ 1. Download the FOD .cab file for [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
- >[!NOTE]
- >You must download the FOD .cab file that matches your operating system version.
+ > [!NOTE]
+ > You must download the FOD .cab file that matches your operating system version.
- b. Use `Add-Package` to add Windows Mixed Reality FOD to the image.
+ 1. Use `Add-Package` to add Windows Mixed Reality FOD to the image.
- ```powershell
- Add-Package
- Dism /Online /add-package /packagepath:(path)
- ```
+ ```powershell
+ Add-Package
+ Dism /Online /add-package /packagepath:(path)
+ ```
+
+ > [!NOTE]
+ > You must rename the FOD .CAB file to : **Microsoft-Windows-Holographic-Desktop-FOD-Package\~31bf3856ad364e35\~amd64\~\~.cab**
- c. In **Settings** > **Update & Security** > **Windows Update**, select **Check for updates**.
+ 1. In **Settings** > **Update & Security** > **Windows Update**, select **Check for updates**.
IT admins can also create [Side by side feature store (shared folder)](https://technet.microsoft.com/library/jj127275.aspx) to allow access to the Windows Mixed Reality FOD.
diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md
index adcf842841..91ef9b0c48 100644
--- a/windows/application-management/msix-app-packaging-tool.md
+++ b/windows/application-management/msix-app-packaging-tool.md
@@ -30,11 +30,11 @@ You can either run your installer interactively (through the UI) or create a pac
- Windows 10, version 1809 (or later)
- Participation in the Windows Insider Program (if you're using an Insider build)
-- A valid Microsoft account (MSA) alias to access the app from the Microsoft Store
+- A valid Microsoft work or school account to access the app from the Microsoft Store
- Admin privileges on your PC account
### Get the app from the Microsoft Store
-1. Use the MSA login associated with your Windows Insider Program credentials in the [Microsoft Store](https://www.microsoft.com/store/r/9N5LW3JBCXKF).
+1. Use the Microsoft work or school account login associated with your Windows Insider Program credentials in the [Microsoft Store](https://www.microsoft.com/store/r/9N5LW3JBCXKF).
2. Open the product description page.
3. Click the install icon to begin installation.
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md
index 91bc510d5f..189e952207 100644
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/administrative-tools-in-windows-10.md
@@ -29,7 +29,7 @@ The tools in the folder might vary depending on which edition of Windows you are
-These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders.
+These tools were included in previous versions of Windows. The associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders.
diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md
index 5de58be176..ee8a044508 100644
--- a/windows/client-management/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/change-default-removal-policy-external-storage-media.md
@@ -5,7 +5,6 @@ ms.prod: w10
author: Teresa-Motiv
ms.author: v-tea
ms.date: 12/13/2019
-ms.prod: w10
ms.topic: article
ms.custom:
- CI 111493
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
index 413f6d9c1e..8e84d077d5 100644
--- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -81,7 +81,7 @@ To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use
**Terms of Use endpoint**
Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user’s consent before the actual enrollment phase begins.
-It’s important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g., users in certain geographies may be subject to stricter device management policies).
+It’s important to understand that the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g., users in certain geographies may be subject to stricter device management policies).
The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. It’s not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 3a1ecfb0f9..b84c02e4e8 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -1072,6 +1072,16 @@ Each server-side recovery key rotation is represented by a request ID. The serve
Value type is string. Supported operation is Execute. Request ID is expected as a parameter.
+> [!TIP]
+> Key rotation feature will only work when:
+>
+> - For Operating system drives:
+> - OSRequireActiveDirectoryBackup_Name is set to 1 ("Required")
+> - OSActiveDirectoryBackup_Name is set to true
+> - For Fixed data drives:
+> - FDVRequireActiveDirectoryBackup_Name is set to 1 = ("Required")
+> - FDVActiveDirectoryBackup_Name is set to true
+
**Status**
Interior node. Supported operation is Get.
diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md
index 6e878defd1..f709de39d0 100644
--- a/windows/client-management/mdm/certificatestore-csp.md
+++ b/windows/client-management/mdm/certificatestore-csp.md
@@ -17,7 +17,9 @@ ms.date: 02/28/2020
The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates.
-> **Note** The CertificateStore configuration service provider does not support installing client certificates.
+> [!Note]
+> The CertificateStore configuration service provider does not support installing client certificates.
+> The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive.
@@ -643,4 +645,3 @@ Configure the device to automatically renew an MDM client certificate with the s
-
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 59751b300b..fb69460ed8 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -1108,7 +1108,7 @@ Additional lists:
Mobile Enterprise
-
+
@@ -2744,8 +2744,10 @@ The following list shows the CSPs supported in HoloLens devices:
## CSPs supported in Microsoft Surface Hub
+- [Accounts CSP](accounts-csp.md)9 **Note:** Support in Surface Hub is limited to **Domain\ComputerName**.
- [AccountManagement CSP](accountmanagement-csp.md)
- [APPLICATION CSP](application-csp.md)
+- [Bitlocker-CSP](bitlocker-csp.md)9
- [CertificateStore CSP](certificatestore-csp.md)
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
- [Defender CSP](defender-csp.md)
@@ -2757,18 +2759,21 @@ The following list shows the CSPs supported in HoloLens devices:
- [DMAcc CSP](dmacc-csp.md)
- [DMClient CSP](dmclient-csp.md)
- [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
+- [Firewall-CSP](firewall-csp.md)9
- [HealthAttestation CSP](healthattestation-csp.md)
- [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
- [NodeCache CSP](nodecache-csp.md)
- [PassportForWork CSP](passportforwork-csp.md)
- [Policy CSP](policy-configuration-service-provider.md)
- [Reboot CSP](reboot-csp.md)
-- [RemoteWipe CSP](remotewipe-csp.md)
+- [RemoteWipe CSP](remotewipe-csp.md)9
- [Reporting CSP](reporting-csp.md)
- [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
- [SurfaceHub CSP](surfacehub-csp.md)
- [UEFI CSP](uefi-csp.md)
+- [Wifi-CSP](wifi-csp.md)9
- [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
+- [Wirednetwork-CSP](wirednetwork-csp.md)9
## CSPs supported in Windows 10 IoT Core
@@ -2807,3 +2812,4 @@ The following list shows the CSPs supported in HoloLens devices:
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
+- 9 - Added in Windows 10 Team 2020 Update
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index ecfd84d7fa..cb96fa1fb1 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -10,11 +10,14 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 10/21/2019
+ms.date: 08/11/2020
---
# Defender CSP
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
The following image shows the Windows Defender configuration service provider in tree format.
@@ -48,7 +51,7 @@ Supported operation is Get.
**Detections/*ThreatId*/Severity**
Threat severity ID.
-The data type is a integer.
+The data type is integer.
The following list shows the supported values:
@@ -63,7 +66,7 @@ Supported operation is Get.
**Detections/*ThreatId*/Category**
Threat category ID.
-The data type is a integer.
+The data type is integer.
The following table describes the supported values:
@@ -125,7 +128,7 @@ Supported operation is Get.
**Detections/*ThreatId*/CurrentStatus**
Information about the current status of the threat.
-The data type is a integer.
+The data type is integer.
The following list shows the supported values:
@@ -146,7 +149,7 @@ Supported operation is Get.
**Detections/*ThreatId*/ExecutionStatus**
Information about the execution status of the threat.
-The data type is a integer.
+The data type is integer.
Supported operation is Get.
@@ -167,7 +170,7 @@ Supported operation is Get.
**Detections/*ThreatId*/NumberOfDetections**
Number of times this threat has been detected on a particular client.
-The data type is a integer.
+The data type is integer.
Supported operation is Get.
@@ -179,7 +182,7 @@ Supported operation is Get.
**Health/ProductStatus**
Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list.
-Data type is integer. Supported operation is Get.
+The data type is integer. Supported operation is Get.
Supported product status values:
- No status = 0
@@ -230,7 +233,7 @@ Example:
**Health/ComputerState**
Provide the current state of the device.
-The data type is a integer.
+The data type is integer.
The following list shows the supported values:
@@ -391,7 +394,7 @@ When enabled or disabled exists on the client and admin moves the setting to not
Enables or disables file hash computation feature.
When this feature is enabled Windows defender will compute hashes for files it scans.
-The data type is a integer.
+The data type is integer.
Supported operations are Add, Delete, Get, Replace.
@@ -399,6 +402,26 @@ Valid values are:
- 1 – Enable.
- 0 (default) – Disable.
+**Configuration/SupportLogLocation**
+The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (**MpCmdRun.exe**) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise.
+
+Data type is string.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Intune Support log location setting UX supports three states:
+
+- Not configured (default) - Does not have any impact on the default state of the device.
+- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path.
+- 0 - Disabled. Turns off the Support log location feature.
+
+When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
+
+More details:
+
+- [Microsoft Defender AV diagnostic data](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
+- [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices)
+
**Scan**
Node that can be used to start a Windows Defender scan on a device.
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index 60c2372aed..508d2f5d0d 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -1,6 +1,6 @@
---
title: Defender DDF file
-description: See how the the OMA DM device description framework (DDF) for the **Defender** configuration service provider is used.
+description: See how the OMA DM device description framework (DDF) for the **Defender** configuration service provider is used.
ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65
ms.reviewer:
manager: dansimp
@@ -10,7 +10,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 10/21/2019
+ms.date: 08/11/2020
---
# Defender DDF file
@@ -45,7 +45,7 @@ The XML below is the current version for this CSP.
- com.microsoft/1.2/MDM/Defender
+ com.microsoft/1.3/MDM/Defender
@@ -734,6 +734,29 @@ The XML below is the current version for this CSP.
+
+ SupportLogLocation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ Scan
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index 2e5300fe0d..2f00912ad8 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -56,21 +56,16 @@ The supported operations are Add and Execute.
The data type is string.
Expected value:
-Set and Execute are functionality equivalent, and each accepts an XML snippet (as a string) describing what data to gather and where to upload it.
-
-The following is an example of the XML. This example instructs the CSP to gather:
-- All the keys and values under a registry path
-- All the *.etl files in a folder
-- The output of two commands
-- Additional files created by one of the commands
-- All the Application event log events.
-
-The results are zipped and uploaded to the specified SasUrl. The filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip".
+Set and Execute are functionality equivalent, and each accepts a `Collection` XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified SasUrl. The zipped filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip".
+
+The following is an example of a `Collection` XML.
``` xml
- server generated guid value such as f1e20cb4-9789-4f6b-8f6a-766989764c6d
- server generated url where the HTTP PUT will be accepted
+
+ f1e20cb4-9789-4f6b-8f6a-766989764c6d
+
+ HKLM\Software\Policies%ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl%windir%\system32\ipconfig.exe /all
@@ -83,15 +78,13 @@ The results are zipped and uploaded to the specified SasUrl. The filename format
The XML should include the following elements within the `Collection` element:
**ID**
-The ID value is a server-generated GUID string that identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value.
+The ID value uniquely identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The CSP expects the value to be populated when the request is received, so it must be generated by the IT admin or the management server.
**SasUrl**
-The SasUrl value is the target URI to which the CSP uploads the results zip file. It is the responsibility of the management server to provision storage in such a way that the server accepts the HTTP PUT to this URL. For example, the device management service could:
-- Provision cloud storage, such as an Azure blob storage container or other storage managed by the device management server
-- Generate a dynamic https SAS token URL representing the storage location (and which is understood by the server to allow a one-time upload or time-limited uploads)
-- Pass this value to the CSP as the SasUrl value.
-
-Assuming a case where the management server's customer (such as an IT admin) is meant to access the data, the management server would also expose the stored data through its user interface or APIs.
+The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It is the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could:
+- Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container
+- Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container
+- Pass this value to the CSP on the target device through the `Collection` XML as the `SasUrl` value.
**One or more data gathering directives, which may include any of the following:**
@@ -1482,4 +1475,4 @@ To read a log file:
5. Set **BlockIndexToRead** to initialize read start point.
6. Get **BlockData** for upload log block.
7. Increase **BlockIndexToRead**.
-8. Repeat step 5 to 7 until **BlockIndexToRead == (BlockIndexToRead – 1)**.
\ No newline at end of file
+8. Repeat steps 5 to 7 until **BlockIndexToRead == (BlockIndexToRead – 1)**.
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index 15b21d0197..44ff431b60 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -1022,7 +1022,6 @@ The XML below is for Windows 10, version 1803.
-
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
index 00caaaa35d..1f420a71c4 100644
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -17,7 +17,7 @@ manager: dansimp
This is a step-by-step guide to configuring ADMX-backed policies in MDM.
-Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
+Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX-backed policies)](https://docs.microsoft.com/windows/client-management/mdm/policy-csps-admx-backed) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
Summary of steps to enable a policy:
- Find the policy from the list ADMX-backed policies.
diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
index 32ac15d67d..7ef806784f 100644
--- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
+++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
@@ -1,6 +1,6 @@
---
title: Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
-description: Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet.
+description: Overview of how to enable offline updates using Microsoft Endpoint Configuration Manager.
ms.assetid: ED3DAF80-847C-462B-BDB1-486577906772
ms.reviewer:
manager: dansimp
@@ -15,9 +15,9 @@ ms.date: 06/26/2017
# Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
-Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. Because of network restrictions or other enterprise policies, devices must download their updates from an internal location. This document describes how to enable offline updates using Microsoft Endpoint Configuration Manager.
+Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. There are also situations where network restrictions or other enterprise policies require that devices download updates from an internal location. This article describes how to enable offline updates using Microsoft Endpoint Configuration Manager.
-Here is a table of update path to Windows 10 Mobile.
+The following table describes the update path to Windows 10 Mobile.
@@ -47,9 +47,7 @@ Here is a table of update path to Windows 10 Mobile.
-To configure the MDM service provider and enable the mobile devices to download updates from a predefined internal location, an IT administrator or device administrator must perform a series of manual and automated steps.
-
-Here is the outline of the process:
+To configure the mobile device management (MDM) service provider and enable mobile devices to download updates from a predefined internal location, an IT administrator or device administrator must perform a series of manual and automated steps:
1. Prepare a test device that can connect to the Internet to download the released update packages.
2. After the updates are downloaded and before pressing the install button, retrieve an XML file on the device that contains all the metadata about each update package.
@@ -61,64 +59,65 @@ Here is the outline of the process:
8. Create two additional XML files that define the specific updates to download and the specific locations from which to download the updates, and deploy them onto the production device.
9. Start the update process from the devices.
-As a part of the update process, Windows will run data migrators to bring forward configured settings and data on the device. For instance, if the device was configured with a maintenance time or other update policy in Windows Embedded 8.1 Handheld, these settings will automatically get migrated to Windows 10 as part of the update process. If the Handheld device was configured for assigned access lockdown, then this configuration will also get migrated to Windows 10 as part of the update process. This includes ProductId & AumId conversion for all internal apps (including buttonremapping apps).
+As a part of the update process, Windows runs data migrators to bring forward configured settings and data on the device. For instance, if the device was configured with a maintenance time or other update policy in Windows Embedded 8.1 Handheld, these settings are automatically migrated to Windows 10 as part of the update process. If the handheld device was configured for assigned access lockdown, then this configuration is also migrated to Windows 10 as part of the update process. This includes ProductId and AumId conversion for all internal apps (including buttonremapping apps).
-Note that the migrators do not take care of the following:
+Be aware that the migrators do not take care of the following:
-- 3rd party apps provided by OEMs
-- deprecated 1st party apps, such as Bing News
-- deprecated system/application settings, such as Microsoft.Game, Microsoft.IE
+- Third-party apps provided by OEMs.
+- Deprecated first-party apps, such as Bing News.
+- Deprecated system or application settings, such as Microsoft.Game and Microsoft.IE.
In the event of an Enterprise Reset, these migrated settings are automatically persisted.
-Down the road, after the upgrade to Windows 10 is complete, if you decide to push down a new wehlockdown.xml, you would need to take the following steps to ensure that the updated settings are persisted through an Enterprise Reset:
+After the upgrade to Windows 10 is complete, if you decide to push down a new wehlockdown.xml, you need to take the following steps to ensure that the updated settings are persisted through an Enterprise Reset:
1. Delete the TPK\*ppkg and push down a new ppkg with your new configuration to the persistent folder.
-2. Push down a new ppkg with your new configuration with higher priority. Note that in ICD, Owner=Microsoft, Rank=0 is the lowest priority; and vise versa. With this step, the old assigned access lockdown configuration will be overwritten.
+2. Push down a new ppkg with your new configuration with higher priority. (Be aware that in ICD, Owner=Microsoft, Rank=0 is the lowest priority, and vice versa. With this step, the old assigned access lockdown configuration is overwritten.)
**Requirements:**
- The test device must be same as the other production devices that are receiving the updates.
-- Your test device must be enrolled with Microsoft Endpoint Configuration Manager.
-- Your device can connect to the Internet.
-- Your device must have an SD card with at least 0.5 GB of free space.
-- Ensure that the settings app and PhoneUpdate applet are available via Assigned Access.
+- The test device must be enrolled with Microsoft Endpoint Configuration Manager.
+- The test device must be connected to the Internet.
+- The test device must have an SD card with at least 0.5 GB of free space.
+- Ensure that the settings app and PhoneUpdate applet are available through Assigned Access.
-The following diagram is a high-level overview of the process.
+The following diagram shows a high-level overview of the process.
## Step 1: Prepare a test device to download updates from Microsoft Update
-Define the baseline update set that will be applied to other devices. Use a device that is running the most recent image as the test device.
+Define the baseline update set that you want to apply to other devices. Use a device that is running the most recent image as the test device.
Trigger the device to check for updates either manually or using Microsoft Endpoint Configuration Manager.
-**Manually**
+**Check for updates manually**
-1. From the device, go to **Settings** > **Phone updates** > **Check for updates**.
-2. Sync the device. Go to **Settings** > **Workplace** > **Enrolled** and click the refresh icon. Repeat as needed.
-3. Follow the prompts to download the updates, but do not press the install button.
+1. On the device, go to **Settings** > **Phone updates** > **Check for updates**.
+2. Sync the device, go to **Settings** > **Workplace** > **Enrolled**, and then select the refresh icon. Repeat as needed.
+3. Follow the prompts to download the updates, but do not select the **Install** button.
-> **Note** There is a bug in all OS versions up to GDR2 where the CSP will not set the assigned value. There is no way to change or set this until GDR2 is deployed onto the device.
+> [!NOTE]
+> There is a bug in all OS versions up to GDR2 where the Cloud Solution Provider (CSP) does not set the assigned value. There is no way to change or set this until GDR2 is deployed onto the device.
-**Using Microsoft Endpoint Configuration Manager**
+**Check for updates by using Microsoft Endpoint Configuration Manager**
-1. Remotely trigger a scan of the test device by deploying a Trigger Scan Configuration Baseline.
+1. Remotely trigger a scan of the test device by deploying a Trigger Scan configuration baseline.
-2. Set the value of this OMA-URI by browsing to the settings of this Configuration Item and selecting the newly created Trigger Scan settings from the previous step.
+2. Set the value of this OMA-URI by going to **Configuration Item**, and then selecting the newly created Trigger Scan settings from the previous step.
-3. Ensure that the value that is specified for this URI is greater than the value on the device(s) and that the Remediate noncompliant rules when supported option is checked. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value.
+3. Ensure that the value that is specified for this URI is greater than the value on the device(s), and that the **Remediate noncompliant rules when supported** option is selected. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value.
-4. Create a Configuration Baseline for TriggerScan and Deploy. It is recommended that this Configuration Baseline be deployed after the Controlled Updates Baseline has been applied to the device (the corresponding files are deployed on the device through a device sync session).
+4. Create a configuration baseline for Trigger Scan and Deploy. We recommend that this configuration baseline be deployed after the Controlled Updates baseline has been applied to the device. (The corresponding files are deployed on the device through a device sync session.)
5. Follow the prompts for downloading the updates, but do not install the updates on the device.
@@ -130,23 +129,24 @@ There are two ways to retrieve this file from the device; one pre-GDR1 and one p
**Pre-GDR1: Parse a compliance log from the device in ConfigMgr**
-1. Create a Configuration Item using ConfigMgr to look at the registry entry ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/ApprovedUpdatesXml.
+1. Use ConfigMgr to create a configuration item to look at the registry entry ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/ApprovedUpdatesXml.
- > **Note** In Microsoft Endpoint Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml. However, the process still completes even if the file is large.
+ > [!NOTE]
+ > In Microsoft Endpoint Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml, but the process still completes even if the file is large.
- If the XML file is greater than 32K you can also use ./Vendor/MSFT/FileSystem/<*filename*>.
-2. Set a baseline for this Configuration Item with a “dummy” value (such as zzz), and ensure that you do not remediate it.
+ If the XML file is greater than 32 KB, you can also use ./Vendor/MSFT/FileSystem/<*filename*>.
+2. Set a baseline for this configuration item with a “dummy” value (such as zzz), and ensure that you do not remediate it.
- The dummy value is not be set; it is only used for comparison.
+ The dummy value is not set; it is only used for comparison.
3. After the report XML is sent to the device, Microsoft Endpoint Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data.
4. Parse this log for the report XML content.
-For a step-by-step walkthrough, see [How to retrieve a device update report using Microsoft Endpoint Configuration Manager logs](#how-to-retrieve-a-device-update-report-using-microsoft-endpoint-configuration-manager-logs).
+For a step-by-step walkthrough, see [Retrieve a device update report using Microsoft Endpoint Configuration Manager logs](#retrieve-a-device-update-report-using-microsoft-endpoint-configuration-manager-logs).
**Post-GDR1: Retrieve the report xml file using an SD card**
-1. Create a Configuration Item using ConfigMgr to set a registry value for ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/CopyUpdateReportToSDCard.
-2. The value that you define for this Configuration Item is defined by the relative path to the SD card which includes the filename of the XML file (such as SDCardRoot\\Update\\DUReport.xml).
+1. Use ConfigMgr to create a configuration item to set a registry value for ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/CopyUpdateReportToSDCard.
+2. The value that you define for this configuration item is defined by the relative path to the SD card, which includes the filename of the XML file (such as SDCardRoot\\Update\\DUReport.xml).
3. Remove the SD card from device and copy the XML file to your PC.
## Step 3: Check the status code in the XML file
@@ -197,46 +197,49 @@ Here are the two files.
-For a walkthrough of these steps, [How to deploy controlled updates](#how-to-deploy-controlled-updates). Ensure that the trigger scan configuration baseline HAS NOT been deployed.
+For a walkthrough of these steps, see [Deploy controlled updates](#deploy-controlled-updates). Ensure that the Trigger Scan configuration baseline has NOT been deployed.
-### How to deploy controlled updates
-This process has three parts:
+### Deploy controlled updates
-- Create a configuration item for DUControlledUpdates.xml
-- Create a configuration item for DUCustomContentURIs.xml
+The deployment process has three parts:
+
+- Create a configuration item for DUControlledUpdates.xml.
+- Create a configuration item for DUCustomContentURIs.xml.
- Create a configuration item for approved updates.
+
**Create a configuration item for DUControlledUpdates.xml**
-1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then click **Select**.
+1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then select **Select**.
-2. Browse to the DUControlledUpdates.xml that was created from the test device and specify that file path and name on the device as `NonPersistent\DUControlledUpdates.xml`.
+2. Browse to the DUControlledUpdates.xml that was created from the test device, and then specify the file path and name on the device as `NonPersistent\DUControlledUpdates.xml`.
-3. Check the box **Remediate noncompliant settings**.
-4. Click **OK**.
+3. Select **Remediate noncompliant settings**, and then select **OK**.
+
**Create a configuration item for DUCustomContentURIs.xml**
-1. Create a configuration item and specify that file path and name on the device as `NonPersistent\DUCustomContentURIs.xml`
-2. Check the box **Remediate noncompliant settings**.
+1. Create a configuration item and specify the file path and name on the device as `NonPersistent\DUCustomContentURIs.xml`
+2. Select **Remediate noncompliant settings**.
-3. Click **OK**.
+3. Select **OK**.
+
**Create a configuration baseline for approved updates**
1. Create a configuration baseline item and give it a name (such as ControlledUpdates).
-2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then click **OK**.
+2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then select **OK**.
@@ -244,20 +247,20 @@ This process has three parts:
-4. Click **OK**.
+4. Select **OK**.
## Step 7: Trigger the other devices to scan, download, and install updates
Now that the other "production" or "in-store" devices have the necessary information to download updates from an internal share, the devices are ready for updates.
-### Use this process for unmanaged devices
+### Update unmanaged devices
If the update policy of the device is not managed or restricted by Microsoft Endpoint Configuration Manager, an update process can be initiated on the device in one of the following ways:
-- Initiated by a periodic scan that the device automatically performs.
-- Initiated manually through **Settings** -> **Phone Update** -> **Check for Updates**.
+- A periodic scan that the device automatically performs.
+- Manually through **Settings** > **Phone Update** > **Check for Updates**.
-### Use this process for managed devices
+### Update managed devices
If the update policy of the device is managed or restricted by MDM, an update process can be initiated on the device in one of the following ways:
@@ -265,12 +268,13 @@ If the update policy of the device is managed or restricted by MDM, an update pr
Ensure that the trigger scan has successfully executed, and then remove the trigger scan configuration baseline.
- > **Note** Ensure that the PhoneUpdateRestriction Policy is set to a value of 0, to ensure that the device will not perform an automatic scan.
+ > [!NOTE]
+ > Ensure that the PhoneUpdateRestriction Policy is set to a value of 0 so that the device doesn't perform an automatic scan.
- Trigger the device to scan as part of a Maintenance Window defined by the IT Admin in Microsoft Endpoint Configuration Manager.
-After the installation of updates is completed, the IT Admin can use the DUReport generated in the production devices to determine if the device successfully installed the list of updates. If the device did not, error codes are provided in the DUReport.xml. To retrieve the device update report from a device, perform the same steps defined in [Step 2](#step2).
+After the updates are installed, the IT Admin can use the DUReport generated in the production devices to determine whether the device successfully installed the list of updates. If the device did not, error codes are provided in the DUReport.xml. To retrieve the device update report from a device, perform the same steps defined in [Step 2](#step2).
## Example PowerShell script
@@ -456,71 +460,70 @@ DownloadFiles $inputFile $downloadCache $localCacheURL
```
-## How to retrieve a device update report using Microsoft Endpoint Configuration Manager logs
-
-Use this procedure for pre-GDR1 devices.
+## Retrieve a device update report using Microsoft Endpoint Configuration Manager logs
**For pre-GDR1 devices**
+Use this procedure for pre-GDR1 devices:
-1. Trigger a device scan. Go to **Settings** -> **Phone Update** -> **Check for Updates**.
+1. Trigger a device scan by going to **Settings** > **Phone Update** > **Check for Updates**.
Since the DUReport settings have not been remedied, you should see a non-compliance.
-2. In Microsoft Endpoint Configuration Manager under **Assets and Compliance** > **Compliance Settings**, right-click on **Configuration Items**.
+2. In Microsoft Endpoint Configuration Manager, under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Items**.
3. Select **Create Configuration Item**.
-4. Enter a filename (such as GetDUReport) and then choose **Mobile Device**.
-5. In the **Mobile Device Settings** page, check the box **Configure Additional Settings that are not in the default settings group**, and the click **Next**.
+4. Enter a filename (such as GetDUReport), and then select **Mobile Device**.
+5. On the **Mobile Device Settings** page, select **Configure Additional Settings that are not in the default settings group**, and then select **Next**.
-6. In the **Additional Settings** page, click **Add**.
+6. On the **Additional Settings** page, select **Add**.
-7. In the **Browse Settings** page, click **Create Setting**.
+7. On the **Browse Settings** page, select **Create Setting**.
-8. Enter a unique **Name**. For the **Setting type**, select **OMA-URI** and for the **Data type**, select **String**.
-9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, the click **OK**.
+8. Enter a unique **Name**. For **Setting type**, select **OMA-URI**, and for **Data type**, select **String**.
+9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, and then select **OK**.
-10. In the **Browse Settings** page, click **Close**.
-11. In the **Create Configuration Item Wizard** page, check **All Windows Embedded 8.1 Handheld** as the supported platform, and then click **Next**.
+10. On the **Browse Settings** page, select **Close**.
+11. On the **Create Configuration Item Wizard** page, select **All Windows Embedded 8.1 Handheld** as the supported platform, and then select **Next**.
12. Close the **Create Configuration Item Wizard** page.
13. Right-click on the newly create configuration item, and then select the **Compliance Rules** tab.
-14. Click the new created mobile device setting (such as DUReport) and then click **Select**.
+14. Select the new created mobile device setting (such as DUReport), and then select **Select**.
15. Enter a dummy value (such as zzz) that is different from the one on the device.
-16. Disable remediation by unchecking the **Remediate noncompliant rules when supported** option.
-17. Click **OK** to close the Edit Rule page.
-18. Create a new configuration baseline. Under **Assets and Compliance** > **Compliance Settings**, right-click on **Configuration Baselines**.
+16. Disable remediation by deselecting the **Remediate noncompliant rules when supported** option.
+17. Select **OK** to close the **Edit Rule** page.
+18. Create a new configuration baseline. Under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Baselines**.
19. Select **Create Configuration Item**.
20. Enter a baseline name (such as RetrieveDUReport).
-21. Add the configuration item that you just created. Select **Add** and then select the configuration item that you just created (such as DUReport).
+21. Add the configuration item that you just created. Select **Add**, and then select the configuration item that you just created (such as DUReport).
-22. Click **OK**, then click **OK** again to complete the configuration baseline.
-23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created and the select **Deploy**.
+22. Select **OK**, and then select **OK** again to complete the configuration baseline.
+23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created, and then select **Deploy**.
-24. Check the check box **Remediate noncompliant rules when supported**.
+24. Select **Remediate noncompliant rules when supported**.
25. Select the appropriate device collection and define the schedule.
-26. To view the DUReport content, select the appropriate deployment for the configuration saseline that you created. Right-click on the deployment and select **View Status**.
-27. Click **Run Summarization** and then click **Refresh**. On the Non-Compliant tab, the test device(s) should be listed.
+26. To view the DUReport content, select the appropriate deployment for the configuration baseline that you created. Right-click on the deployment, and then select **View Status**.
+27. Select **Run Summarization**, and then select **Refresh**. The test device(s) should be listed on the **Non-Compliant** tab.
28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**.
-29. In the Non-compliant tab, you will see the DUReport, but you cannot retrieve the content from here.
+29. On the **Non-compliant** tab, you can see the DUReport, but you cannot retrieve the content from here.
-30. To retrieve the DUReport, open an Explorer windows to C:\\Program Files\\SMS\_CCM\\SMS\_DM.log.
-31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz" where zzz is the dummy value. Just above this copy the information for UpdateData and use this information to create the DUControlledUpdates.xml.
+30. To retrieve the DUReport, open C:\\Program Files\\SMS\_CCM\\SMS\_DM.log.
+31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz," where zzz is the dummy value. Just above this, copy the information for UpdateData and use this information to create the DUControlledUpdates.xml.
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index b03d28832e..f45e20d377 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 07/29/2019
+ms.date:
ms.reviewer:
manager: dansimp
---
@@ -80,7 +80,7 @@ The following steps demonstrate required settings using the Intune service:
-7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is properly deployed to all devices which should be enrolled into Intune.
+7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune.
You may contact your domain administrators to verify if the group policy has been deployed successfully.
8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal).
@@ -114,7 +114,7 @@ Requirements:
-5. Click **Enable**, then click **OK**.
+5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**.
> [!NOTE]
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
@@ -165,27 +165,43 @@ Requirements:
- Enterprise AD must be integrated with Azure AD.
- Ensure that PCs belong to same computer group.
-[!IMPORTANT]
-If you do not see the policy, it may be because you don’t have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):
- 1. Download:
- 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or
- 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
- 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
- 2. Install the package on the Domain Controller.
- 3. Navigate, depending on the version to the folder:
- 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or
- 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or
- 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
- 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
- 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**.
- (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
- 6. Restart the Domain Controller for the policy to be available.
+> [!IMPORTANT]
+> If you do not see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible.
- This procedure will work for any future version as well.
+1. Download:
+
+ - 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880)
+
+ - 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576)
+
+ - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
+
+2. Install the package on the Domain Controller.
+
+3. Navigate, depending on the version to the folder:
+
+ - 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**
+
+ - 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**
+
+ - 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
+
+4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
+
+5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**.
+
+ If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain.
+
+6. Restart the Domain Controller for the policy to be available.
+
+This procedure will work for any future version as well.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
+
2. Create a Security Group for the PCs.
+
3. Link the GPO.
+
4. Filter using Security Groups.
## Troubleshoot auto-enrollment of devices
@@ -194,7 +210,7 @@ Investigate the log file if you have issues even after performing all the mandat
To collect Event Viewer logs:
1. Open Event Viewer.
-2. Navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin.
+2. Navigate to **Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin**.
> [!Tip]
> For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc).
@@ -208,14 +224,14 @@ To collect Event Viewer logs:
To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for more information.
- The auto-enrollment did not trigger at all. In this case, you will not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section.
- The auto-enrollment process is triggered by a task (Microsoft > Windows > EnterpriseMgmt) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is successfully deployed to the target machine as shown in the following screenshot:
+ The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot:
> [!Note]
> This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task.
This task runs every 5 minutes for the duration of 1 day. To confirm if the task succeeded, check the task scheduler event logs:
- Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational.
+ **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**.
Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107.
@@ -226,11 +242,11 @@ To collect Event Viewer logs:
Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment.
If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required.
- One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (HKLM > Software > Microsoft > Enrollments). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
+ One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
- By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational event log file under event ID 7016.
+ By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016.
A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display less entries as shown in the following screenshot:
diff --git a/windows/client-management/mdm/images/Provisioning_CSP_Defender.png b/windows/client-management/mdm/images/Provisioning_CSP_Defender.png
deleted file mode 100644
index 6ee31a8f16..0000000000
Binary files a/windows/client-management/mdm/images/Provisioning_CSP_Defender.png and /dev/null differ
diff --git a/windows/client-management/mdm/images/autoenrollment-policy.png b/windows/client-management/mdm/images/autoenrollment-policy.png
index 61421babee..1de089a0c6 100644
Binary files a/windows/client-management/mdm/images/autoenrollment-policy.png and b/windows/client-management/mdm/images/autoenrollment-policy.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-defender.png b/windows/client-management/mdm/images/provisioning-csp-defender.png
index 793b1568ff..ccf57208df 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-defender.png and b/windows/client-management/mdm/images/provisioning-csp-defender.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png b/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png
index 5d8eaab42f..5896b7c1df 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png and b/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png differ
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
index 44d416b67a..aef061ccd2 100644
--- a/windows/client-management/mdm/index.md
+++ b/windows/client-management/mdm/index.md
@@ -33,7 +33,7 @@ With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM secur
The MDM security baseline includes policies that cover the following areas:
-- Microsoft inbox security technology (not deprecated) such as Bitlocker, Windows Defender Smartscreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall
+- Microsoft inbox security technology (not deprecated) such as BitLocker, Windows Defender SmartScreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall
- Restricting remote access to devices
- Setting credential requirements for passwords and PINs
- Restricting use of legacy technology
@@ -42,12 +42,13 @@ The MDM security baseline includes policies that cover the following areas:
For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see:
+- [MDM Security baseline for Windows 10, version 2004](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/2004-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 1909](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1909-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 1903](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1903-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip)
-For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows)
+For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows).
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index eb3f8eb24e..5e23762281 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -562,11 +562,11 @@ The following diagram shows the Policy configuration service provider in tree fo
-### Bitlocker policies
+### BitLocker policies
@@ -4061,6 +4061,9 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md)
- [ADMX-backed policy CSPs](policy-csps-admx-backed.md)
+> [!NOTE]
+> Not all Policy CSPs supported by Group Policy are ADMX-backed. For more details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
## Policy CSPs supported by HoloLens devices
- [Policy CSPs supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
- [Policy CSPs supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index bcc38faea5..ebc28b415c 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -161,14 +161,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index 83d4831dcb..fad4a74ad7 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -248,14 +248,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index 7a981c49d8..9c2b674cee 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -103,14 +103,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 8171271589..ccc641c6a3 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -219,14 +219,14 @@ This setting supports a range of values between 0 and 1.
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index b2bfd70f15..6b55aa34e3 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -1102,13 +1102,13 @@ XSD:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md
index faf5c4b079..6e15e10e88 100644
--- a/windows/client-management/mdm/policy-csp-appruntime.md
+++ b/windows/client-management/mdm/policy-csp-appruntime.md
@@ -101,14 +101,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index e995b03a11..29788ea127 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -2060,14 +2060,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index b68b6cc6cc..cb2130e778 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -253,14 +253,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index a789c492c3..ffd4519182 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -4794,14 +4794,14 @@ The following are the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 09c3eaa3ce..96f9787790 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -569,14 +569,14 @@ Value type is string.
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
index bf7a6a2b3c..36a05de8df 100644
--- a/windows/client-management/mdm/policy-csp-autoplay.md
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -269,14 +269,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
index 751c0e3c9c..2f4c7acf11 100644
--- a/windows/client-management/mdm/policy-csp-bitlocker.md
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -97,14 +97,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md
index 9024caaee9..2bcc10ea45 100644
--- a/windows/client-management/mdm/policy-csp-bits.md
+++ b/windows/client-management/mdm/policy-csp-bits.md
@@ -542,14 +542,14 @@ Supported values range: 0 - 999
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 74dbe86c25..28123a7dc0 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -460,14 +460,14 @@ For more information on allowed key sizes, refer to Bluetooth Core Specification
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 3f68b4b8cb..206e99f3db 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -4297,13 +4297,13 @@ Most restricted value: 0
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index 98202881f8..0def6900f0 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -99,14 +99,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index dfd4e76549..3d156b1c89 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -372,14 +372,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index 5a058b41e4..ee83ad3d00 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -1020,14 +1020,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index d3c88d948c..a822c7a831 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -118,14 +118,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index d9cc3f9647..425fcf361a 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -243,14 +243,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
index e59b5c4f9b..c8416c3bb9 100644
--- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md
+++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
@@ -103,14 +103,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index 7a91173c71..349800035d 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -179,14 +179,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 536c9f26f4..55ceb74581 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -166,14 +166,14 @@ Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index 48da5e5f49..4c71a876a5 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -152,14 +152,14 @@ Setting used by Windows 8.1 Selective Wipe.
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index f77f3b029f..28f919ead9 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -123,14 +123,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 5898f5bb48..c2fb83fe51 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -1725,14 +1725,14 @@ Valid values: 0–90
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
+If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
-If you enable this setting, catch-up scans for scheduled full scans will be disabled.
+If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.
Supported values:
-- 0 - Disabled
-- 1 - Enabled (default)
+- 1 - Disabled (default)
+- 0 - Enabled
OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupFullScan
@@ -1811,8 +1811,8 @@ If you disable or do not configure this setting, catch-up scans for scheduled qu
Supported values:
-- 0 - Disabled
-- 1 - Enabled (default)
+- 1 - Disabled (default)
+- 0 - Enabled
OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupQuickScan
@@ -3101,14 +3101,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 902ef8e8be..bdf3985bb6 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -2027,14 +2027,14 @@ This policy allows an IT Admin to define the following:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 5bd60e0feb..0ade992a1d 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -101,14 +101,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index c728512377..163655f59f 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -317,14 +317,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
index 3d3d4bb035..8277ae0425 100644
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@@ -227,14 +227,14 @@ In most cases, an IT Pro does not need to define this policy. Instead, it is exp
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 7cd828fb5c..5d67b14d8d 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -946,14 +946,14 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 295364f046..f95a796932 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -1119,14 +1119,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index e0c4a7e431..9645a371ac 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -393,14 +393,14 @@ To validate on Desktop, do the following:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
index 0f3bb358f2..e5511ffaa0 100644
--- a/windows/client-management/mdm/policy-csp-dmaguard.md
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -113,14 +113,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index df04232bea..9e12bc04e4 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -274,14 +274,14 @@ The policy value is expected to be a `````` separated list of printer na
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
index 9916989938..c450267337 100644
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -376,14 +376,14 @@ The default value is an empty string. Otherwise, the value should contain a URL.
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index 751350e7ae..79bbb1b92f 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -407,14 +407,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index 36e7be1042..17080a877e 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -322,14 +322,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index f00b37efad..ff50088666 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -1492,14 +1492,14 @@ Supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index 4a13105f17..1e1b072f7d 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -120,14 +120,14 @@ Here is an example:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md
index 0b74f58211..993073f411 100644
--- a/windows/client-management/mdm/policy-csp-fileexplorer.md
+++ b/windows/client-management/mdm/policy-csp-fileexplorer.md
@@ -166,14 +166,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index eb633b2e2e..63eb04a5c3 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -89,14 +89,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index 00a2e84360..8893695276 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -103,14 +103,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index 4a4b22eef5..a1b9bb2b78 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -19457,14 +19457,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 19eb607a74..06023ba3f8 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -464,14 +464,14 @@ Devices joined to Azure Active Directory in a hybrid environment need to interac
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index 4275bfaa7a..5bbe648950 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -429,14 +429,14 @@ The value is an int 1-1440 that specifies the amount of minutes the session is i
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
index e4183f08b5..011b60a5d7 100644
--- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
@@ -100,14 +100,14 @@ This setting supports a range of values between 0 and 1.
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index d99c044bcb..c4e988fd6d 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -166,14 +166,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 1426fad1c3..8920a8ba90 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -3834,13 +3834,13 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index 0858f3de45..81f3ae2ca6 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -99,14 +99,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index 1824c9956a..87ede82676 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -164,14 +164,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index 5887db04eb..43fe8e0e47 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -98,14 +98,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md
index 15c99eedf9..7835ef3d3c 100644
--- a/windows/client-management/mdm/policy-csp-mssecurityguide.md
+++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md
@@ -424,14 +424,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md
index 768f18e3e2..ad6734ce70 100644
--- a/windows/client-management/mdm/policy-csp-msslegacy.md
+++ b/windows/client-management/mdm/policy-csp-msslegacy.md
@@ -292,14 +292,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 0613b4b8d8..3f42c5653f 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -544,14 +544,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 76818866d9..fb3651acb0 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -264,14 +264,14 @@ Validation:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 377bc2e1b2..5da2930e76 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -1731,14 +1731,14 @@ Default value for unattended sleep timeout (plugged in):
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index 315f762dff..e93f27025d 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -287,14 +287,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 52e0e7fde5..9b20cf82c2 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -5964,14 +5964,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index e36df3ff42..39e59b9ba2 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -371,14 +371,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index 5f404f8750..e4fefcbc62 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -498,14 +498,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index 692699bfb9..6c88c68b12 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -1152,14 +1152,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index dde7ff458c..d6b5c1ab71 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -190,14 +190,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index e233f89f47..534584eca6 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -543,14 +543,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 24b822bab5..86a64acdd0 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -170,13 +170,13 @@ The following table describes how this policy setting behaves in different Windo
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 340ced4d5b..e23ac51307 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -959,14 +959,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index 03d507debd..81eb2aa84e 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -707,14 +707,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
index 337b071faf..f1ac63ed5f 100644
--- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
+++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
@@ -112,14 +112,14 @@ Supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 63725c1e2e..6052b904e8 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -897,13 +897,13 @@ To validate on Desktop, do the following:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 0c11e9b882..2c2fceffc1 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -239,14 +239,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index 3e6b2173c0..aca2851f58 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -97,14 +97,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 1431f9c0b2..31872e9f67 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -2094,14 +2094,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index 823f724dd8..0afd39b6c8 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -731,14 +731,14 @@ See [Use custom settings for Windows 10 devices in Intune](https://docs.microsof
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 84be3c8c4d..73f8d6586a 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -861,14 +861,11 @@ The following list shows the supported values:
-Allow the device to send diagnostic and usage telemetry data, such as Watson.
+Allows the device to send diagnostic and usage telemetry data, such as Watson.
For more information about diagnostic data, including what is and what is not collected by Windows, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
-The following tables describe the supported values:
-
-Windows 8.1 Values:
-
+The following list shows the supported values for Windows 8.1:
- 0 - Not allowed.
- 1 – Allowed, except for Secondary Data Requests.
- 2 (default) – Allowed.
@@ -896,13 +893,12 @@ Windows 8.1 Values:
-->
-Windows 10 Values:
-
-- 0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
- Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
-- 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.
-- 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.
-- 3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.
+In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. The following list shows the supported values for Windows 10:
+- 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender.
+ **Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
+- 1 – (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data.
+- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data.
+- 3 – (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices.
+
+The following list shows the supported values:
+- 0 (default) - Enable telemetry change notifications
+- 1 - Disable telemetry change notifications
+
@@ -1413,7 +1414,7 @@ If you set this policy setting to "Disable Telemetry opt-in Settings", telemetry
If you set this policy setting to "Enable Telemetry opt-in Settings" or don't configure this policy setting, people can change their own telemetry levels in Settings.
> [!Note]
-> Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's limit.
+> Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's acceptable level of data disclosure.
@@ -1425,6 +1426,11 @@ ADMX Info:
- GP ADMX file name: *DataCollection.admx*
+
+The following list shows the supported values:
+- 0 (default) - Enable Telemetry opt-in Settings
+- 1 - Disable Telemetry opt-in Settings
+
@@ -2058,14 +2064,13 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
-
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index 8318b0cc11..19836d1ca5 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -388,14 +388,14 @@ GP Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md
index 186e946c60..9787467c21 100644
--- a/windows/client-management/mdm/policy-csp-taskmanager.md
+++ b/windows/client-management/mdm/policy-csp-taskmanager.md
@@ -97,14 +97,14 @@ When the policy is set to 0 - users CANNOT execute 'End task' on processes in Ta
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md
index 2e1ccf2db8..44a8f08bdd 100644
--- a/windows/client-management/mdm/policy-csp-taskscheduler.md
+++ b/windows/client-management/mdm/policy-csp-taskscheduler.md
@@ -82,13 +82,13 @@ Added in Windows 10, version 1803. This setting determines whether the specific
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index 79e47c91f8..e1799a0c16 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -1708,14 +1708,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index 506b7fce62..d029929145 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -91,14 +91,14 @@ Specifies the time zone to be applied to the device. This is the standard Window
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md
index 125cc2149f..881b9b3a43 100644
--- a/windows/client-management/mdm/policy-csp-troubleshooting.md
+++ b/windows/client-management/mdm/policy-csp-troubleshooting.md
@@ -140,14 +140,14 @@ By default, this policy is not configured and the SKU based defaults are used fo
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 7fd2c3cd5a..d9187a1854 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3256,7 +3256,7 @@ The following list shows the supported values:
> [!NOTE]
-> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
+> This policy is *only* recommended for managing mobile devices. If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
@@ -4442,14 +4442,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 69a0f091d0..73f3dfd843 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -1881,12 +1881,12 @@ GP Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index 1d300f2268..770316e0bc 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -436,14 +436,14 @@ Supported operations are Add, Delete, Get, and Replace.
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
index 12e05d914f..4cbed0f5f3 100644
--- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
+++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
@@ -109,14 +109,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index ab032c05be..d2c74ba941 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -1602,14 +1602,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index 3306ca9d6e..bc97e2e774 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -168,14 +168,14 @@ Value type is int. The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index ec19f8ef3e..d3793a4bb7 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -606,14 +606,14 @@ To validate on Desktop, do the following:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md
index 7ad19cb828..cc4f87b917 100644
--- a/windows/client-management/mdm/policy-csp-windowspowershell.md
+++ b/windows/client-management/mdm/policy-csp-windowspowershell.md
@@ -106,14 +106,14 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index e261f4ec6b..eb74f99772 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -540,14 +540,14 @@ The following list shows the supported values:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens2.md b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md
index 0a0040f58c..e5cdb0f0ca 100644
--- a/windows/client-management/mdm/policy-csps-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md
@@ -97,14 +97,14 @@ ms.date: 05/11/2020
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-- 7 - Added in Windows 10, version 1909.
-- 8 - Added in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
## Related topics
diff --git a/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md b/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md
index ec48042286..1d89eb88de 100644
--- a/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md
@@ -9,11 +9,15 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 07/18/2019
+ms.date: 07/22/2020
---
# Policy CSPs supported by Microsoft Surface Hub
+
+- [ApplicationManagement/AllowAppStoreAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowdeveloperunlock)
+- [Accounts/AllowMicrosoftAccountConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection)
- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
@@ -61,6 +65,7 @@ ms.date: 07/18/2019
- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md)
- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)
@@ -72,7 +77,21 @@ ms.date: 07/18/2019
- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208andeudc)
- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#textinput-excludejapaneseimeexceptshiftjis)
+- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
+- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
- [WiFi/AllowWiFiHotSpotReporting](policy-csp-wifi.md#wifi-allowwifihotspotreporting)
+- [WiFi/WLANScanMode](policy-csp-wifi.md#wifi-wlanscanmode)
+- [Wifi/AllowWiFiDirect](policy-csp-wifi.md#wifi-allowwifidirect)
+- [WirelessDisplay/AllowMdnsAdvertisement](policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsadvertisement)
+- [WirelessDisplay/AllowMdnsDiscovery](policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsdiscovery)
+- [WirelessDisplay/AllowProjectionFromPC](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectionfrompc)
+- [WirelessDisplay/AllowProjectionFromPCOverInfrastructure](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectionfrompcoverinfrastructure)
+- [WirelessDisplay/AllowProjectionToPC](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc)
+- [WirelessDisplay/AllowProjectionToPCOverInfrastructure](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopcoverinfrastructure)
+- [WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver](policy-csp-wirelessdisplay.md#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver)
+- [WirelessDisplay/RequirePinForPairing](policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing)
+
## Related topics
diff --git a/windows/client-management/mdm/registry-csp.md b/windows/client-management/mdm/registry-csp.md
index 61d34774a7..38bd56ba6d 100644
--- a/windows/client-management/mdm/registry-csp.md
+++ b/windows/client-management/mdm/registry-csp.md
@@ -17,7 +17,8 @@ ms.date: 06/26/2017
The Registry configuration service provider is used to update registry settings. However, if there is configuration service provider that is specific to the settings that need to be updated, use the specific configuration service provider.
-> **Note** The Registry CSP is only supported in Windows 10 Mobile for OEM configuration. Do not use this CSP for enterprise remote management.
+> [!NOTE]
+> The Registry CSP is only supported in Windows 10 Mobile for OEM configuration. Do not use this CSP for enterprise remote management.
For Windows 10 Mobile only, this configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
@@ -32,13 +33,12 @@ For OMA Client Provisioning, the follows notes apply:
- This documentation describes the default characteristics. Additional characteristics may be added.
-- Because the **Registry** configuration service provider uses the backslash (\) character as a separator between key names, backslashes which occur in the name of a registry key must be escaped. Backslashes can be escaped by using two sequential backslashes (\\\).
+- Because the **Registry** configuration service provider uses the backslash (\\) character as a separator between key names, backslashes which occur in the name of a registry key must be escaped. Backslashes can be escaped by using two sequential backslashes (\\\\).
The default security role maps to each subnode unless specific permission is granted to the subnode. The security role for subnodes is implementation specific, and can be changed by OEMs and mobile operators.
## Microsoft Custom Elements
-
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
@@ -75,11 +75,10 @@ The following table shows the Microsoft custom elements that this configuration
-
Use these elements to build standard OMA Client Provisioning configuration XML. For information about specific elements, see MSPROV DTD elements.
-## Supported Data Types
+## Supported Data Types
The following table shows the data types this configuration service provider supports.
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index bacfd4f923..310b0192c6 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -16,6 +16,9 @@ ms.date: 02/23/2018
The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
+> [!Note]
+> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
+
The following diagram shows the Update configuration service provider in tree format.
diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md
index eecc7c7075..c0e32c95b7 100644
--- a/windows/client-management/mdm/vpnv2-profile-xsd.md
+++ b/windows/client-management/mdm/vpnv2-profile-xsd.md
@@ -1,25 +1,23 @@
---
title: ProfileXML XSD
-description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples.
+description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples.
ms.assetid: 2F32E14B-F9B9-4760-AE94-E57F1D4DFDB3
-ms.reviewer:
+ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 02/05/2018
+ms.date: 07/14/2020
---
# ProfileXML XSD
-
-Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples.
+Here's the XSD for the ProfileXML node in the VPNv2 CSP and VpnManagementAgent::AddProfileFromXmlAsync for Windows 10 and some profile examples.
## XSD for the VPN profile
-
```xml
@@ -27,6 +25,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
+
@@ -36,6 +35,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
+
@@ -51,15 +51,15 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
-
+
-
-
-
-
+
+
+
+
@@ -89,7 +89,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
-
+
@@ -109,13 +109,20 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
+
-
+
+
+
+
+
+
+
@@ -123,6 +130,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
+
@@ -134,6 +142,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
+
@@ -148,34 +157,37 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
+
@@ -187,16 +199,79 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
## Native profile example
+```xml
+
+ corp.contoso.com
+ true
+ false
+ corp.contoso.com
+ contoso.com
-```
-
-
- testServer.VPN.com
- IKEv2
-
- Eap
-
-
+
+ Helloworld.Com
+
+ HelloServer
+
+
+
+
+ true
+
+ true
+ This is my Eku
+ This is my issuer hash
+
+
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+
+
+
+ C:\windows\system32\ping.exe
+
+
+
+
+ hrsite.corporate.contoso.com
+ 1.2.3.4,5.6.7.8
+ 5.5.5.5
+ true
+
+
+ .corp.contoso.com
+ 10.10.10.10,20.20.20.20
+ 100.100.100.100
+
+
+
+
+ %ProgramFiles%\Internet Explorer\iexplore.exe
+
+ 6
+ 10,20-50,100-200
+ 20-50,100-200,300
+ 30.30.0.0/16,10.10.10.10-20.20.20.20
+ ForceTunnel
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+ 3.3.3.3/32,1.1.1.1-2.2.2.2
+
+
+
+ testServer.VPN.com
+ SplitTunnel
+ IKEv2
+ true
+
+ Eap
+
+ 25
@@ -261,178 +336,110 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
-
-
- SplitTunnel
- true
-
-
-
- 192.168.0.0
- 24
-
-
- 10.10.0.0
- 16
-
-
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
-
-
-
- C:\windows\system32\ping.exe
-
-
-
-
-
-
- %ProgramFiles%\Internet Explorer\iexplore.exe
-
- 6
- 10,20-50,100-200
- 20-50,100-200,300
- 30.30.0.0/16,10.10.10.10-20.20.20.20
- ForceTunnel
-
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
- 3.3.3.3/32,1.1.1.1-2.2.2.2
-
-
-
-
- hrsite.corporate.contoso.com
- 1.2.3.4,5.6.7.8
- 5.5.5.5
- true
-
-
- .corp.contoso.com
- 10.10.10.10,20.20.20.20
- 100.100.100.100
-
-
- corp.contoso.com
- true
- false
- corp.contoso.com
- contoso.com
-
-
- HelloServer
-
- Helloworld.Com
-
-
-
- true
-
- true
- This is my Eku
- This is my issuer hash
-
-
-
+
+
+
+
+
+ 192.168.0.0
+ 24
+
+
+ 10.10.0.0
+ 16
+
+
```
## Plug-in profile example
-
```xml
-
- testserver1.contoso.com;testserver2.contoso..com
- JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy
- true
-
-
- 192.168.0.0
- 24
-
-
- 10.10.0.0
- 16
-
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
-
-
-
- %ProgramFiles%\Internet Explorer\iexplore.exe
-
-
-
-
- %ProgramFiles%\Internet Explorer\iexplore.exe
-
- 6
- 10,20-50,100-200
- 20-50,100-200,300
- 30.30.0.0/16,10.10.10.10-20.20.20.20
-
-
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
- 3.3.3.3/32,1.1.1.1-2.2.2.2
-
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
- O:SYG:SYD:(A;;CC;;;AU)
-
-
-
- corp.contoso.com
- 1.2.3.4,5.6.7.8
- 5.5.5.5
- false
-
-
- corp.contoso.com
- 10.10.10.10,20.20.20.20
- 100.100.100.100
-
-
- true
- false
- false
- false
- corp.contoso.com
- contoso.com,test.corp.contoso.com
-
-
- HelloServer
-
- Helloworld.Com
-
-
-
-
-
-
-
-
-
-
-```
+
+ true
+ false
+ corp.contoso.com
+ contoso.com,test.corp.contoso.com
+ false
+ false
-
+
+ Helloworld.Com
+
+ HelloServer
+
-
+
+
+
+
+
+
+ true
+
+
+
+ testserver1.contoso.com;testserver2.contoso..com
+ true
+ JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+
+
+
+ %ProgramFiles%\Internet Explorer\iexplore.exe
+
+
+
+ corp.contoso.com
+ 1.2.3.4,5.6.7.8
+ 5.5.5.5
+ false
+
+
+ corp.contoso.com
+ 10.10.10.10,20.20.20.20
+ 100.100.100.100
+
+
+
+ %ProgramFiles%\Internet Explorer\iexplore.exe
+
+ 6
+ 10,20-50,100-200
+ 20-50,100-200,300
+ 30.30.0.0/16,10.10.10.10-20.20.20.20
+
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+ 3.3.3.3/32,1.1.1.1-2.2.2.2
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+ O:SYG:SYD:(A;;CC;;;AU)
+
+
+
+ 192.168.0.0
+ 24
+
+
+ 10.10.0.0
+ 16
+
+
+```
\ No newline at end of file
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 28421dc466..63373c2a34 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -1,22 +1,19 @@
---
title: WindowsDefenderApplicationGuard CSP
-description: Configure the settings in Windows Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP).
+description: Configure the settings in Microsoft Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 09/10/2018
+ms.date: 07/07/2020
ms.reviewer:
manager: dansimp
---
# WindowsDefenderApplicationGuard CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Windows Defender Application Guard. This CSP was added in Windows 10, version 1709.
+The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.
The following diagram shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
@@ -29,129 +26,275 @@ Root node. Supported operation is Get.
Interior node. Supported operation is Get.
**Settings/AllowWindowsDefenderApplicationGuard**
-Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Turn on Microsoft Defender Application Guard in Enterprise Mode.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+The following list shows the supported values:
- 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment.
- 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container.
**Settings/ClipboardFileType**
-Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Determines the type of content that can be copied from the host to Application Guard environment and vice versa.
-- 0 - Disables content copying.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+The following list shows the supported values:
- 1 - Allow text copying.
- 2 - Allow image copying.
- 3 - Allow text and image copying.
-**Settings/ClipboardSettings**
-This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete
+
+ADMX Info:
+- GP English name: *Configure Microsoft Defender Application Guard clipboard settings*
+- GP name: *AppHVSIClipboardFileType*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
+
+**Settings/ClipboardSettings**
+This policy setting allows you to decide how the clipboard behaves while in Application Guard.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+The following list shows the supported values:
- 0 (default) - Completely turns Off the clipboard functionality for the Application Guard.
-- 1 - Turns On clipboard operation from an isolated session to the host
-- 2 - Turns On clipboard operation from the host to an isolated session
-- 3 - Turns On clipboard operation in both the directions
+- 1 - Turns On clipboard operation from an isolated session to the host.
+- 2 - Turns On clipboard operation from the host to an isolated session.
+- 3 - Turns On clipboard operation in both the directions.
> [!IMPORTANT]
> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
+
+ADMX Info:
+- GP English name: *Configure Microsoft Defender Application Guard clipboard settings*
+- GP name: *AppHVSIClipboardSettings*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
+
+
**Settings/PrintingSettings**
-This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-- 0 - Disables all print functionality (default)
-- 1 - Enables only XPS printing
-- 2 - Enables only PDF printing
-- 3 - Enables both PDF and XPS printing
-- 4 - Enables only local printing
-- 5 - Enables both local and XPS printing - 6 - Enables both local and PDF printing
-- 7 - Enables local, PDF, and XPS printing
-- 8 - Enables only network printing
-- 9 - Enables both network and XPS printing
-- 10 - Enables both network and PDF printing
-- 11 - Enables network, PDF, and XPS printing
-- 12 - Enables both network and local printing
-- 13 - Enables network, local, and XPS printing
-- 14 - Enables network, local, and PDF printing
-- 15 - Enables all printing
-
-**Settings/BlockNonEnterpriseContent**
-This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge..
-- 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard.
-
-**Settings/AllowPersistence**
-This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
-- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
-
-**Settings/AllowVirtualGPU**
-Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual GPU to process graphics. Supported operations are Add, Get, Replace, and Delete. Value type is integer.
-
-- 0 (default) - Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0).
-- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.
-
-**Settings/SaveFilesToHost**
-Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. Supported operations are Add, Get, Replace, and Delete. Value type is integer.
-
-- 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0).
-- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
-
-**Settings/FileTrustCriteria**
-Placeholder for future use. Do not use in production code.
-
-**Settings/FileTrustOriginRemovableMedia**
-Placeholder for future use. Do not use in production code.
-
-**Settings/FileTrustOriginNetworkShare**
-Placeholder for future use. Do not use in production code.
-
-**Settings/FileTrustOriginMarkOfTheWeb**
-Placeholder for future use. Do not use in production code.
-
-**Settings/CertificateThumbprints**
-Added in Windows 10, version 1809. This policy setting allows certain Root Certificates to be shared with the Windows Defender Application Guard container.
-
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. You can specify multiple certificates using a comma to separate the thumbprints for each certificate you want to transfer.
-
-Example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924
-
-If you disable or don’t configure this setting, certificates are not shared with the Windows Defender Application Guard container.
-
-**Settings/AllowCameraMicrophoneRedirection**
-Added in Windows 10, version 1809. The policy allows you to determine whether applications inside Windows Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device.
+This policy setting allows you to decide how the print functionality behaves while in Application Guard.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-If you enable this policy, applications inside Windows Defender Application Guard will be able to access the camera and microphone on the user’s device.
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
-If you disable or don't configure this policy, applications inside Windows Defender Application Guard will be unable to access the camera and microphone on the user’s device.
+The following list shows the supported values:
+- 0 (default) - Disables all print functionality.
+- 1 - Enables only XPS printing.
+- 2 - Enables only PDF printing.
+- 3 - Enables both PDF and XPS printing.
+- 4 - Enables only local printing.
+- 5 - Enables both local and XPS printing.
+- 6 - Enables both local and PDF printing.
+- 7 - Enables local, PDF, and XPS printing.
+- 8 - Enables only network printing.
+- 9 - Enables both network and XPS printing.
+- 10 - Enables both network and PDF printing.
+- 11 - Enables network, PDF, and XPS printing.
+- 12 - Enables both network and local printing.
+- 13 - Enables network, local, and XPS printing.
+- 14 - Enables network, local, and PDF printing.
+- 15 - Enables all printing.
+
+
+ADMX Info:
+- GP English name: *Configure Microsoft Defender Application Guard print settings*
+- GP name: *AppHVSIPrintingSettings*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
+
+
+**Settings/BlockNonEnterpriseContent**
+This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+The following list shows the supported values:
+- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
+- 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard.
+
+> [!NOTE]
+> This policy setting is no longer supported in the new Microsoft Edge browser.
+
+
+ADMX Info:
+- GP English name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer*
+- GP name: *BlockNonEnterpriseContent*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
+
+
+**Settings/AllowPersistence**
+This policy setting allows you to decide whether data should persist across different sessions in Application Guard.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+The following list shows the supported values:
+- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
+- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
+
+
+ADMX Info:
+- GP English name: *Allow data persistence for Microsoft Defender Application Guard*
+- GP name: *AllowPersistence*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
+
+
+**Settings/AllowVirtualGPU**
+Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering.
+
+The following list shows the supported values:
+- 0 (default) - Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0).
+- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.
+
+> [!WARNING]
+> Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
+
+
+ADMX Info:
+- GP English name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard*
+- GP name: *AllowVirtualGPU*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
+
+
+**Settings/SaveFilesToHost**
+Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+The following list shows the supported values:
+- 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0).
+- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
+
+
+ADMX Info:
+- GP English name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard*
+- GP name: *SaveFilesToHost*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
+
+
+**Settings/CertificateThumbprints**
+Added in Windows 10, version 1809. This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer.
+
+Here's an example:
+b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924
+
+If you disable or don’t configure this setting, certificates are not shared with the Microsoft Defender Application Guard container.
+
+
+ADMX Info:
+- GP English name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device*
+- GP name: *CertificateThumbprints*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
+
+
+**Settings/AllowCameraMicrophoneRedirection**
+Added in Windows 10, version 1809. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the user’s device.
+
+If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user’s device.
+
+The following list shows the supported values:
+- 0 (default) - Microsoft Defender Application Guard cannot access the device’s camera and microphone. When the policy is not configured, it is the same as disabled (0).
+- 1 - Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone.
> [!IMPORTANT]
-> If you turn on this policy, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.
+> If you turn on this policy setting, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.
+
+
+ADMX Info:
+- GP English name: *Allow camera and microphone access in Microsoft Defender Application Guard*
+- GP name: *AllowCameraMicrophoneRedirection*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
+
**Status**
-Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get.
+Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device.
-- Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode
-- Bit 1 - Set to 1 when the client machine is Hyper-V capable
-- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU
-- Bit 3 - Set to 1 when WDAG installed on the client machine
-- Bit 4 - Set to 1 when required Network Isolation Policies are configured
-- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements
+Value type is integer. Supported operation is Get.
+
+- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
+- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
+- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
+- Bit 3 - Set to 1 when Application Guard installed on the client machine.
+- Bit 4 - Set to 1 when required Network Isolation Policies are configured.
+- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
+- Bit 6 - Set to 1 when system reboot is required.
+
+**PlatformStatus**
+Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device.
+
+Value type is integer. Supported operation is Get.
+
+- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
+- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
+- Bit 2 - Reserved for Microsoft.
+- Bit 3 - Set to 1 when Application Guard is installed on the client machine.
+- Bit 4 - Reserved for Microsoft.
+- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
**InstallWindowsDefenderApplicationGuard**
-Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.
+Initiates remote installation of Application Guard feature.
-- Install - Will initiate feature install
-- Uninstall - Will initiate feature uninstall
+Supported operations are Get and Execute.
+
+The following list shows the supported values:
+- Install - Will initiate feature install.
+- Uninstall - Will initiate feature uninstall.
**Audit**
-Interior node. Supported operation is Get
+Interior node. Supported operation is Get.
**Audit/AuditApplicationGuard**
-This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete.
+This policy setting allows you to decide whether auditing events can be collected from Application Guard.
-- 0 (default) - - Audit event logs aren't collected for Application Guard.
-- 1 - Application Guard inherits its auditing policies from Microsoft Edge and starts to audit system events specifically for Application Guard.
+Value type in integer. Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+The following list shows the supported values:
+- 0 (default) - Audit event logs aren't collected for Application Guard.
+- 1 - Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.
+
+
+ADMX Info:
+- GP English name: *Allow auditing events in Microsoft Defender Application Guard*
+- GP name: *AuditApplicationGuard*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
+
\ No newline at end of file
diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md
index 739c11d55d..f708897928 100644
--- a/windows/client-management/troubleshoot-tcpip-netmon.md
+++ b/windows/client-management/troubleshoot-tcpip-netmon.md
@@ -16,6 +16,9 @@ manager: dansimp
In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic.
+> [Note]
+> Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](https://docs.microsoft.com/message-analyzer/microsoft-message-analyzer-operating-guide).
+
To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image.
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index 7017e40876..e8a8cb2a19 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -12,7 +12,7 @@ ms.sitesec: library
ms.pagetype: mobile, devices, security
ms.localizationpriority: medium
author: dansimp
-ms.date: 01/26/2019
+ms.date:
ms.topic: article
---
@@ -24,7 +24,7 @@ ms.topic: article
This guide helps IT professionals plan for and deploy Windows 10 Mobile devices.
Employees increasingly depend on smartphones to complete daily work tasks, but these devices introduce unique management and security challenges. Whether providing corporate devices or allowing people to use their personal devices, IT needs to deploy and manage mobile devices and apps quickly to meet business goals. However, they also need to ensure that the apps and data on those mobile devices are protected against cybercrime or loss. Windows 10 Mobile helps organizations directly address these challenges with robust, flexible, built-in mobile device and app management technologies.
-Windows 10 supports end-to-end device lifecycle management to give companies control over their devices, data, and apps. Devices can easily be incorporated into standard lifecycle practices, from device enrollment, configuration, and application management to maintenance, monitoring, and retirement using a comprehensive mobile device management solution.
+Windows 10 supports end-to-end device lifecycle management to give companies control over their devices, data, and apps. Devices can easily be incorporated into standard lifecycle practices, from device enrollment, configuration, and application management to maintenance, monitoring, and retirement, by using a comprehensive mobile device management solution.
**In this article**
- [Deploy](#deploy)
@@ -36,8 +36,8 @@ Windows 10 supports end-to-end device lifecycle management to give companies con
## Deploy
-Windows 10 Mobile has a built-in device management client to deploy, configure, maintain, and support smartphones. Common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT), this client provides a single interface through which Mobile Device Management (MDM) solutions can manage any device that runs Windows 10. Because the MDM client integrates with identity management, the effort required to manage devices throughout the lifecycle is greatly reduced.
-Windows 10 includes comprehensive MDM capabilities that can be managed by Microsoft management solutions, such as Microsoft Intune or Microsoft Endpoint Configuration Manager, as well as many third-party MDM solutions. There is no need to install an additional, custom MDM app to enroll devices and bring them under MDM control. All MDM system vendors have equal access to Windows 10 Mobile device management application programming interfaces (APIs), giving IT organizations the freedom to select whichever system best fits their management requirements, whether Microsoft Intune or a third-party MDM product. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=734050).
+Windows 10 Mobile has a built-in device management client to deploy, configure, maintain, and support smartphones. Common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT), this client provides a single interface through which mobile device management (MDM) solutions can manage any device that runs Windows 10. Because the MDM client integrates with identity management, the effort required to manage devices throughout the lifecycle is greatly reduced.
+Windows 10 includes comprehensive MDM capabilities that can be managed by Microsoft management solutions, such as Microsoft Intune or Microsoft Endpoint Configuration Manager, as well as many third-party MDM solutions. There is no need to install an additional, custom MDM app to enroll devices and bring them under MDM control. All MDM system vendors have equal access to Windows 10 Mobile device management application programming interfaces (APIs), giving IT organizations the freedom to select the system that best fits their management requirements, whether Microsoft Intune or a third-party MDM product. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=734050).
### Deployment scenarios
@@ -47,7 +47,7 @@ The built-in MDM client is common to all editions of the Windows 10 operating s
Organizations typically have two scenarios to consider when it comes to device deployment: Bring Your Own (BYO) personal devices and Choose Your Own (CYO) company-owned devices. In both cases, the device must be enrolled in an MDM system, which would configure it with settings appropriate for the organization and the employee.
Windows 10 Mobile device management capabilities support both personal devices used in the BYO scenario and corporate devices used in the CYO scenario. The operating system offers a flexible approach to registering devices with directory services and MDM systems. IT organizations can provision comprehensive device-configuration profiles based on their business needs to control and protect mobile business data. Apps can be provisioned easily to personal or corporate devices through the Microsoft Store for Business, or by using their MDM system, which can also work with the Microsoft Store for Business for public store apps.
-Knowing who owns the device and what the employee will use it for are the major factors in determining your management strategy and which controls your organization should put in place. Whether personal devices, corporate devices, or a mixture of the two, deployment processes and configuration policies may differ.
+Knowing who owns the device and what the employee uses it for are the major factors in determining your management strategy and which controls your organization should put in place. Whether personal devices, corporate devices, or a mixture of the two, deployment processes and configuration policies may differ.
For **personal devices**, companies need to be able to manage corporate apps and data on the device without impeding the employee’s ability to personalize it to meet their individual needs. The employee owns the device and corporate policy allows them to use it for both business and personal purposes, with the ability to add personal apps at their discretion. The main concern with personal devices is how organizations can prevent corporate data from being compromised, while still keeping personal data private and under the sole control of the employee. This requires that the device be able to support separation of apps and data with strict control of business and personal data traffic.
@@ -69,46 +69,47 @@ The way in which personal and corporate devices are enrolled into an MDM system
-
-
Personal devices
-
Corporate devices
+
+
Personal devices
+
Corporate devices
-
Ownership
+
Ownership
Employee
Organization
Device Initialization
-In the Out-of-the-Box Experience (OOBE), the first time the employee starts the device, they are requested to add a cloud identity to the device.
+In the out-of-box experience (OOBE), the first time the employee starts the device, they are requested to add a cloud identity to the device.
The primary identity on the device is a personal identity. Personal devices are initiated with a Microsoft Account (MSA), which uses a personal email address.
The primary identity on the device is an organizational identity. Corporate devices are initialized with an organizational account (account@corporatedomain.ext).
-Initialization of a device with a corporate account is unique to Windows 10. No other mobile platform currently offers this capability. The default option is to use an Azure Active Directory organizational identity.
-Skipping the account setup in OOBE will result in the creation of a local account. The only option to add a cloud account later is to add an MSA, putting this device into a personal device deployment scenario. To start over, the device will have to be reset.
+Initialization of a device with a corporate account is unique to Windows 10. No other mobile platform currently offers this capability. The default option is to use an Azure Active Directory (Azure AD) organizational identity.
+Skipping the account setup in OOBE results in the creation of a local account. The only option to add a cloud account later is to add an MSA, putting this device into a personal device deployment scenario. To start over, the device must be reset.
Device Enrollment
Enrolling devices in an MDM system helps control and protect corporate data while keeping workers productive.
-
Device enrollment can be initiated by employees. They can add an Azure account as a secondary account to the Windows 10 Mobile device. Provided the MDM system is registered with your Azure AD, the device is automatically enrolled in the MDM system when the user adds an Azure AD account as a secondary account (MSA+AAD+MDM). If your organization does not have Azure AD, the employee’s device will automatically be enrolled into your organization’s MDM system (MSA+MDM).
+
Device enrollment can be initiated by employees. They can add an Azure account as a secondary account to the Windows 10 Mobile device. Provided the MDM system is registered with your Azure AD, the device is automatically enrolled in the MDM system when the user adds an Azure AD account as a secondary account (MSA+Azure AD+MDM). If your organization does not have Azure AD, the employee’s device is automatically enrolled into your organization’s MDM system (MSA+MDM).
MDM enrollment can also be initiated with a provisioning package. This option enables IT to offer easy-to-use self-service enrollment of personal devices. Provisioning is currently only supported for MDM-only enrollment (MSA+MDM).
-
The user initiates MDM enrollment by joining the device to the Azure AD instance of their organization. The device is automatically enrolled in the MDM system when the device registers in Azure AD. This requires your MDM system to be registered with your Azure AD (AAD+MDM).
+
The user initiates MDM enrollment by joining the device to the Azure AD instance of their organization. The device is automatically enrolled in the MDM system when the device registers in Azure AD. This requires your MDM system to be registered with your Azure AD (Azure AD+MDM).
-**Recommendation:** Microsoft recommends Azure AD registration and automatic MDM enrollment for corporate devices (AAD+MDM) and personal devices (MSA+AAD+MDM). This requires Azure AD Premium.
+Microsoft recommends Azure AD registration and automatic MDM enrollment for corporate devices (Azure AD+MDM) and personal devices (MSA+Azure AD+MDM). This requires Azure AD Premium.
### Identity management
*Applies to: Corporate and personal devices*
-Employees can use only one account to initialize a device so it’s imperative that your organization controls which account is enabled first. The account chosen will determine who controls the device and influence your management capabilities.
+Employees can use only one account to initialize a device so it’s imperative that your organization controls which account is enabled first. The account chosen determines who controls the device and influences your management capabilities.
->**Note:** Why must the user add an account to the device in OOBE? Windows 10 Mobile are single user devices and the user accounts give access to a number of default cloud services that enhance the productivity and entertainment value of the phone for the user. Such services are: Store for downloading apps, Groove for music and entertainment, Xbox for gaming, etc. Both an [MSA](https://www.microsoft.com/account/) and an [Azure AD account](https://www.microsoft.com/server-cloud/products/azure-active-directory/?WT.srch=1&WT.mc_id=SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=azure%20ad&utm_campaign=Enterprise_Mobility_Suite) give access to these services.
+> [!NOTE]
+> Why must the user add an account to the device in OOBE? Windows 10 Mobile are single user devices and the user accounts give access to a number of default cloud services that enhance the productivity and entertainment value of the phone for the user. Such services are: Store for downloading apps, Groove for music and entertainment, Xbox for gaming, and so on. Both an [MSA](https://www.microsoft.com/account/) and an [Azure AD account](https://www.microsoft.com/server-cloud/products/azure-active-directory/?WT.srch=1&WT.mc_id=SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=azure%20ad&utm_campaign=Enterprise_Mobility_Suite) provide access to these services.
The following table describes the impact of identity choice on device management characteristics of the personal and corporate device scenarios.
@@ -133,13 +134,13 @@ The following table describes the impact of identity choice on device management
Ease of enrollment
-
Employees use their Microsoft Account to activate the device. Then, they use their Azure AD account (organizational identity) to register the device in Azure AD and enroll it with the company’s MDM solution (MSA+AAD+MDM).
-
Employees use their Azure AD account to register the device in Azure AD and automatically enroll it with the organization’s MDM solution (AAD+MDM – requires Azure AD Premium).
+
Employees use their Microsoft Account to activate the device. Then, they use their Azure AD account (organizational identity) to register the device in Azure AD and enroll it with the company’s MDM solution (MSA+Azure AD+MDM).
+
Employees use their Azure AD account to register the device in Azure AD and automatically enroll it with the organization’s MDM solution (Azure AD+MDM – requires Azure AD Premium).
Credential management
Employees sign in to the device with Microsoft Account credentials.
-Users cannot sign in to devices with Azure AD credentials, even if they add the credentials after initial activation with a Microsoft account.
+Users cannot sign in to devices with Azure AD credentials, even if they add the credentials after initial activation with a Microsoft Account.
Employees sign in to the device with Azure AD credentials.
IT can block the addition of a personal identity, such as an MSA or Google Account. IT controls all devices access policies, without limitations.
@@ -153,7 +154,7 @@ IT can block the addition of a personal identity, such as an MSA or Google Accou
User settings and data roaming across multiple Windows devices
User and app settings roam across all devices activated with the same personal identity through OneDrive.
-
If the device is activated with an MSA, then adds an Azure AD account, user an app settings roam. If you add your MSA to an Azure AD- joined device, this will not be the case. Microsoft is investigating Enterprise roaming for a future release.
+
If the device is activated with an MSA, then adds an Azure AD account, user an app settings roam. If you add your MSA to an Azure AD-joined device, this is not the case. Microsoft is investigating Enterprise roaming for a future release.
Level of control
@@ -174,23 +175,25 @@ IT can block the addition of a personal identity, such as an MSA or Google Accou
->**Note:** In the context of [Windows-as-a-Service](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing), differentiation of MDM capabilities will change in the future.
+> [!NOTE]
+> In the context of [Windows-as-a-Service](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing), differentiation of MDM capabilities may change in the future.
### Infrastructure choices
*Applies to: Corporate and personal devices*
-For both personal and corporate deployment scenarios, an MDM system is the essential infrastructure required to deploy and manage Windows 10 Mobile devices. An Azure AD premium subscription is recommended as an identity provider and required to support certain capabilities. Windows 10 Mobile allows you to have a pure cloud-based infrastructure or a hybrid infrastructure that combines Azure AD identity management with an on-premises management system to manage devices. Microsoft now also supports a pure on-premises solution to manage Windows 10 Mobile devices with [Configuration Manager](https://technet.microsoft.com/library/mt627908.aspx).
+For both personal and corporate deployment scenarios, an MDM system is the essential infrastructure required to deploy and manage Windows 10 Mobile devices. An Azure AD Premium subscription is recommended as an identity provider and required to support certain capabilities. Windows 10 Mobile allows you to have a pure cloud-based infrastructure or a hybrid infrastructure that combines Azure AD identity management with an on-premises management system to manage devices. Microsoft now also supports a pure on-premises solution to manage Windows 10 Mobile devices with [Configuration Manager](https://technet.microsoft.com/library/mt627908.aspx).
**Azure Active Directory**
Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid identity solution. Organizations that use Microsoft Office 365 or Intune are already using Azure AD, which has three editions: Free Basic, and Premium (see [Azure Active Directory editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state.
**Mobile Device Management**
-Microsoft [Intune](https://www.microsoft.com/server-cloud/products/microsoft-intune/overview.aspx), part of the Enterprise Mobility + Security, is a cloud-based MDM system that manages devices off premises. Like Office 365, Intune uses Azure AD for identity management so employees use the same credentials to enroll devices in Intune that they use to sign into Office 365. Intune supports devices that run other operating systems, such as iOS and Android, to provide a complete MDM solution.
-Multiple MDM systems support Windows 10 and most support personal and corporate device deployment scenarios. MDM providers that support Windows 10 Mobile currently include: AirWatch, Citrix, MobileIron, SOTI, Blackberry and others. Most industry-leading MDM vendors already support integration with Azure AD. You can find the MDM vendors that support Azure AD in [Azure Marketplace](https://azure.microsoft.com/marketplace/). If your organization doesn’t use Azure AD, the user must use an MSA during OOBE before enrolling the device in your MDM using a corporate account.
+Microsoft [Intune](https://www.microsoft.com/server-cloud/products/microsoft-intune/overview.aspx), part of the Enterprise Mobility + Security, is a cloud-based MDM system that manages devices off premises. Intune uses Azure AD for identity management so employees use the same credentials to enroll devices in Intune that they use to sign into Microsoft 365. Intune supports devices that run other operating systems, such as iOS and Android, to provide a complete MDM solution.
+Multiple MDM systems support Windows 10 and most support personal and corporate device deployment scenarios. Most industry-leading MDM vendors already support integration with Azure AD. You can find the MDM vendors that support Azure AD in [Azure Marketplace](https://azure.microsoft.com/marketplace/). If your organization doesn’t use Azure AD, the user must use an MSA during OOBE before enrolling the device in your MDM using a corporate account.
->**Note:** Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365.
-In addition, Microsoft recently added MDM capabilities powered by Intune to Office 365. MDM for Office 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. MDM for Office 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (e.g., passcode requirements). For more information about MDM for Office 365 capabilities, see [Overview of Mobile Device Management for Office 365](https://technet.microsoft.com/library/ms.o365.cc.devicepolicy.aspx).
+> [!NOTE]
+> Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Microsoft 365.
+In addition, Microsoft recently added MDM capabilities powered by Intune to Microsoft 365, called Basic Mobility and Security for Microsoft 365. Basic Mobility and Security for Microsoft 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. Basic Mobility and Security for Microsoft 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (e.g., passcode requirements). For more information, see [Overview of Basic Mobility and Security for Microsoft 365](https://technet.microsoft.com/library/ms.o365.cc.devicepolicy.aspx).
**Cloud services**
On mobile devices that run Windows 10 Mobile, users can easily connect to cloud services that provide user notifications and collect diagnostic and usage data. Windows 10 Mobile enables organizations to manage how devices consume these cloud services.
@@ -210,19 +213,20 @@ The Microsoft Store for Business is the place where IT administrators can find,
## Configure
-MDM administrators can define and implement policy settings on any personal or corporate device enrolled in an MDM system. What configuration settings you use will differ based on the deployment scenario, and corporate devices will offer IT the broadest range of control.
+MDM administrators can define and implement policy settings on any personal or corporate device enrolled in an MDM system. The configuration settings you use depend on the deployment scenario, and corporate devices offer IT the broadest range of control.
->**Note:** This guide helps IT professionals understand management options available for the Windows 10 Mobile OS. Please consult your MDM system documentation to understand how these policies are enabled by your MDM vendor.
+> [!NOTE]
+> This guide helps IT professionals understand management options available for the Windows 10 Mobile OS. Please consult your MDM system documentation to understand how these policies are enabled by your MDM vendor.
Not all MDM systems support every setting described in this guide. Some support custom policies through OMA-URI XML files. See [Microsoft Intune support for Custom Policies](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#custom-uri-settings-for-windows-10-devices). Naming conventions may also vary among MDM vendors.
### Account profile
*Applies to: Corporate devices*
-Enforcing what accounts employees can use on a corporate device is important for avoiding data leaks and protecting privacy. Limiting the device to just one account controlled by the organization will reduce the risk of a data breach. However, you can choose to allow employees to add a personal Microsoft Account or other consumer email accounts.
+Enforcing what accounts employees can use on a corporate device is important for avoiding data leaks and protecting privacy. Limiting the device to just one account controlled by the organization reduces the risk of a data breach. However, you can choose to allow employees to add a personal Microsoft Account or other consumer email accounts.
- **Allow Microsoft Account** Specifies whether users are allowed to add a Microsoft Account to the device and use this account to authenticate to cloud services, such as purchasing apps in Microsoft Store, Xbox, or Groove.
-- **Allow Adding Non-Microsoft Accounts** Specifies whether users are allowed to add email accounts other than Microsoft accounts.
+- **Allow Adding Non-Microsoft Accounts** Specifies whether users are allowed to add email accounts other than a Microsoft Account.
### Email accounts
@@ -230,7 +234,7 @@ Enforcing what accounts employees can use on a corporate device is important for
Email and associated calendar and contacts are the primary apps that users access on their smartphones. Configuring them properly is key to the success of any mobility program. In both corporate and personal device deployment scenarios, these email account settings get deployed immediately after enrollment. Using your corporate MDM system, you can define corporate email account profiles, deploy them to devices, and manage inbox policies.
-- Most corporate email systems leverage **Exchange ActiveSync (EAS)**. For more details on configuring EAS email profiles, see the [ActiveSync CSP](https://msdn.microsoft.com/library/windows/hardware/dn920017(v=vs.85).aspx).
+- Most corporate email systems leverage **Exchange ActiveSync (EAS)**. For more details on configuring EAS email profiles, see the [Exchange ActiveSync CSP](https://msdn.microsoft.com/library/windows/hardware/dn920017(v=vs.85).aspx).
- **Simple Mail Transfer Protocol (SMTP)** email accounts can also be configured with your MDM system. For more detailed information on SMTP email profile configuration, see the [Email CSP](https://msdn.microsoft.com/library/windows/hardware/dn904953(v=vs.85).aspx). Microsoft Intune does not currently support the creation of an SMTP email profile.
### Device Lock restrictions
@@ -239,41 +243,42 @@ Email and associated calendar and contacts are the primary apps that users acces
It’s common practice to protect a device that contains corporate information with a passcode when it is not in use. As a best practice, Microsoft recommends that you implement a device lock policy for Windows 10 Mobile devices for securing apps and data. You can use a complex password or numeric PIN to lock devices. Introduced with Windows 10, [Windows Hello](https://windows.microsoft.com/en-us/windows-10/getstarted-what-is-hello) allows you to use a PIN, a companion device (like Microsoft band), or biometrics to validate your identity to unlock Windows 10 Mobile devices.
->**Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
-To use Windows Hello with biometrics, specialized hardware, including fingerprint reader, illuminated IR sensor, or other biometric sensors is required. Hardware based protection of the Windows Hello credentials requires TPM 1.2 or greater; if no TPM exists or is configured, credentials/keys protection will be software-based.
-Companion devices must be paired with Windows 10 PC’s via Bluetooth. To use a Windows Hello companion device that enables the user to roam with their Windows Hello credentials requires Pro or Enterprise edition on the Windows 10 PC being signed into.
+> [!NOTE]
+> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+To use Windows Hello with biometrics, specialized hardware, including fingerprint reader, illuminated IR sensor, or other biometric sensors is required. Hardware-based protection of the Windows Hello credentials requires TPM 1.2 or greater; if no TPM exists or is configured, credentials/keys protection will be software-based.
+Companion devices must be paired with a Windows 10 PC using Bluetooth. To use a Windows Hello companion device that enables the user to roam with their Windows Hello credentials requires the Pro or Enterprise edition of Windows 10.
-Most of the device lock restriction policies have been available via ActiveSync and MDM since Windows Phone 7 and are still available today for Windows 10 Mobile. If you are deploying Windows 10 devices in a personal device deployment scenario, these settings would apply.
+Most of the device lock restriction policies have been available through Exchange ActiveSync and MDM since Windows Phone 7 and are still available today for Windows 10 Mobile. If you are deploying Windows 10 devices in a personal device deployment scenario, these settings would apply:
- **Device Password Enabled** Specifies whether users are required to use a device lock password.
-- **Allow Simple Device Password** Whether users can use a simple password (e.g., 1111 or 1234).
-- **Alphanumeric Device Password Required** Whether users need to use an alphanumeric password. When configured, Windows prompts the user with a full device keyboard to enter a complex password. When not configured, the user will be able to enter a numeric PIN on the keyboard.
-- **Min Device Password Complex Characters** The number of password element types (i.e., uppercase letters, lowercase letters, numbers, or punctuation) required to create strong passwords.
-- **Device Password History** The number of passwords Windows 10 Mobile remembers in the password history (Users cannot reuse passwords in the history to create new passwords.)
+- **Allow Simple Device Password** Specifies whether users can use a simple password (for example, 1111 or 1234).
+- **Alphanumeric Device Password Required** Specifies whether users need to use an alphanumeric password. When configured, Windows prompts the user with a full device keyboard to enter a complex password. When not configured, the user can enter a numeric PIN on the keyboard.
+- **Min Device Password Complex Characters** The number of password element types (uppercase letters, lowercase letters, numbers, or punctuation) required to create strong passwords.
+- **Device Password History** The number of passwords Windows 10 Mobile remembers in the password history. (Users cannot reuse passwords in the history to create new passwords.)
- **Min Device Password Length** The minimum number of characters required to create new passwords.
- **Max Inactivity Time Device Lock** The number of minutes of inactivity before devices are locked and require a password to unlock.
-- **Allow Idle Return Without Password** Whether users are required to re-authenticate when their devices return from a sleep state before the inactivity time was reached.
-- **Max Device Password Failed Attempts** The number of authentication failures allowed before a device is wiped (A value of zero disables device wipe functionality.)
-- **Screen Timeout While Locked** The number of minutes before the lock screen times out (this policy influences device power management).
-- **Allow Screen Timeout While Locked User Configuration** Whether users can manually configure screen timeout while the device is on the lock screen (Windows 10 Mobile ignores the **Screen Timeout While Locked** setting if you disable this setting).
+- **Allow Idle Return Without Password** Specifies whether users are required to re-authenticate when their devices return from a sleep state before the inactivity time was reached.
+- **Max Device Password Failed Attempts** The number of authentication failures allowed before a device is wiped. (A value of zero disables device wipe functionality.)
+- **Screen Timeout While Locked** The number of minutes before the lock screen times out. (This policy influences device power management.)
+- **Allow Screen Timeout While Locked User Configuration** Specifies whether users can manually configure screen timeout while the device is on the lock screen. (Windows 10 Mobile ignores the **Screen Timeout While Locked** setting if you disable this setting.)
Settings related to Windows Hello would be important device lock settings to configure if you are deploying devices using the corporate deployment scenario.
-Microsoft made it a requirement for all users to create a numeric passcode as part of Azure AD Join. This policy default requires users to select a four-digit passcode, but this can be configured with an AAD-registered MDM system to whatever passcode complexity your organization desires. If you are using Azure AD with an automatic MDM enrollment mechanism, these policy settings are automatically applied during device enrollment.
+Microsoft made it a requirement for all users to create a numeric passcode as part of Azure AD Join. This policy default requires users to select a four-digit passcode, but this can be configured with an Azure AD-registered MDM system to whatever passcode complexity your organization desires. If you are using Azure AD with an automatic MDM enrollment mechanism, these policy settings are automatically applied during device enrollment.
-You will notice that some of the settings are very similar, specifically those related to passcode length, history, expiration, and complexity. If you set the policy in multiple places, both policies will be applied, with the strongest policy retained. Read [PassportForWork CSP](https://msdn.microsoft.com/library/windows/hardware/dn987099(v=vs.85).aspx), [DeviceLock CSP](https://msdn.microsoft.com/library/windows/hardware/dn904945(v=vs.85).aspx) (Windows Phone 8.1), and [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#DeviceLock_AllowIdleReturnWithoutPassword) for more detailed information.
+You may notice that some of the settings are very similar, specifically those related to passcode length, history, expiration, and complexity. If you set the policy in multiple places, both policies are applied, with the strongest policy retained. Read [PassportForWork CSP](https://msdn.microsoft.com/library/windows/hardware/dn987099(v=vs.85).aspx), [DeviceLock CSP](https://msdn.microsoft.com/library/windows/hardware/dn904945(v=vs.85).aspx) (Windows Phone 8.1), and [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#DeviceLock_AllowIdleReturnWithoutPassword) for more detailed information.
### Prevent changing of settings
*Applies to: Corporate devices*
-Employees are usually allowed to change certain personal device settings that you may want to lock down on corporate devices. Employees can interactively adjust certain settings of the phone through the settings applets. Using MDM, you can limit what users are allowed to change.
+Employees are usually allowed to change certain personal device settings that you may want to lock down on corporate devices. Employees can interactively adjust certain settings of the phone through the settings applets. Using MDM, you can limit what users are allowed to change, including:
-- **Allow Your Account** Specifies whether users are able to change account configuration in the Your Email and Accounts panel in Settings
-- **Allow VPN** Allows the user to change VPN settings
-- **Allow Data Sense** Allows the user to change Data Sense settings
-- **Allow Date Time** Allows the user to change data and time setting
-- **Allow Edit Device Name** Allows users to change the device name
-- **Allow Speech Model Update** Specifies whether the device will receive updates to the speech recognition and speech synthesis models (to improve accuracy and performance)
+- **Allow Your Account** Specifies whether users are allowed to change account configuration in the **Your Email and Accounts** panel in Settings
+- **Allow VPN** Specifies whether users are allowed to change VPN settings
+- **Allow Data Sense** Specifies whether users are allowed to change Data Sense settings
+- **Allow Date Time** Specifies whether users are allowed to change data and time setting
+- **Allow Edit Device Name** Specifies whether users are allowed to change the device name
+- **Allow Speech Model Update** Specifies whether the device receives updates to the speech recognition and speech synthesis models (to improve accuracy and performance)
### Hardware restrictions
@@ -281,35 +286,37 @@ Employees are usually allowed to change certain personal device settings that yo
Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi-Fi. You can use hardware restrictions to control the availability of these features.
-The following lists the MDM settings that Windows 10 Mobile supports to configure hardware restrictions.
+The following is a list of the MDM settings that Windows 10 Mobile supports to configure hardware restrictions:
->**Note:** Some of these hardware restrictions provide connectivity and assist in data protection.
+> [!NOTE]
+> Some of these hardware restrictions provide connectivity and assist in data protection.
-- **Allow NFC:** Whether the NFC radio is enabled
-- **Allow USB Connection:** Whether the USB connection is enabled (doesn’t affect USB charging)
-- **Allow Bluetooth:** Whether users can enable and use the Bluetooth radio on their devices
-- **Allow Bluetooth Advertising:** Whether the device can act as a source for Bluetooth advertisements and be discoverable to other devices
-- **Allow Bluetooth Discoverable Mode:** Whether the device can discover other devices (e.g., headsets)
-- **Allow Bluetooth pre-pairing** Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device
+- **Allow NFC:** Specifies whether the NFC radio is enabled
+- **Allow USB Connection:** Specifies whether the USB connection is enabled (doesn’t affect USB charging)
+- **Allow Bluetooth:** Specifies whether users can enable and use the Bluetooth radio on their devices
+- **Allow Bluetooth Advertising:** Specifies whether the device can act as a source for Bluetooth advertisements and be discoverable to other devices
+- **Allow Bluetooth Discoverable Mode:** Specifies whether the device can discover other devices (such as headsets)
+- **Allow Bluetooth pre-pairing** Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device
- **Bluetooth Services Allowed List:** The list of Bluetooth services and profiles to which the device can connect
- **Set Bluetooth Local Device Name:** The local Bluetooth device name
-- **Allow Camera:** Whether the camera is enabled
-- **Allow Storage Card:** Whether the storage card slot is enabled
-- **Allow Voice Recording:** Whether the user can use the microphone to create voice recordings
-- **Allow Location:** Whether the device can use the GPS sensor or other methods to determine location so applications can use location information
+- **Allow Camera:** Specifies whether the camera is enabled
+- **Allow Storage Card:** Specifies whether the storage card slot is enabled
+- **Allow Voice Recording:** Specifies whether the user can use the microphone to create voice recordings
+- **Allow Location:** Specifies whether the device can use the GPS sensor or other methods to determine location so applications can use location information
### Certificates
*Applies to: Personal and corporate devices*
Certificates help improve security by providing account authentication, Wi-Fi authentication, VPN encryption, and SSL encryption of web content. Although users can manage certificates on devices manually, it’s a best practice to use your MDM system to manage those certificates throughout their entire lifecycle – from enrollment through renewal and revocation.
-To install certificates manually, you can post them on Microsoft Edge website or send them directly via email, which is ideal for testing purposes.
-Using SCEP and MDM systems, certificate management is completely transparent and requires no user intervention, helping improve user productivity, and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device (as long as the MDM system supports the Simple Certificate Enrollment Protocol (SCEP) or Personal Information Exchange (PFX)). The MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired.
+To install certificates manually, you can post them on Microsoft Edge website or send them directly by using email, which is ideal for testing purposes.
+Using Simple Certificate Enrollment Protocol (SCEP) and MDM systems, certificate management is completely transparent and requires no user intervention, helping improve user productivity, and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device, as long as the MDM system supports the SCEP or Personal Information Exchange (PFX). The MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired.
In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates. The table below lists the Windows 10 Mobile PFX certificate deployment settings.
-Get more detailed information about MDM certificate management in the [Client Certificate Install CSP](https://msdn.microsoft.com/library/windows/hardware/dn920023(v=vs.85).aspx) and [Install digital certificates on Windows 10 Mobile](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile).
+For more detailed information about MDM certificate management, see [Client Certificate Install CSP](https://msdn.microsoft.com/library/windows/hardware/dn920023(v=vs.85).aspx) and [Install digital certificates on Windows 10 Mobile](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile).
Use the Allow Manual Root Certificate Installation setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidentally.
-> **Note:** To diagnose certificate-related issues on Windows 10 Mobile devices, use the free Certificates app in Microsoft Store. This Windows 10 Mobile app can help you:
+> [!NOTE]
+> To diagnose certificate-related issues on Windows 10 Mobile devices, use the free Certificates app in Microsoft Store. This Windows 10 Mobile app can help you:
> - View a summary of all personal certificates
> - View the details of individual certificates
> - View the certificates used for VPN, Wi-Fi, and email authentication
@@ -322,7 +329,7 @@ Use the Allow Manual Root Certificate Installation setting to prevent users from
*Applies to: Corporate and personal devices*
Wi-Fi is used on mobile devices as much as, or more than, cellular data connections. Most corporate Wi-Fi networks require certificates and other complex information to restrict and secure user access. This advanced Wi-Fi information is difficult for typical users to configure, but MDM systems can fully configure these Wi-Fi profiles without user intervention.
-You can create multiple Wi-Fi profiles in your MDM system. The below table lists the Windows 10 Mobile Wi Fi connection profile settings that can be configured by administrators.
+You can create multiple Wi-Fi profiles in your MDM system. The Windows 10 Mobile Wi-Fi connection profile settings that can be configured by administrators include:
- **SSID** The case-sensitive name of the Wi-Fi network Service Set Identifier
- **Security type** The type of security the Wi-Fi network uses; can be one of the following authentication types:
@@ -345,14 +352,14 @@ You can create multiple Wi-Fi profiles in your MDM system. The below table lists
- **Proxy auto-configuration URL** A URL that specifies the proxy auto-configuration file
- **Enable Web Proxy Auto-Discovery Protocol (WPAD)** Specifies whether WPAD is enabled
-In addition, you can set a few device wide Wi-Fi settings.
-- **Allow Auto Connect to Wi-Fi Sense Hotspots** Whether the device will automatically detect and connect to Wi-Fi networks
-- **Allow Manual Wi-Fi Configuration** Whether the user can manually configure Wi-Fi settings
-- **Allow Wi-Fi** Whether the Wi-Fi hardware is enabled
-- **Allow Internet Sharing** Allow or disallow Internet sharing
-- **WLAN Scan Mode** How actively the device scans for Wi-Fi networks
+In addition, you can set the following device wide Wi-Fi settings:
+- **Allow Auto Connect to Wi-Fi Sense Hotspots** Specifies whether the device automatically detects and connects to Wi-Fi networks
+- **Allow Manual Wi-Fi Configuration** Specifies whether the user can manually configure Wi-Fi settings
+- **Allow Wi-Fi** Specifies whether the Wi-Fi hardware is enabled
+- **Allow Internet Sharing** Allows or disallows Internet sharing
+- **WLAN Scan Mode** Specifies how actively the device scans for Wi-Fi networks
-Get more detailed information about Wi-Fi connection profile settings in the [Wi-Fi CSP](https://msdn.microsoft.com/library/windows/hardware/dn904981(v=vs.85).aspx) and [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx).
+For more detailed information about Wi-Fi connection profile settings, see [Wi-Fi CSP](https://msdn.microsoft.com/library/windows/hardware/dn904981(v=vs.85).aspx) and [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx).
### APN profiles
@@ -360,7 +367,7 @@ Get more detailed information about Wi-Fi connection profile settings in the [Wi
An Access Point Name (APN) defines network paths for cellular data connectivity. Typically, you define just one APN for a device in collaboration with a mobile operator, but you can define multiple APNs if your company uses multiple mobile operators.
An APN provides a private connection to the corporate network that is unavailable to other companies on the mobile operator network.
-You can define and deploy APN profiles in MDM systems that configure cellular data connectivity for Windows 10 Mobile. Devices running Windows 10 Mobile can have only one APN profile. The following lists the MDM settings that Windows 10 Mobile supports for APN profiles.
+You can define and deploy APN profiles in MDM systems that configure cellular data connectivity for Windows 10 Mobile. Devices running Windows 10 Mobile can have only one APN profile. The following lists the MDM settings that Windows 10 Mobile supports for APN profiles:
- **APN name** The APN name
- *IP connection type* The IP connection type; set to one of the following values:
@@ -368,7 +375,7 @@ You can define and deploy APN profiles in MDM systems that configure cellular da
- IPv6 only
- IPv4 and IPv6 concurrently
- IPv6 with IPv4 provided by 46xlat
-- **LTE attached** Whether the APN should be attached as part of an LTE Attach
+- **LTE attached** Specifies whether the APN should be attached as part of an LTE Attach
- **APN class ID** The globally unique identifier that defines the APN class to the modem
- **APN authentication type** The APN authentication type; set to one of the following values:
- None
@@ -379,22 +386,22 @@ You can define and deploy APN profiles in MDM systems that configure cellular da
- **User name** The user account when users select Password Authentication Protocol (PAP), CHAP, or MSCHAPv2 authentication in APN authentication type
- **Password** The password for the user account specified in User name
- **Integrated circuit card ID** The integrated circuit card ID associated with the cellular connection profile
-- **Always on** Whether the connection manager will automatically attempt to connect to the APN whenever it is available
+- **Always on** Specifies whether the connection manager automatically attempts to connect to the APN when it is available
- **Connection enabled** Specifies whether the APN connection is enabled
- **Allow user control** Allows users to connect with other APNs than the enterprise APN
-- **Hide view** Whether the cellular UX will allow the user to view enterprise APNs
+- **Hide view** Specifies whether the cellular UX allows the user to view enterprise APNs
-Get more detailed information about APN settings in the [APN CSP](https://msdn.microsoft.com/library/windows/hardware/dn958617(v=vs.85).aspx).
+For more detailed information about APN settings, see [APN CSP](https://msdn.microsoft.com/library/windows/hardware/dn958617(v=vs.85).aspx).
### Proxy
*Applies to: Corporate devices*
-The below lists the Windows 10 Mobile settings for managing APN proxy settings for Windows 10 Mobile device connectivity.
+The following lists the Windows 10 Mobile settings for managing APN proxy settings for Windows 10 Mobile device connectivity:
- **Connection name** Specifies the name of the connection the proxy is associated with (this is the APN name of a configured connection)
-- **Bypass Local** Specifies if the proxy should be bypassed when local hosts are accessed by the device
-- **Enable** Specifies if the proxy is enabled
+- **Bypass Local** Specifies whether the proxy should be bypassed when local hosts are accessed by the device
+- **Enable** Specifies whether the proxy is enabled
- **Exception** Specifies a semi-colon delimited list of external hosts which should bypass the proxy when accessed
- **User Name** Specifies the username used to connect to the proxy
- **Password** Specifies the password used to connect to the proxy
@@ -408,15 +415,15 @@ For more details on proxy settings, see [CM_ProxyEntries CSP](https://msdn.micro
*Applies to: Corporate and personal devices*
-Organizations often use a VPN to control access to apps and resources on their company’s intranet. In addition to native Microsoft Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Internet Key Exchange Protocol version 2 (IKEv2) VPNs, Windows 10 Mobile supports SSL VPN connections, which require a downloadable plugin from the Microsoft Store and are specific to the VPN vendor of your choice. These plugins work like apps and can be installed directly from the Microsoft Store using your MDM system (see App Management).
+Organizations often use a VPN to control access to apps and resources on their company’s intranet. In addition to native Microsoft Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Internet Key Exchange Protocol version 2 (IKEv2) VPNs, Windows 10 Mobile supports SSL VPN connections, which require a downloadable plugin from the Microsoft Store and are specific to the VPN vendor of your choice. These plugins work like apps and can be installed directly from the Microsoft Store using your MDM system (see App Management).
You can create and provision multiple VPN connection profiles and then deploy them to managed devices that run Windows 10 Mobile.
To create a VPN profile that uses native Windows 10 Mobile VPN protocols (such as IKEv2, PPTP, or L2TP), you can use the following settings:
- **VPN Servers** The VPN server for the VPN profile
- **Routing policy type** The type of routing policy the VPN profile uses can be set to one of the following values:
- - Split tunnel. Only network traffic destined to the intranet goes through the VPN connection
- - Force tunnel. All traffic goes through the VPN connection
+ - Split tunnel: Only network traffic destined to the intranet goes through the VPN connection
+ - Force tunnel: All traffic goes through the VPN connection
- **Tunneling protocol type** The tunneling protocol used for VPN profiles that use native Windows 10 Mobile VPN protocols can be one the following values: PPTP, L2TP, IKEv2, Automatic
- **User authentication method** The user authentication method for the VPN connection can have a value of EAP or MSChapv2 (Windows 10 Mobile does not support the value MSChapv2 for IKEv2-based VPN connections)
- **Machine certificate** The machine certificate used for IKEv2-based VPN connections
@@ -424,24 +431,25 @@ To create a VPN profile that uses native Windows 10 Mobile VPN protocols (such a
- **L2tpPsk** The pre-shared key used for an L2TP connection
- **Cryptography Suite** Enable the selection of cryptographic suite attributes used for IPsec tunneling
->**Note:** The easiest way to create a profile for a single sign-on experience with an EAP configuration XML is through the rasphone tool on a Windows 10 PC. Once you run the rasphone.exe, the configuration wizard will walk you through the necessary steps. For step-by-step instructions on creating the EAP configuration XML blob, see EAP configuration. You can use the resulting XML blob in the MDM system to create the VPN profile on Windows 10 Mobile phone. If you have multiple certificates on the devices, you may want to configure filtering conditions for automatic certificate selection, so the employee does not need to select an authentication certificate every time the VPN is turned on. See this article for details. Windows 10 for PCs and Windows 10 Mobile have the same VPN client.
+> [!NOTE]
+> The easiest way to create a profile for a single sign-on experience with an EAP configuration XML is through the rasphone tool on a Windows 10 PC. Once you run the rasphone.exe, the configuration wizard walks you through the necessary steps. For step-by-step instructions on creating the EAP configuration XML blob, see EAP configuration. You can use the resulting XML blob in the MDM system to create the VPN profile on Windows 10 Mobile phone. If you have multiple certificates on the devices, you may want to configure filtering conditions for automatic certificate selection, so the employee does not need to select an authentication certificate every time the VPN is turned on. See this article for details. Windows 10 for PCs and Windows 10 Mobile have the same VPN client.
Microsoft Store–based VPN plugins for the VPN connection allow you to create a VPN plugin profile with the following attributes:
- **VPN server** A comma-separated list of VPN servers; you can specify the servers with a URL, fully qualified host name, or IP address
-- **Custom configuration** An HTML-encoded XML blob for SSL–VPN plugin–specific configuration information (e.g., authentication information) that the plugin provider requires
+- **Custom configuration** An HTML-encoded XML blob for SSL–VPN plugin–specific configuration information (such as authentication information) that the plugin provider requires
- **Microsoft Store VPN plugin family name** Specifies the Microsoft Store package family name for the Microsoft Store–based VPN plugin
-In addition, you can specify per VPN Profile:
+In addition, you can specify per VPN profile:
-- **App Trigger List** You can add an App Trigger List to every VPN profile. The app specified in the list will automatically trigger the VPN profile for intranet connectivity. When multiple VPN profiles are needed to serve multiple apps, the operating system automatically establishes the VPN connection when the user switches between apps. Only one VPN connection at a time can be active. In the event the device drops the VPN connection, Windows 10 Mobile automatically reconnects to the VPN without user intervention.
+- **App Trigger List** You can add an App Trigger List to every VPN profile. The app specified in the list automatically triggers the VPN profile for intranet connectivity. When multiple VPN profiles are needed to serve multiple apps, the operating system automatically establishes the VPN connection when the user switches between apps. Only one VPN connection at a time can be active. In the event the device drops the VPN connection, Windows 10 Mobile automatically reconnects to the VPN without user intervention.
- **Route List** List of routes to be added to the routing table for the VPN interface. This is required for split tunneling cases where the VPN server site has more subnets that the default subnet based on the IP assigned to the interface.
- **Domain Name Information List** Name Resolution Policy Table (NRPT) rules for the VPN profile.
- **Traffic Filter List** Specifies a list of rules. Only traffic that matches these rules can be sent via the VPN Interface.
- **DNS suffixes** A comma-separated list of DNS suffixes for the VPN connection. Any DNS suffixes in this list are automatically added to Suffix Search List.
- **Proxy** Any post-connection proxy support required for the VPN connection; including Proxy server name and Automatic proxy configuration URL. Specifies the URL for automatically retrieving proxy server settings.
- **Always on connection** Windows 10 Mobile features always-on VPN, which makes it possible to automatically start a VPN connection when a user signs in. The VPN stays connected until the user manually disconnects it.
-- **Remember credentials** Whether the VPN connection caches credentials.
+- **Remember credentials** Specifies whether the VPN connection caches credentials.
- **Trusted network detection** A comma-separated list of trusted networks that causes the VPN not to connect when the intranet is directly accessible (Wi-Fi).
- **Enterprise Data Protection Mode ID** Enterprise ID, which is an optional field that allows the VPN to automatically trigger based on an app defined with a Windows Information Protection policy.
- **Device Compliance** To set up Azure AD-based Conditional Access for VPN and allow that SSO with a certificate different from the VPN Authentication certificate for Kerberos Authentication in the case of Device Compliance.
@@ -452,12 +460,12 @@ In addition, you can specify per VPN Profile:
- No other VPN profiles can be connected or modified.
- **ProfileXML** In case your MDM system does not support all the VPN settings you want to configure, you can create an XML file that defines the VPN profile you want to apply to all the fields you require.
-For more details about VPN profiles, see the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776(v=vs.85).aspx)
+For more details about VPN profiles, see [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776(v=vs.85).aspx).
-Some device-wide settings for managing VPN connections can help you manage VPNs over cellular data connections, which in turn helps reduce costs associated with roaming or data plan charges.
-- **Allow VPN** Whether users can change VPN settings
-- **Allow VPN Over Cellular** Whether users can establish VPN connections over cellular networks
-- **Allow VPN Over Cellular when Roaming** Whether users can establish VPN connections over cellular networks when roaming
+Some device-wide settings for managing VPN connections can help you manage VPNs over cellular data connections, which in turn helps reduce costs associated with roaming or data plan charges:
+- **Allow VPN** Specifies whether users can change VPN settings
+- **Allow VPN Over Cellular** Specifies whether users can establish VPN connections over cellular networks
+- **Allow VPN Over Cellular when Roaming** Specifies whether users can establish VPN connections over cellular networks when roaming
### Storage management
@@ -471,16 +479,16 @@ The SD card is uniquely paired with a device. No other devices can see the apps
You can disable the **Allow Storage Card** setting if you wish to prevent users from using SD cards entirely. If you choose not to encrypt storage, you can help protect your corporate apps and data by using the Restrict app data to the system volume and Restrict apps to the system volume settings. These help ensure that users cannot copy your apps and data to SD cards.
-Here is a list of MDM storage management settings that Windows 10 Mobile provides.
+Here is a list of MDM storage management settings that Windows 10 Mobile provides:
-- **Allow Storage Card** Whether the use of storage cards for data storage is allowed
-- **Require Device Encryption** Whether internal storage is encrypted (when a device is encrypted, you cannot use a policy to turn encryption off)
+- **Allow Storage Card** Specifies whether the use of storage cards for data storage is allowed
+- **Require Device Encryption** Specifies whether internal storage is encrypted (when a device is encrypted, you cannot use a policy to turn encryption off)
- **Encryption method** Specifies the BitLocker drive encryption method and cipher strength; can be one of the following values:
- AES-Cipher Block Chaining (CBC) 128-bit
- AES-CBC 256-bit
- XEX-based tweaked-codebook mode with cipher text stealing (XTS)–AES (XTS-AES) 128-bit (this is the default)
- XTS-AES-256-bit
-- **Allow Federal Information Processing Standard (FIPS) algorithm policy** Whether the device allows or disallows the FIPS algorithm policy
+- **Allow Federal Information Processing Standard (FIPS) algorithm policy** Specifies whether the device allows or disallows the FIPS algorithm policy
- **SSL cipher suites** Specifies a list of the allowed cryptographic cipher algorithms for SSL connections
- **Restrict app data to the system volume** Specifies whether app data is restricted to the system drive
- **Restrict apps to the system volume** Specifies whether apps are restricted to the system drive
@@ -513,11 +521,11 @@ Azure AD authenticated managers have access to Microsoft Store for Business func
Microsoft Store for Business supports app distribution under two licensing models: online and offline.
The online model (store-managed) is the recommended method, and supports both personal device and corporate device management scenarios. To install online apps, the device must have Internet access at the time of installation. On corporate devices, an employee can be authenticated with an Azure AD account to install online apps. On personal devices, an employee must register their device with Azure AD to be able to install corporate licensed online apps.
-Corporate device users will find company licensed apps in the Store app on their phone in a private catalog. When an MDM system is associated with the Store for Business, IT administrators can present Store apps within the MDM system app catalog where users can find and install their desired apps. IT administrators can also push required apps directly to employee devices without the employee’s intervention.
+Corporate device users can find company licensed apps in the Store app on their phone in a private catalog. When an MDM system is associated with the Store for Business, IT administrators can present Store apps within the MDM system App Catalog where users can find and install their desired apps. IT administrators can also push required apps directly to employee devices without the employee’s intervention.
Employees with personal devices can install apps licensed by their organization using the Store app on their device. They can use either the Azure AD account or Microsoft Account within the Store app if they wish to purchase personal apps. If you allow employees with corporate devices to add a secondary Microsoft Account (MSA), the Store app on the device provides a unified method for installing personal and corporate apps.
-Online licensed apps do not need to be transferred or downloaded from the Microsoft Store to the MDM system to be distributed and managed. When an employee chooses a company-owned app, it will automatically be installed from the cloud. Also, apps will be automatically updated when a new version is available or can be removed if needed. When an app is removed from a device by the MDM system or the user, Microsoft Store for Business reclaims the license so it can be used for another user or on another device.
+Online licensed apps do not need to be transferred or downloaded from the Microsoft Store to the MDM system to be distributed and managed. When an employee chooses a company-owned app, it's automatically installed from the cloud. Also, apps are automatically updated when a new version is available or can be removed if needed. When an app is removed from a device by the MDM system or the user, Microsoft Store for Business reclaims the license so it can be used for another user or on another device.
To distribute an app offline (organization-managed), the app must be downloaded from the Microsoft Store for Business. This can be accomplished in the Microsoft Store for Business portal by an authorized administrator. Offline licensing requires the app developer to opt-in to the licensing model, as the Microsoft Store is no longer able to track licenses for the developer. If the app developer doesn’t allow download of the app from Microsoft Store, then you must obtain the files directly from the developer or use the online licensing method.
@@ -525,7 +533,7 @@ To install acquired Microsoft Store or LOB apps offline on a Windows 10 Mobile d
Microsoft Store apps or LOB apps that have been uploaded to the Microsoft Store for Business are automatically trusted on all Windows devices, as they are cryptographically signed with Microsoft Store certificates. LOB apps that are uploaded to the Microsoft Store for Business are private to your organization and are never visible to other companies or consumers. If you do not want to upload your LOB apps, you have to establish trust for the app on your devices. To establish this trust, you’ll need to generate a signing certificate with your Public Key Infrastructure and add your chain of trust to the trusted certificates on the device (see the certificates section). You can install up to 20 self-signed LOB apps per device with Windows 10 Mobile. To install more than 20 apps on a device, you can purchase a signing certificate from a trusted public Certificate Authority, or upgrade your devices to Windows 10 Mobile Enterprise edition.
-Learn more about the [Microsoft Store for Business](/microsoft-store/index).
+For more information, see [Microsoft Store for Business](/microsoft-store/index).
### Managing apps
@@ -535,23 +543,23 @@ IT administrators can control which apps are allowed to be installed on Windows
Windows 10 Mobile includes AppLocker, which enables administrators to create allow or disallow lists of apps from the Microsoft Store. This capability extends to built-in apps, as well, such as Xbox, Groove, text messaging, email, and calendar, etc. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. However, it is not always an easy approach to find a balance between what employees need or request and security concerns. Creating allow or disallow lists also requires keeping up with the changing app landscape in the Microsoft Store.
-For more details, see [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx).
+For more information, see [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx).
-In addition to controlling which apps are allowed, IT professionals can also implement additional app management settings on Windows 10 Mobile, using an MDM.
+In addition to controlling which apps are allowed, IT professionals can also implement additional app management settings on Windows 10 Mobile, using an MDM:
-- **Allow All Trusted Apps** Whether users can sideload apps on the device.
-- **Allow App Store Auto Update** Whether automatic updates of apps from Microsoft Store are allowed.
-- **Allow Developer Unlock** Whether developer unlock is allowed.
-- **Allow Shared User App Data** Whether multiple users of the same app can share data.
-- **Allow Store** Whether Microsoft Store app is allowed to run. This will completely block the user from installing apps from the Store, but will still allow app distribution through an MDM system.
+- **Allow All Trusted Apps** Specifies whether users can sideload apps on the device.
+- **Allow App Store Auto Update** Specifies whether automatic updates of apps from Microsoft Store are allowed.
+- **Allow Developer Unlock** Specifies whether developer unlock is allowed.
+- **Allow Shared User App Data** Specifies whether multiple users of the same app can share data.
+- **Allow Store** Specifies whether Microsoft Store app is allowed to run. This completely blocks the user from installing apps from the Store, but still allows app distribution through an MDM system.
- **Application Restrictions** An XML blob that defines the app restrictions for a device. The XML blob can contain an app allow or deny list. You can allow or deny apps based on their app ID or publisher. See AppLocker above.
- **Disable Store Originated Apps** Disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded before the policy was applied.
-- **Require Private Store Only** Whether the private store is exclusively available to users in the Store app on the device. If enabled, only the private store is available. If disabled, the retail catalog and private store are both available.
-- **Restrict App Data to System Volume** Whether app data is allowed only on the system drive or can be stored on an SD card.
-- **Restrict App to System Volume** Whether app installation is allowed only to the system drive or can be installed on an SD card.
-- **Start screen layout** An XML blob used to configure the Start screen (see [Start layout for Windows 10 Mobile](https://msdn.microsoft.com/library/windows/hardware/mt171093(v=vs.85).aspx) for more information).
+- **Require Private Store Only** Specifies whether the private store is exclusively available to users in the Store app on the device. If enabled, only the private store is available. If disabled, the retail catalog and private store are both available.
+- **Restrict App Data to System Volume** Specifies whether app data is allowed only on the system drive or can be stored on an SD card.
+- **Restrict App to System Volume** Specifies whether app installation is allowed only to the system drive or can be installed on an SD card.
+- **Start screen layout** An XML blob used to configure the Start screen (for more information, see [Start layout for Windows 10 Mobile](https://msdn.microsoft.com/library/windows/hardware/mt171093(v=vs.85).aspx)).
-Find more details on application management options in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#ApplicationManagement_AllowAllTrustedApps)
+Find more details on application management options in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#ApplicationManagement_AllowAllTrustedApps).
### Data leak prevention
@@ -561,7 +569,7 @@ One of the biggest challenges in protecting corporate information on mobile devi
Windows 10 Mobile includes Windows Information Protection to transparently keep corporate data protected and personal data private. It automatically tags personal and corporate data and applies policies for those apps that can access data classified as corporate. This includes when data is at rest on local or removable storage. Because corporate data is always protected, users cannot copy it to public locations like social media or personal email.
-Windows Information Protection works with all apps, which are classified into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on policies. Corporate data will be encrypted at all times and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps consider all data corporate and encrypt everything by default.
+Windows Information Protection works with all apps, which are classified into two categories: enlightened and unenlightened. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on policies. Corporate data is encrypted at all times and any attempt to copy/paste or share this information with non-corporate apps or users fails. Unenlightened apps consider all data corporate and encrypt everything by default.
Any app developed on the UWA platform can be enlightened. Microsoft has made a concerted effort to enlighten several of its most popular apps, including:
- Microsoft Edge
@@ -581,19 +589,19 @@ The following table lists the settings that can be configured for Windows Inform
- Override mode (encrypt, prompt, and audit)
- Block mode (encrypt, block, and audit)
- **Enterprise protected domain names*** A list of domains used by the enterprise for its user identities. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected.
-- **Allow user decryption** Allows the user to decrypt files. If not allowed, the user will not be able to remove protection from enterprise content through the OS or app user experience.
+- **Allow user decryption** Allows the user to decrypt files. If not allowed, the user is not able to remove protection from enterprise content through the OS or app user experience.
- **Require protection under lock configuration** Specifies whether the protection under lock feature (also known as encrypt under PIN) should be configured.
- **Data recovery certificate*** Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through MDM instead of Group Policy.
-- **Revoke on unenroll** Whether to revoke the information protection keys when a device unenrolls from the management service.
+- **Revoke on unenroll** Specifies whether to revoke the information protection keys when a device unenrolls from the management service.
- **RMS template ID for information protection** Allows the IT admin to configure the details about who has access to RMS-protected files and for how long.
- **Allow Azure RMS for information protection** Specifies whether to allow Azure RMS encryption for information protection.
-- **Show information protection icons** Determines whether overlays are added to icons for information protection secured files in web browser and enterprise-only app tiles in the Start menu.
+- **Show information protection icons** Determines whether overlays are added to icons for information protection secured files in web browser and enterprise-only app tiles in the **Start** menu.
- **Status** A read-only bit mask that indicates the current state of information protection on the device. The MDM service can use this value to determine the current overall state of information protection.
-- **Enterprise IP Range*** The enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected.
-- **Enterprise Network Domain Names*** the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected.
+- **Enterprise IP Range*** The enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers is considered part of the enterprise and protected.
+- **Enterprise Network Domain Names*** the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device is considered enterprise data and is protected.
- **Enterprise Cloud Resources** A list of Enterprise resource domains hosted in the cloud that need to be protected.
->**Note:** * Are mandatory Windows Information Protection policies. To make Windows Information Protection functional, AppLocker and network isolation settings - specifically Enterprise IP Range and Enterprise Network Domain Names – must be configured. This defines the source of all corporate data that needs protection and also ensures data written to these locations won’t be encrypted by the user’s encryption key (so that others in the company can access it.
+* Mandatory Windows Information Protection policies. To make Windows Information Protection functional, AppLocker and network isolation settings (specifically Enterprise IP Range and Enterprise Network Domain Names) must be configured. This defines the source of all corporate data that needs protection and also ensures data written to these locations won’t be encrypted by the user’s encryption key so that others in the company can access it.
For more information on Windows Information Protection, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634(v=vs.85).aspx) and the following in-depth article series [Protect your enterprise data using Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip).
@@ -601,18 +609,18 @@ For more information on Windows Information Protection, see the [EnterpriseDataP
*Applies to: Corporate devices*
-On corporate devices, some user activities expose corporate data to unnecessary risk. For example, users might create a screen capture of corporate information out of an internal LOB app. To mitigate the risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data and prevent data leaks. The following demonstrates those capabilities that can be used to help prevent data leaks.
+On corporate devices, some user activities expose corporate data to unnecessary risk. For example, users might create a screen capture of corporate information out of an internal LOB app. To mitigate the risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data and prevent data leaks. The following demonstrates those capabilities that can be used to help prevent data leaks:
-- **Allow copy and paste** Whether users can copy and paste content
-- **Allow Cortana** Whether users can use Cortana on the device (where available)
-- **Allow device discovery** Whether the device discovery user experience is available on the lock screen (for example, controlling whether a device could discover a projector [or other devices] when the lock screen is displayed)
-- **Allow input personalization** Whether personally identifiable information can leave the device or be saved locally (e.g., Cortana learning, inking, dictation)
-- **Allow manual MDM unenrollment** Whether users are allowed to delete the workplace account (i.e., unenroll the device from the MDM system)
-- **Allow screen capture** Whether users are allowed to capture screenshots on the device
+- **Allow copy and paste** Specifies whether users can copy and paste content
+- **Allow Cortana** Specifies whether users can use Cortana on the device (where available)
+- **Allow device discovery** Specifies whether the device discovery user experience is available on the lock screen (for example, controlling whether a device could discover a projector [or other devices] when the lock screen is displayed)
+- **Allow input personalization** Specifies whether personally identifiable information can leave the device or be saved locally (e.g., Cortana learning, inking, dictation)
+- **Allow manual MDM unenrollment** Specifies whether users are allowed to delete the workplace account (i.e., unenroll the device from the MDM system)
+- **Allow screen capture** Specifies whether users are allowed to capture screenshots on the device
- **Allow SIM error dialog prompt** Specifies whether to display a dialog prompt when no SIM card is installed
-- **Allow sync my settings** Whether the user experience settings are synchronized between devices (works with Microsoft accounts only)
-- **Allow toasts notifications above lock screen** Whether users are able to view toast notification on the device lock screen
-- **Allow voice recording** Whether users are allowed to perform voice recordings
+- **Allow sync my settings** Specifies whether the user experience settings are synchronized between devices (works with Microsoft accounts only)
+- **Allow toasts notifications above lock screen** Specifies whether users are able to view toast notification on the device lock screen
+- **Allow voice recording** Specifies whether users are allowed to perform voice recordings
- **Do Not Show Feedback Notifications** Prevents devices from showing feedback questions from Microsoft
- **Allow Task Switcher** Allows or disallows task switching on the device to prevent visibility of App screen tombstones in the task switcher
- **Enable Offline Maps Auto Update** Disables the automatic download and update of map data
@@ -626,19 +634,19 @@ You can find more details on the experience settings in Policy CSP.
MDM systems also give you the ability to manage Microsoft Edge on mobile devices. Microsoft Edge is the only browser available on Windows 10 Mobile devices. It differs slightly from the desktop version as it does not support Flash or Extensions. Edge is also an excellent PDF viewer as it can be managed and integrates with Windows Information Protection.
-The following settings for Microsoft Edge on Windows 10 Mobile can be managed.
+The following settings for Microsoft Edge on Windows 10 Mobile can be managed:
-- **Allow Browser** Whether users can run Microsoft Edge on the device
-- **Allow Do Not Track headers** Whether Do Not Track headers are allowed
-- **Allow InPrivate** Whether users can use InPrivate browsing
-- **Allow Password Manager** Whether users can use Password Manager to save and manage passwords locally
-- **Allow Search Suggestions in Address Bar** Whether search suggestions are shown in the address bar
-- **Allow Windows Defender SmartScreen** Whether Windows Defender SmartScreen is enabled
-- **Cookies** Whether cookies are allowed
+- **Allow Browser** Specifies whether users can run Microsoft Edge on the device
+- **Allow Do Not Track headers** Specifies whether Do Not Track headers are allowed
+- **Allow InPrivate** Specifies whether users can use InPrivate browsing
+- **Allow Password Manager** Specifies whether users can use Password Manager to save and manage passwords locally
+- **Allow Search Suggestions in Address Bar** Specifies whether search suggestions are shown in the address bar
+- **Allow Windows Defender SmartScreen** Specifies whether Windows Defender SmartScreen is enabled
+- **Cookies** Specifies whether cookies are allowed
- **Favorites** Configure Favorite URLs
- **First Run URL** The URL to open when a user launches Microsoft Edge for the first time
-- **Prevent Windows Defender SmartScreen Prompt Override** Whether users can override the Windows Defender SmartScreen warnings for URLs
-- **Prevent Smart Screen Prompt Override for Files** Whether users can override the Windows Defender SmartScreen warnings for files
+- **Prevent Windows Defender SmartScreen Prompt Override** Specifies whether users can override the Windows Defender SmartScreen warnings for URLs
+- **Prevent Smart Screen Prompt Override for Files** Specifies whether users can override the Windows Defender SmartScreen warnings for files
## Manage
@@ -646,7 +654,7 @@ In enterprise IT environments, the need for security and cost control must be ba
### Servicing options
-**A streamlined update process**
+#### A streamlined update process
*Applies to: Corporate and personal devices*
@@ -682,11 +690,11 @@ Microsoft has streamlined the Windows product engineering and release cycle so n
-Microsoft will also deliver and install monthly updates for security and stability directly to Windows 10 Mobile devices. These Quality Updates, released under Microsoft control via Windows Update, are available for all devices running Windows 10 Mobile. Windows 10 Mobile devices consume Feature Updates and Quality Updates as part of the same standard update process.
+Microsoft also delivers and installs monthly updates for security and stability directly to Windows 10 Mobile devices. These Quality Updates, released under Microsoft control via Windows Update, are available for all devices running Windows 10 Mobile. Windows 10 Mobile devices consume Feature Updates and Quality Updates as part of the same standard update process.
-Quality Updates are usually smaller than Feature Updates, but the installation process and experience is very similar, though larger updates will take more time to install. Enterprise customers can manage the update experience and process on Windows 10 Mobile devices using an MDM system, after upgrading the devices to Enterprise edition. In most cases, policies to manage the update process will apply to both feature and quality updates.
+Quality Updates are usually smaller than Feature Updates, but the installation process and experience is very similar, though larger updates take more time to install. Enterprise customers can manage the update experience and process on Windows 10 Mobile devices using an MDM system, after upgrading the devices to Enterprise edition. In most cases, policies to manage the update process apply to both feature and quality updates.
-Microsoft aspires to update Windows 10 Mobile devices with the latest updates automatically and without being disruptive for all customers. Out-of-the-box, a Windows 10 Mobile device will Auto Scan for available updates. However, depending on the device’s network and power status, update methods and timing will vary.
+Microsoft aspires to update Windows 10 Mobile devices with the latest updates automatically and without being disruptive for all customers. Out-of-the-box, a Windows 10 Mobile device uses Auto Scan to search for available updates. However, depending on the device’s network and power status, update methods and timing may vary.
@@ -717,8 +725,8 @@ Microsoft aspires to update Windows 10 Mobile devices with the latest updates au
Cellular
Device is only connected to a cellular network (standard data charges apply)
-
Will skip a daily scan if scan was successfully completed in the last 5 days
-
Will only occur if update package is small and does not exceed the mobile operator data limit.
+
Skips a daily scan if scan was successfully completed in the last 5 days
+
Only occurs if update package is small and does not exceed the mobile operator data limit.
Yes
Idem
@@ -733,22 +741,22 @@ Microsoft aspires to update Windows 10 Mobile devices with the latest updates au
-**Keeping track of updates releases**
+#### Keeping track of updates releases
*Applies to: Corporate and Personal devices*
Microsoft publishes new feature updates for Windows 10 and Windows 10 Mobile on a regular basis. The [Windows release information page](https://technet.microsoft.com/windows/release-info) is designed to help you determine if your devices are current with the latest Windows 10 feature and quality updates. The release information published on this page, covers both Windows 10 for PCs and Windows 10 Mobile. In addition, the [Windows update history page](https://windows.microsoft.com/en-us/windows-10/update-history-windows-10) helps you understand what these updates are about.
->**Note:**
-We invite IT Professionals to participate in the Windows Insider Program to test updates before they are officially released to make Windows 10 Mobile even better. If you find any issues, please send us feedback via the Feedback Hub
+> [!NOTE]
+> We invite IT Professionals to participate in the Windows Insider Program to test updates before they are officially released to make Windows 10 Mobile even better. If you find any issues, please send us feedback by using the Feedback Hub.
-**Windows as a Service**
+#### Windows as a Service
*Applies to: Corporate and Personal devices*
Microsoft created a new way to deliver and install updates to Windows 10 Mobile directly to devices without Mobile Operator approval. This capability helps to simplify update deployments and ongoing management, broadens the base of employees who can be kept current with the latest Windows features and experiences, and lowers total cost of ownership for organizations who no longer have to manage updates to keep devices secure.
-Update availability depends on what servicing option you choose for the device. These servicing options are outlined in the chart below:
+Update availability depends on what servicing option you choose for the device. These servicing options are outlined in the following chart.
@@ -790,7 +798,7 @@ Update availability depends on what servicing option you choose for the device.
-**Enterprise Edition**
+#### Enterprise edition
*Applies to: Corporate devices*
@@ -805,11 +813,12 @@ To learn more about diagnostic, see [Configure Windows diagnostic data in your o
To activate Windows 10 Mobile Enterprise, use your MDM system or a provisioning package to inject the Windows 10 Enterprise license on a Windows 10 Mobile device. Licenses can be obtained from the Volume Licensing portal. For testing purposes, you can obtain a licensing file from the MSDN download center. A valid MSDN subscription is required.
-Details on updating a device to Enterprise edition with [WindowsLicensing CSP](https://msdn.microsoft.com/library/windows/hardware/dn904983(v=vs.85).aspx)
+For more information on updating a device to Enterprise edition, see [WindowsLicensing CSP](https://msdn.microsoft.com/library/windows/hardware/dn904983(v=vs.85).aspx).
->**Recommendation:** Microsoft recommends using Enterprise edition only on corporate devices. Once a device has been upgraded, it cannot be downgraded. Even a device wipe or reset will not remove the enterprise license from personal devices.
+> [!NOTE]
+> We recommend using Enterprise edition only on corporate devices. Once a device has been upgraded, it cannot be downgraded. Even a device wipe or reset will not remove the enterprise license from personal devices.
-**Deferring and Approving Updates with MDM**
+#### Deferring and approving updates with MDM
*Applies to: Corporate devices with Enterprise edition*
@@ -845,11 +854,11 @@ The following table summarizes applicable update policy settings by version of W
Subscribe device to CBB, to defer Feature Updates
RequireDeferUpgrade
-Defers Feature Update until next CBB release. Device will receive quality updates from Current Branch for Business (CBB).
+Defers Feature Update until next CBB release. Device receives quality updates from Current Branch for Business (CBB).
Defers feature update for minimum of 4 months after Current Branch was release.
BranchReadinessLevel
-Defers Feature Update until next CBB release. Device will receive quality updates from Current Branch for Business (CBB).
+Defers Feature Update until next CBB release. Device receives quality updates from Current Branch for Business (CBB).
Defers feature update for minimum of 4 months after Current Branch was release.
Defer Updates
@@ -880,7 +889,7 @@ Pause Feature Updates for up to 35 days
-**Managing the Update Experience**
+#### Managing the update experience
*Applies to: Corporate devices with Enterprise edition*
@@ -892,33 +901,33 @@ This can include:
- Automatically downloading and restarting devices with user notification.
- Automatically downloading and restarting devices at a specified time.
- Automatically downloading and restarting devices without user interaction.
-- Turning off automatic updates. This option should be used only for systems under regulatory compliance. The device will not receive any updates.
+- Turning off automatic updates. This option should be used only for systems under regulatory compliance. The device does not receive any updates.
-In addition, in version 1607, you can configure when the update is applied to the employee device to ensure updates installs or reboots don’t interrupt business or worker productivity. Update installs and reboots can be scheduled [outside of active hours](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ActiveHoursEnd) (supported values are 0-23, where 0 is 12am, 1 is 1am, etc.) or on a specific what [day of the week](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ScheduledInstallDay) (supported values are 0-7, where 0 is every day, 1 is Sunday, 2 is Monday, etc.).
+In addition, in version 1607, you can configure when the update is applied to the employee device to ensure updates installs or reboots don’t interrupt business or worker productivity. Update installs and reboots can be scheduled [outside of active hours](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ActiveHoursEnd) (supported values are 0-23, where 0 is 12am, 1 is 1am, and so on) or on a specific [day of the week](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ScheduledInstallDay) (supported values are 0-7, where 0 is every day, 1 is Sunday, 2 is Monday, and so on).
-**Managing the source of updates with MDM**
+#### Managing the source of updates with MDM
*Applies to: Corporate devices with Enterprise edition*
Although Windows 10 Enterprise enables IT administrators to defer installation of new updates from Windows Update, enterprises may also want additional control over update processes. With this in mind, Microsoft created Windows Update for Business. Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing updates. If you are using a MDM system, the use of Windows Update for Business is not a requirement, as you can manage these features from your MDM system.
-Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
+For more information, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
-IT administrators can specify where the device gets updates from with AllowUpdateService. This could be Microsoft Update, Windows Update for Business, or Windows Server Update Services (WSUS.
+IT administrators can specify where the device gets updates from with AllowUpdateService. This could be Microsoft Update, Windows Update for Business, or Windows Server Update Services (WSUS).
-**Managing Updates with Windows Update Server**
+#### Managing Updates with Windows Update Server
*Applies to: Corporate devices with Enterprise edition*
When using WSUS, set **UpdateServiceUrl** to allow the device to check for updates from a WSUS server instead of Windows Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet, usually handheld devices used for task completion, or other Windows IoT devices.
-Learn more about [managing updates with Windows Server Update Services (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx)
+For more information, see [managing updates with Windows Server Update Services (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx).
-**Querying the device update status**
+#### Querying the device update status
*Applies to: Personal and corporate devices*
-In addition to configuring how Windows 10 Mobile Enterprise obtains updates, the MDM administrator can query devices for Windows 10 Mobile update information so that update status can be checked against a list of approved updates.
+In addition to configuring how Windows 10 Mobile Enterprise obtains updates, the MDM administrator can query devices for Windows 10 Mobile update information so that update status can be checked against a list of approved updates:
The device update status query provides an overview of:
- Installed updates: A list of updates that are installed on the device.
@@ -936,7 +945,7 @@ Device Health Attestation (DHA) is another line of defense that is new to Window
Windows 10 Mobile makes it easy to integrate with Microsoft Intune or third-party MDM solutions for an overall view of device health and compliance. Using these solutions together, you can detect jailbroken devices, monitor device compliance, generate compliance reports, alert users or administrators to issues, initiate corrective action, and manage conditional access to resources like Office 365 or VPN.
-The first version of Device Health Attestation (DHA) was released in June 2015 for Windows 10 devices that supported TPM 2.0 and operated in an enterprise cloud-based topology. In the Windows 10 anniversary release, Device Health Attestation (DHA) capabilities are extended to legacy devices that support TPM 1.2, hybrid, and on-premises environments that have access to the Internet or operate in an air-gapped network.
+The first version of DHA was released in June 2015 for Windows 10 devices that supported TPM 2.0 and operated in an enterprise cloud-based topology. In the Windows 10 anniversary release, DHA capabilities are extended to legacy devices that support TPM 1.2, hybrid, and on-premises environments that have access to the Internet or operate in an air-gapped network.
The health attestation feature is based on Open Mobile Alliance (OMA) standards. IT managers can use DHA to validate devices that:
- Run Windows 10 operating system (mobile phone or PC)
@@ -953,26 +962,27 @@ DHA-enabled device management solutions help IT managers create a unified securi
- Trigger further investigation and monitoring (route the device to a honeypot for further monitoring)
- Simply alert the user or the admin to fix the issue
->**Note:** Windows Device Health Attestation Service can be used for conditional access scenarios which may be enabled by Mobile Device Management solutions (e.g.: Microsoft Intune) and other types of management systems (e.g.: SCCM) purchased separately.
+> [!NOTE]
+> Windows Device Health Attestation Service can be used for conditional access scenarios that may be enabled by Mobile Device Management solutions (such as Microsoft Intune) and other types of management systems (such as SCCM) purchased separately.
For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](/windows/device-security/windows-10-mobile-security-guide).
-This is a list of attributes that are supported by DHA and can trigger the corrective actions mentioned above.
+This is a list of attributes that are supported by DHA and can trigger the corrective actions mentioned above:
- **Attestation Identity Key (AIK) present** Indicates that an AIK is present (i.e., the device can be trusted more than a device without an AIK).
-- **Data Execution Prevention (DEP) enabled** Whether a DEP policy is enabled for the device, indicating that the device can be trusted more than a device without a DEP policy.
+- **Data Execution Prevention (DEP) enabled** Specifies whether a DEP policy is enabled for the device, indicating that the device can be trusted more than a device without a DEP policy.
- **BitLocker status** BitLocker helps protect the storage on the device. A device with BitLocker can be trusted more than a device without BitLocker.
-- **Secure Boot enabled** Whether Secure Boot is enabled on the device. A device with Secure Boot enabled can be trusted more than a device without Secure Boot. Secure Boot is always enabled on Windows 10 Mobile devices.
-- **Code integrity enabled** Whether the code integrity of a drive or system file is validated each time it’s loaded into memory. A device with code integrity enabled can be trusted more than a device without code integrity.
-- **Safe mode** Whether Windows is running in safe mode. A device that is running Windows in safe mode isn’t as trustworthy as a device running in standard mode.
-- **Boot debug enabled** Whether the device has boot debug enabled. A device that has boot debug enabled is less secure (trusted) than a device without boot debug enabled.
-- **OS kernel debugging enabled** Whether the device has operating system kernel debugging enabled. A device that has operating system kernel debugging enabled is less secure (trusted) than a device with operating system kernel debugging disabled.
-- **Test signing enabled** Whether test signing is disabled. A device that has test signing disabled is more trustworthy than a device that has test signing enabled.
+- **Secure Boot enabled** Specifies whether Secure Boot is enabled on the device. A device with Secure Boot enabled can be trusted more than a device without Secure Boot. Secure Boot is always enabled on Windows 10 Mobile devices.
+- **Code integrity enabled** Specifies whether the code integrity of a drive or system file is validated each time it’s loaded into memory. A device with code integrity enabled can be trusted more than a device without code integrity.
+- **Safe mode** Specifies whether Windows is running in safe mode. A device that is running Windows in safe mode isn’t as trustworthy as a device running in standard mode.
+- **Boot debug enabled** Specifies whether the device has boot debug enabled. A device that has boot debug enabled is less secure (trusted) than a device without boot debug enabled.
+- **OS kernel debugging enabled** Specifies whether the device has operating system kernel debugging enabled. A device that has operating system kernel debugging enabled is less secure (trusted) than a device with operating system kernel debugging disabled.
+- **Test signing enabled** Specifies whether test signing is disabled. A device that has test signing disabled is more trustworthy than a device that has test signing enabled.
- **Boot Manager Version** The version of the Boot Manager running on the device. The HAS can check this version to determine whether the most current Boot Manager is running, which is more secure (trusted).
- **Code integrity version** Specifies the version of code that is performing integrity checks during the boot sequence. The HAS can check this version to determine whether the most current version of code is running, which is more secure (trusted).
-- **Secure Boot Configuration Policy (SBCP) present** Whether the hash of the custom SBCP is present. A device with an SBCP hash present is more trustworthy than a device without an SBCP hash.
+- **Secure Boot Configuration Policy (SBCP) present** Specifies whether the hash of the custom SBCP is present. A device with an SBCP hash present is more trustworthy than a device without an SBCP hash.
- **Boot cycle whitelist** The view of the host platform between boot cycles as defined by the manufacturer compared to a published allow list. A device that complies with the allow list is more trustworthy (secure) than a device that is noncompliant.
-**Example scenario**
+#### Example scenario
Windows 10 mobile has protective measures that work together and integrate with Microsoft Intune or third-party Mobile Device Management (MDM) solutions. IT administrators can monitor and verify compliance to ensure corporate resources are protected end-to–end with the security and trust rooted in the physical hardware of the device.
@@ -988,9 +998,9 @@ Here is what occurs when a smartphone is turned on:
*Applies to: Corporate devices with Enterprise edition*
-Device inventory helps organizations better manage devices because it provides in-depth information about those devices. MDM systems collect inventory information remotely and provide reporting capabilities to analyze device resources and information. This data informs IT about the current hardware and software resources of the device (e.g., installed updates).
+Device inventory helps organizations better manage devices because it provides in-depth information about those devices. MDM systems collect inventory information remotely and provide reporting capabilities to analyze device resources and information. This data informs IT about the current hardware and software resources of the device (such as installed updates).
-The following list shows examples of the Windows 10 Mobile software and hardware information that a device inventory provides. In addition to this information, the MDM system can read any of the configuration settings described in this guide.
+The following list shows examples of the Windows 10 Mobile software and hardware information that a device inventory provides. In addition to this information, the MDM system can read any of the configuration settings described in this guide:
- **Installed enterprise apps** List of the enterprise apps installed on the device
- **Device name** The device name configured for the device
@@ -1004,7 +1014,7 @@ The following list shows examples of the Windows 10 Mobile software and hardware
- **Device language** Language in use on the device
- **Phone number** Phone number assigned to the device
- **Roaming status** Indicates whether the device has a roaming cellular connection
-- **International mobile equipment identity (IMEI) and international mobile subscriber identity (IMSI) Unique identifiers for the cellular connection for the phone; Global System for Mobile Communications networks identify valid devices by using the IMEI, and all cellular networks use the IMSI to identify the device and user
+- **International mobile equipment identity (IMEI) and international mobile subscriber identity (IMSI)** Unique identifiers for the cellular connection for the phone (Global System for Mobile Communications networks identify valid devices by using the IMEI, and all cellular networks use the IMSI to identify the device and user)
- **Wi-Fi IP address** IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in the device
- **Wi-Fi media access control (MAC) address** MAC address assigned to the Wi-Fi adapter in the device
- **Wi-Fi DNS suffix and subnet mask** DNS suffix and IP subnet mask assigned to the Wi-Fi adapter in the device
@@ -1021,14 +1031,15 @@ You can control the level of data that diagnostic data systems collect. To confi
For more information, see [Configure Windows diagnostic data in Your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
->**Note:** Diagnostic data can only be managed when the device is upgraded to Windows 10 Mobile Enterprise edition.
+> [!NOTE]
+> Diagnostic data can only be managed when the device is upgraded to Windows 10 Mobile Enterprise edition.
### Remote assistance
*Applies to: Personal and corporate devices*
The remote assistance features in Windows 10 Mobile help resolve issues that users might encounter even when the help desk does not have physical access to the device. These features include:
-- **Remote lock** Support personnel can remotely lock a device. This ability can help when a user loses his or her mobile device and can retrieve it, but not immediately (e.g., leaving the device at a customer site).
+- **Remote lock** Support personnel can remotely lock a device. This ability can help when a user loses his or her mobile device and can retrieve it, but not immediately (such as leaving the device at a customer site).
- **Remote PIN reset** Support personnel can remotely reset the PIN, which helps when users forget their PIN and are unable to access their device. No corporate or user data is lost and users are able to quickly gain access to their devices.
- **Remote ring** Support personnel can remotely make devices ring. This ability can help users locate misplaced devices and, in conjunction with the Remote Lock feature, help ensure that unauthorized users are unable to access the device if they find it.
- **Remote find** Support personnel can remotely locate a device on a map, which helps identify the geographic location of the device. Remote find parameters can be configured via phone settings (see table below). The remote find feature returns the most current latitude, longitude, and altitude of the device.
@@ -1040,7 +1051,8 @@ The remote assistance features in Windows 10 Mobile help resolve issues that use
These remote management features help organizations reduce the IT effort required to manage devices. They also help users quickly regain use of their device should they misplace it or forget the device password.
->**Remote control software** Microsoft does not provide build-in remote control software, but works with partners to deliver these capabilities and services. With version 1607, remote assistant and control applications are available in the Microsoft Store.
+> [!NOTE]
+> Microsoft does not provide build-in remote control software, but works with partners to deliver these capabilities and services. With version 1607, remote assistant and control applications are available in the Microsoft Store.
## Retire
@@ -1050,19 +1062,20 @@ Device retirement is the last phase of the device lifecycle, which in today’s
Windows 10 Mobile IT supports device retirement in both personal and corporate scenarios, allowing IT to be confident that corporate data remains confidential and user privacy is protected.
->**Note:** All these MDM capabilities are in addition to the device’s software and hardware factory reset features, which employees can use to restore devices to their factory configuration.
+> [!NOTE]
+> All these MDM capabilities are in addition to the device’s software and hardware factory reset features, which employees can use to restore devices to their factory configuration.
**Personal devices:** Windows 10 mobile supports the USA regulatory requirements for a “kill switch” in case your phone is lost or stolen. Reset protection is a free service on account.microsoft.com that helps ensure that the phone cannot be easily reset and reused. All you need to do to turn on **Reset Protection** is sign in with your Microsoft account and accept the recommended settings. To manually turn it on, you can find it under Settings > Updates & security > Find my phone. At this point, Reset Protection is only available with an MSA, not with Azure AD account. It is also only available in the USA and not in other regions of the world.
If you choose to completely wipe a device when lost or when an employee leaves the company, make sure you obtain consent from the user and follow any local legislation that protects the user’s personal data.
-A better option than wiping the entire device is to use Windows Information Protection to clean corporate-only data from a personal device. As explained in the Apps chapter, all corporate data will be tagged and when the device is unenrolled from your MDM system of your choice, all enterprise encrypted data, apps, settings and profiles will immediately be removed from the device without affecting the employee’s existing personal data. A user can initiate unenrollment via the settings screen or unenrollment action can be taken by IT from within the MDM management console. Unenrollment is a management event and will be reported to the MDM system.
+A better option than wiping the entire device is to use Windows Information Protection to clean corporate-only data from a personal device. As explained in the Apps chapter, all corporate data is tagged and when the device is unenrolled from your MDM system of your choice, all enterprise encrypted data, apps, settings and profiles are immediately removed from the device without affecting the employee’s existing personal data. A user can initiate unenrollment via the settings screen or unenrollment action can be taken by IT from within the MDM management console. Unenrollment is a management event and is reported to the MDM system.
-**Corporate device:** You can certainly remotely expire the user’s encryption key in case of device theft, but please remember that will also make the encrypted data on other Windows devices unreadable for the user. A better approach for retiring a discarded or lost device is to execute a full device wipe. The help desk or device users can initiate a full device wipe. When the wipe is complete, Windows 10 Mobile returns the device to a clean state and restarts the OOBE process.
+**Corporate device:** You can certainly remotely expire the user’s encryption key in case of device theft, but please remember that also makes the encrypted data on other Windows devices unreadable for the user. A better approach for retiring a discarded or lost device is to execute a full device wipe. The help desk or device users can initiate a full device wipe. When the wipe is complete, Windows 10 Mobile returns the device to a clean state and restarts the OOBE process.
**Settings for personal or corporate device retirement**
-- **Allow manual MDM unenrollment** Whether users are allowed to delete the workplace account (i.e., unenroll the device from the MDM system)
-- **Allow user to reset phone** Whether users are allowed to use Settings or hardware key combinations to return the device to factory defaults
+- **Allow manual MDM unenrollment** Specifies whether users are allowed to delete the workplace account (unenroll the device from the MDM system)
+- **Allow user to reset phone** Specifies whether users are allowed to use Settings or hardware key combinations to return the device to factory defaults
## Related topics
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 5158bc4ada..5d8a6999f8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -32,11 +32,11 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the
>[!NOTE]
>A microphone isn't required to use Cortana.
-|**Software** |**Minimum version** |
+| Software | Minimum version |
|---------|---------|
|Client operating system | Desktop: - Windows 10, version 2004 (recommended)
- Windows 10, version 1703 (legacy version of Cortana)
Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)
For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-overview#how-is-my-data-processed-by-cortana) below. |
-|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn’t required. |
-|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word (“Cortana”) for hands-free activation or voice commands to easily ask for help. |
+|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. |
+|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. |
## Signing in using Azure AD
@@ -55,7 +55,7 @@ Cortana enterprise services that can be accessed using Azure AD through Cortana
The table below describes the data handling for Cortana enterprise services.
-|**Name** |**Description** |
+| Name | Description |
|---------|---------|
|**Storage** |Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. Speech audio is not retained. |
|**Stays in Geo** |Customer Data is stored on Microsoft servers inside the Office 365 cloud in Geo. Your data is part of your tenant. |
@@ -66,7 +66,7 @@ The table below describes the data handling for Cortana enterprise services.
#### How does the wake word (Cortana) work? If I enable it, is Cortana always listening?
>[!NOTE]
->The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon. You can still click on the microphone button to use your voice with Cortana.
+>The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
Cortana only begins listening for commands or queries when the wake word is detected, or the microphone button has been selected.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index de5e546244..e2dfea47f8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -1,5 +1,5 @@
---
-title: Sign-in to Azure AD and manage notebook with Cortana (Windows 10)
+title: Sign into Azure AD, enable the wake word, and try a voice query
description: A test scenario walking you through signing in and managing the notebook.
ms.prod: w10
ms.mktglfcycl: manage
@@ -7,7 +7,6 @@ ms.sitesec: library
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
-ms.date: 10/05/2017
ms.reviewer:
manager: dansimp
---
@@ -15,7 +14,7 @@ manager: dansimp
# Test scenario 1 – Sign into Azure AD, enable the wake word, and try a voice query
>[!NOTE]
->The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon.
+>The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
1. Select the **Cortana** icon in the task bar and sign in using your Azure AD account.
@@ -23,13 +22,13 @@ manager: dansimp
3. Toggle **Wake word** to **On** and close Cortana.
-4. Say **Cortana, what can you do?**.
+4. Say **Cortana, what can you do?**
-When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word.
+ When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word.
-:::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
+ :::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
-Once you finish saying your query, Cortana will open with the result.
+ Once you finish saying your query, Cortana will open with the result.
>[!NOTE]
->If you've disabled the wake word using MDM or Group Policy, you will need to manually activate the microphone by selecting Cortana, then the mic button.
\ No newline at end of file
+>If you've disabled the wake word using MDM or Group Policy, you will need to manually activate the microphone by selecting Cortana, then the mic button.
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index aaa526a014..f4825a951e 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -158,7 +158,7 @@ The following table describes some features that have interoperability issues we
Key sequences blocked by assigned access
When in assigned access, some key combinations are blocked for assigned access users.
-
Alt+F4, Alt+Shift+TaB, Alt+Tab are not blocked by Assigned Access, it is recommended you use Keyboard Filter to block these key combinations.
+
Alt+F4, Alt+Shift+Tab, Alt+Tab are not blocked by Assigned Access, it is recommended you use Keyboard Filter to block these key combinations.
Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in WEKF_Settings.
diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
index afb1fa0310..340219baab 100644
--- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md
+++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
@@ -17,7 +17,7 @@ manager: dansimp
# Use Windows Configuration Designer to configure Windows 10 Mobile devices
-Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using provisioning packages, ayou can easily specify desired configuration, settings, and information required to enroll the devices into management, and then apply that configuration to target devices in a matter of minutes.
+Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using provisioning packages, you can easily specify desired configuration, settings, and information required to enroll the devices into management, and then apply that configuration to target devices in a matter of minutes.
A provisioning package (.ppkg) is a container for a collection of configuration settings. Using Windows Configuration Designer, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index 641af623c3..5fe68ff0bd 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -1,6 +1,6 @@
---
-title: Intro to configuration service providers for IT pros (Windows 10)
-description: Configuration service providers (CSPs) expose device configuration settings in Windows 10.
+title: Configuration service providers for IT pros (Windows 10)
+description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices.
ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6
ms.reviewer:
manager: dansimp
@@ -14,25 +14,23 @@ ms.localizationpriority: medium
ms.date: 07/27/2017
---
-# Introduction to configuration service providers (CSPs) for IT pros
+# Configuration service providers for IT pros
**Applies to**
- Windows 10
- Windows 10 Mobile
-Configuration service providers (CSPs) expose device configuration settings in Windows 10. This topic is written for people who have no experience with CSPs.
+This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows 10 and Windows 10 Mobile in their organizations. CSPs expose device configuration settings in Windows 10. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Hardware Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=717390).
-The CSPs are documented on the [Hardware Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=717390) because CSPs are used by mobile device management (MDM) service providers. This topic explains how IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations.
-
->[!NOTE]
->This explanation of CSPs and CSP documentation also applies to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
+> [!NOTE]
+> The information provided here about CSPs and CSP documentation also applies to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
[See what's new for CSPs in Windows 10, version 1809.](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1809)
## What is a CSP?
-A CSP is an interface in the client operating system, between configuration settings specified in a provisioning document, and configuration settings on the device. CSPs are similar to Group Policy client-side extensions, in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files or permissions. Some of these settings are configurable, and some are read-only.
+In the client operating system, a CSP is the interface between configuration settings that are specified in a provisioning document and configuration settings that are on the device. CSPs are similar to Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files, or permissions. Some of these settings are configurable, and some are read-only.
Starting with Windows Mobile 5.0, CSPs were used to manage Windows mobile devices. On the Windows 10 platform, the management approach for both desktop and mobile devices converges, taking advantage of the same CSPs to configure and manage all devices running Windows 10.
@@ -42,15 +40,15 @@ CSPs are behind many of the management tasks and policies for Windows 10, both i
-CSPs receive configuration policies in the XML-based SyncML format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side WMI-to-CSP bridge.
+CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge.
### Synchronization Markup Language (SyncML)
-The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based Synchronization Markup Language (SyncML) for data exchange between compliant servers and clients. SyncML offers an open standard to use as an alternative to vendor-specific management solutions (such as WMI). The value for enterprises adopting industry standard management protocols is that it allows the management of a broader set of vendor devices using a single platform (such as Microsoft Intune). Device policies, including VPN connection profiles, are delivered to client devices formatted as in SyncML. The target CSP reads this information and applies the necessary configurations.
+The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based SyncML for data exchange between compliant servers and clients. SyncML offers an open standard to use as an alternative to vendor-specific management solutions (such as WMI). The value for enterprises adopting industry standard management protocols is that it allows the management of a broader set of vendor devices using a single platform (such as Microsoft Intune). Device policies, including VPN connection profiles, are delivered to client devices formatted as in SyncML. The target CSP reads this information and applies the necessary configurations.
### The WMI-to-CSP Bridge
-The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs via scripts and traditional enterprise management software, such as Configuration Manager using Windows Management Instrumentation (WMI). The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device.
+The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device.
[Learn how to use the WMI Bridge Provider with PowerShell.](https://go.microsoft.com/fwlink/p/?LinkId=761090)
@@ -60,7 +58,7 @@ Generally, enterprises rely on Group Policy or MDM to configure and manage devic
In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management. You may also want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried.
-Some of the topics in the [Windows 10 and Windows 10 Mobile](/windows/windows-10) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](../cortana-at-work/cortana-at-work-overview.md), which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings.
+Some of the articles in the [Windows 10 and Windows 10 Mobile](/windows/windows-10) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](../cortana-at-work/cortana-at-work-overview.md), which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings.
### CSPs in Windows Configuration Designer
@@ -74,7 +72,7 @@ Many settings in Windows Configuration Designer will display documentation for t
### CSPs in MDM
-Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and cannot find that capability in your MDM service, contact your MDM provider for assistance. It might simply be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](https://go.microsoft.com/fwlink/p/?LinkId=717390).
+Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and cannot find that capability in your MDM service, contact your MDM provider for assistance. It might be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](https://go.microsoft.com/fwlink/p/?LinkId=717390).
When a CSP is available but is not explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](https://go.microsoft.com/fwlink/p/?LinkID=616316) to deploy settings. Intune documents [a partial list of settings](https://go.microsoft.com/fwlink/p/?LinkID=616317) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](https://go.microsoft.com/fwlink/p/?LinkId=717390) to locate that information.
@@ -116,13 +114,13 @@ The documentation for most CSPs will also include an XML example.
## CSP examples
-CSPs provide access to a number of settings useful to enterprises. This section introduces two CSPs that an enterprise might find particularly useful.
+CSPs provide access to a number of settings useful to enterprises. This section introduces the CSPs that an enterprise might find useful.
- [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601)
- The EnterpriseAssignedAccess configuration service provider allows IT administrators to configure settings on a Windows 10 Mobile device. An enterprise can make use of this CSP to create single-use or limited-use mobile devices, such as a handheld device that only runs a price-checking app.
+ The EnterpriseAssignedAccess CSP lets IT administrators configure settings on a Windows 10 Mobile device. An enterprise can make use of this CSP to create single-use or limited-use mobile devices, such as a handheld device that only runs a price-checking app.
- In addition to lockscreen wallpaper, theme, time zone, and language, the EnterpriseAssignedAccess CSP includes AssignedAccessXml which can be used to lock down the device through the following settings:
+ In addition to lock screen wallpaper, theme, time zone, and language, the EnterpriseAssignedAccess CSP includes AssignedAccessXml that can be used to lock down the device through the following settings:
- Enabling or disabling the Action Center.
- Configuring the number of tile columns in the Start layout.
@@ -132,27 +130,28 @@ CSPs provide access to a number of settings useful to enterprises. This section
- Restricting access to the context menu.
- Enabling or disabling tile manipulation.
- Creating role-specific configurations.
+
- [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244)
- The Policy configuration service provider enables the enterprise to configure policies on Windows 10 and Windows 10 Mobile. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings.
+ The Policy CSP enables the enterprise to configure policies on Windows 10 and Windows 10 Mobile. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings.
Some of the settings available in the Policy CSP include the following:
- - **Accounts**, such as whether a non-Microsoft account can be added to the device
- - **Application management**, such as whether only Microsoft Store apps are allowed
- - **Bluetooth**, such as the services allowed to use it
- - **Browser**, such as restricting InPrivate browsing
- - **Connectivity**, such as whether the device can be connected to a computer by USB
- - **Defender** (for desktop only), such as day and time to scan
- - **Device lock**, such as the type of PIN or password required to unlock the device
- - **Experience**, such as allowing Cortana
- - **Security**, such as whether provisioning packages are allowed
- - **Settings**, such as allowing the user to change VPN settings
- - **Start**, such as applying a standard Start layout
- - **System**, such as allowing the user to reset the device
- - **Text input**, such as allowing the device to send anonymized user text input data samples to Microsoft
- - **Update**, such as specifying whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store
- - **WiFi**, such as whether to enable Internet sharing
+ - **Accounts**, such as whether a non-Microsoft account can be added to the device.
+ - **Application management**, such as whether only Microsoft Store apps are allowed.
+ - **Bluetooth**, such as the services allowed to use it.
+ - **Browser**, such as restricting InPrivate browsing.
+ - **Connectivity**, such as whether the device can be connected to a computer by USB.
+ - **Defender** (for desktop only), such as day and time to scan.
+ - **Device lock**, such as the type of PIN or password required to unlock the device.
+ - **Experience**, such as allowing Cortana.
+ - **Security**, such as whether provisioning packages are allowed.
+ - **Settings**, such as enabling the user to change VPN settings.
+ - **Start**, such as applying a standard Start layout.
+ - **System**, such as allowing the user to reset the device.
+ - **Text input**, such as allowing the device to send anonymized user text input data samples to Microsoft.
+ - **Update**, such as whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.
+ - **WiFi**, such as whether Internet sharing is enabled.
Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile Enterprise, or both:
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index af989096a8..8ef07ace21 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -38,10 +38,10 @@ The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://develop
- The tool for creating provisioning packages is renamed Windows Configuration Designer, replacing the Windows Imaging and Configuration Designer (ICD) tool. The components for creating images have been removed from Windows Configuration Designer, which now provides access to runtime settings only.
- Windows Configuration Designer can still be installed from the Windows ADK. You can also install it from the Microsoft Store.
- Windows Configuration Designer adds more wizards to make it easier to create provisioning packages for specific scenarios. See [What you can configure](#configuration-designer-wizards) for wizard descriptions.
-- The wizard **Provision desktop devices** (previously called **Simple provisioning**) now enables joining Azure Active Directory (Azure AD) domains and also allows you to remove non-Microsoft software from Windows desktop devices during provisioning.
+- The Provision desktop devices wizard (previously called Simple provisioning) now enables joining Azure Active Directory (Azure AD) domains and also allows you to remove non-Microsoft software from Windows desktop devices during provisioning.
- When provisioning packages are applied to a device, a status screen indicates successful or failed provisioning.
- Windows 10 includes PowerShell cmdlets that simplify scripted provisioning. Using these cmdlets, you can add provisioning packages, remove provisioning packages and generate log files to investigate provisioning errors.
-- The **Provision school devices** wizard is removed from Windows Configuration Designer. Instead, use the [Setup School PCs app](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) from the Microsoft Store.
+- The Provision school devices wizard is removed from Windows Configuration Designer. Instead, use the [Setup School PCs app](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) from the Microsoft Store.
@@ -119,8 +119,8 @@ For details about the settings you can customize in provisioning packages, see [
## Changes to provisioning in Windows 10, version 1607
->[!NOTE]
->This section is retained for customers using Windows 10, version 1607, on the Current Branch for Business. Some of this information is not applicable in Windows 10, version 1703.
+> [!NOTE]
+> This section is retained for customers using Windows 10, version 1607, on the Current Branch for Business. Some of this information is not applicable in Windows 10, version 1703.
Windows ICD for Windows 10, version 1607, simplified common provisioning scenarios.
@@ -130,7 +130,7 @@ Windows ICD in Windows 10, version 1607, supported the following scenarios for I
* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner.
- > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md)
+[Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md)
* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices.
@@ -146,9 +146,11 @@ Windows ICD in Windows 10, version 1607, supported the following scenarios for I
## Learn more
-- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+For more information about provisioning, watch the following videos:
-- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+- [Provisioning Windows 10 devices with new tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
## Related topics
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index fa8b0e3378..5fcc9f5c5c 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -44,7 +44,7 @@ For managed devices running Windows 10 Enterprise and Windows 10 Education, en
- **Feature suggestions, fun facts, tips**
- The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**.
+ The lock screen background will occasionally make recommendations on how to enhance your productivity and enjoyment of Microsoft products including suggesting other relevant Microsoft products and services.
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 7c17c5720e..27f6ebfdc9 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -43,6 +43,8 @@
href: update/plan-determine-app-readiness.md
- name: Define your servicing strategy
href: update/plan-define-strategy.md
+ - name: Delivery Optimization for Windows 10 updates
+ href: update/waas-delivery-optimization-reference.md
- name: Best practices for feature updates on mission-critical devices
href: update/feature-update-mission-critical.md
- name: Windows 10 deployment considerations
@@ -72,8 +74,6 @@
href: update/waas-branchcache.md
- name: Prepare your deployment tools
items:
- - name: Register devices for deployment with Windows Autopilot
- href: windows-autopilot/add-devices.md
- name: Prepare for deployment with MDT
href: deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
- name: Prepare for deployment with Configuration Manager
@@ -92,7 +92,7 @@
- name: Deploy Windows 10
items:
- name: Deploy Windows 10 with Autopilot
- href: windows-autopilot/windows-autopilot-scenarios.md
+ href: windows-autopilot/index.yml
- name: Deploy Windows 10 with Configuration Manager
items:
- name: Deploy to a new device
diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md
index ae15ebea5c..a57384798d 100644
--- a/windows/deployment/Windows-AutoPilot-EULA-note.md
+++ b/windows/deployment/Windows-AutoPilot-EULA-note.md
@@ -1,24 +1,25 @@
----
-title: Windows Autopilot EULA dismissal – important information
-description: A notice about EULA dismissal through Windows Autopilot
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 08/22/2017
-ms.reviewer:
-manager: laurawi
-audience: itpro
author: greg-lindsay
-ROBOTS: noindex,nofollow
-ms.topic: article
----
-# Windows Autopilot EULA dismissal – important information
-
->[!IMPORTANT]
->The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience).
-
-Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen.
-
-By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you did not suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you have not validly acquired a license for the software from Microsoft or its licensed distributors.
+---
+title: Windows Autopilot EULA dismissal – important information
+description: A notice about EULA dismissal through Windows Autopilot
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+ms.localizationpriority: medium
+ms.audience: itpro
+author: greg-lindsay
+ms.date: 08/22/2017
+ms.reviewer:
+manager: laurawi
+audience: itpro
+ROBOTS: noindex,nofollow
+ms.topic: article
+---
+# Windows Autopilot EULA dismissal – important information
+
+>[!IMPORTANT]
+>The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience).
+
+Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen.
+
+By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you did not suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you have not validly acquired a license for the software from Microsoft or its licensed distributors.
diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
index f9405d730e..834b94f381 100644
--- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
+++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
@@ -11,8 +11,6 @@ audience: itpro
author: greg-lindsay
ms.reviewer:
manager: laurawi
-audience: itpro
-author: greg-lindsay
ms.author: greglin
ms.topic: article
---
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 7e06abfeb3..5c8972471b 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -170,13 +170,16 @@ The key to successful management of drivers for MDT, as well as for any other de
On **MDT01**:
+> [!IMPORTANT]
+> In the steps below, it is critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system.
+
1. Using File Explorer, create the **D:\\drivers** folder.
2. In the **D:\\drivers** folder, create the following folder structure:
1. WinPE x86
2. WinPE x64
3. Windows 10 x64
3. In the new Windows 10 x64 folder, create the following folder structure:
- - Dell
+ - Dell Inc
- Latitude E7450
- Hewlett-Packard
- HP EliteBook 8560w
@@ -185,8 +188,8 @@ On **MDT01**:
- Microsoft Corporation
- Surface Laptop
->[!NOTE]
->Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use.
+> [!NOTE]
+> Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use.
### Create the logical driver structure in MDT
@@ -197,7 +200,7 @@ When you import drivers to the MDT driver repository, MDT creates a single insta
2. WinPE x64
3. Windows 10 x64
3. In the **Windows 10 x64** folder, create the following folder structure:
- - Dell
+ - Dell Inc
- Latitude E7450
- Hewlett-Packard
- HP EliteBook 8560w
@@ -281,12 +284,12 @@ The folder you select and all sub-folders will be checked for drivers, expanding
For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544).
-In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell\\Latitude E7450** folder.
+In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc\\Latitude E7450** folder.
On **MDT01**:
-1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell** node.
-2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell\\Latitude E7450**
+1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc** node.
+2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450**
### For the HP EliteBook 8560w
diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md
index 52cc80097b..9480bdbc84 100644
--- a/windows/deployment/deploy-windows-to-go.md
+++ b/windows/deployment/deploy-windows-to-go.md
@@ -6,13 +6,13 @@ ms.reviewer:
manager: laurawi
ms.audience: itpro
author: greg-lindsay
+ms.author: greglin
keywords: deployment, USB, device, BitLocker, workspace, security, data
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobility
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index d86cb2f2a8..f665e396be 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -6,12 +6,12 @@ ms.reviewer:
manager: laurawi
ms.audience: itpro
author: greg-lindsay
+ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index 66b299511f..dbd960b4a7 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -1,7 +1,7 @@
### YamlMime:Landing
title: Windows 10 deployment resources and documentation # < 60 chars
-summary: Learn about deploying and and keeping Windows 10 up to date. # < 160 chars
+summary: Learn about deploying and keeping Windows 10 up to date. # < 160 chars
metadata:
title: Windows 10 deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
@@ -13,7 +13,7 @@ metadata:
ms.collection: windows-10
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
- ms.date: 06/09/2020 #Required; mm/dd/yyyy format.
+ ms.date: 08/05/2020 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@@ -53,7 +53,7 @@ landingContent:
- linkListType: deploy
links:
- text: Deploy Windows 10 with Autopilot
- url: windows-autopilot/windows-autopilot-scenarios.md
+ url: https://docs.microsoft.com/mem/autopilot
- text: Assign devices to servicing channels
url: update/waas-servicing-channels-windows-10-updates.md
- text: Deploy Windows updates with Configuration Manager
@@ -71,8 +71,7 @@ landingContent:
- text: Basics of Windows updates, channels, and tools
url: update/get-started-updates-channels-tools.md
- text: Overview of Windows Autopilot
- url: windows-autopilot/windows-autopilot.md
-
+ url: https://docs.microsoft.com/mem/autopilot/windows-autopilot
# Card
- title: Support remote work
@@ -85,6 +84,8 @@ landingContent:
url: https://docs.microsoft.com/microsoft-365/solutions/empower-people-to-work-remotely
- text: Top 12 tasks for security teams to support working from home
url: https://docs.microsoft.com/microsoft-365/security/top-security-tasks-for-remote-work
+ - text: Support your remote workforce
+ url: https://docs.microsoft.com/microsoftteams/faq-support-remote-workforce
# Card (optional)
- title: Microsoft Learn
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 45e00f7007..90f83f5802 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -8,11 +8,11 @@ ms.sitesec: library
ms.pagetype: deploy
audience: itpro
author: greg-lindsay
+ms.author: greglin
ms.date: 02/13/2018
ms.reviewer:
manager: laurawi
ms.audience: itpro
-author: greg-lindsay
ms.localizationpriority: medium
ms.topic: article
---
diff --git a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
index a202b57844..f128528a5e 100644
--- a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
+++ b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
@@ -1,238 +1,239 @@
----
-title: Available Data Types and Operators in Compatibility Administrator (Windows 10)
-description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
-ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Available Data Types and Operators in Compatibility Administrator
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
-
-## Available Data Types
-
-
-Customized-compatibility databases in Compatibility Administrator contain the following data types.
-
-- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value.
-
-- **String**. A series of alphanumeric characters manipulated as a group.
-
-- **Boolean**. A value of True or False.
-
-## Available Attributes
-
-
-The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator.
-
-
-
-
-
-
-
-
-
-
Attribute
-
Description
-
Data type
-
-
-
-
-
APP_NAME
-
Name of the application.
-
String
-
-
-
DATABASE_GUID
-
Unique ID for your compatibility database.
-
String
-
-
-
DATABASE_INSTALLED
-
Specifies if you have installed the database.
-
Boolean
-
-
-
DATABASE_NAME
-
Descriptive name of your database.
-
String
-
-
-
DATABASE_PATH
-
Location of the database on your computer.
-
String
-
-
-
FIX_COUNT
-
Number of compatibility fixes applied to a specific application.
-
Integer
-
-
-
FIX_NAME
-
Name of your compatibility fix.
-
String
-
-
-
MATCH_COUNT
-
Number of matching files for a specific, fixed application.
-
Integer
-
-
-
MATCHFILE_NAME
-
Name of a matching file used to identify a specific, fixed application.
-
String
-
-
-
MODE_COUNT
-
Number of compatibility modes applied to a specific, fixed application.
-
Integer
-
-
-
MODE_NAME
-
Name of your compatibility mode.
-
String
-
-
-
PROGRAM_APPHELPTYPE
-
Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program.
-
Integer
-
-
-
PROGRAM_DISABLED
-
Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application.
-
Boolean
-
-
-
PROGRAM_GUID
-
Unique ID for an application.
-
String
-
-
-
PROGRAM_NAME
-
Name of the application that you are fixing.
-
String
-
-
-
-
-
-
-## Available Operators
-
-
-The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator.
-
-
-
-
-
-
-
-
-
-
-
Symbol
-
Description
-
Data type
-
Precedence
-
-
-
-
-
>
-
Greater than
-
Integer or string
-
1
-
-
-
>=
-
Greater than or equal to
-
Integer or string
-
1
-
-
-
<
-
Less than
-
Integer or string
-
1
-
-
-
<=
-
Less than or equal to
-
Integer or string
-
1
-
-
-
<>
-
Not equal to
-
Integer or string
-
1
-
-
-
=
-
Equal to
-
Integer, string, or Boolean
-
1
-
-
-
HAS
-
A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand.
Only the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.
-
-
-
-
-
Right-hand operand. String
-
1
-
-
-
OR
-
Logical OR operator
-
Boolean
-
2
-
-
-
AND
-
Logical AND operator
-
Boolean
-
2
-
-
-
-
-
-
-## Related topics
-[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
-
-
-
-
-
-
-
-
-
+---
+title: Available Data Types and Operators in Compatibility Administrator (Windows 10)
+description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
+ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Available Data Types and Operators in Compatibility Administrator
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
+
+## Available Data Types
+
+
+Customized-compatibility databases in Compatibility Administrator contain the following data types.
+
+- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value.
+
+- **String**. A series of alphanumeric characters manipulated as a group.
+
+- **Boolean**. A value of True or False.
+
+## Available Attributes
+
+
+The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator.
+
+
+
+
+
+
+
+
+
+
Attribute
+
Description
+
Data type
+
+
+
+
+
APP_NAME
+
Name of the application.
+
String
+
+
+
DATABASE_GUID
+
Unique ID for your compatibility database.
+
String
+
+
+
DATABASE_INSTALLED
+
Specifies if you have installed the database.
+
Boolean
+
+
+
DATABASE_NAME
+
Descriptive name of your database.
+
String
+
+
+
DATABASE_PATH
+
Location of the database on your computer.
+
String
+
+
+
FIX_COUNT
+
Number of compatibility fixes applied to a specific application.
+
Integer
+
+
+
FIX_NAME
+
Name of your compatibility fix.
+
String
+
+
+
MATCH_COUNT
+
Number of matching files for a specific, fixed application.
+
Integer
+
+
+
MATCHFILE_NAME
+
Name of a matching file used to identify a specific, fixed application.
+
String
+
+
+
MODE_COUNT
+
Number of compatibility modes applied to a specific, fixed application.
+
Integer
+
+
+
MODE_NAME
+
Name of your compatibility mode.
+
String
+
+
+
PROGRAM_APPHELPTYPE
+
Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program.
+
Integer
+
+
+
PROGRAM_DISABLED
+
Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application.
+
Boolean
+
+
+
PROGRAM_GUID
+
Unique ID for an application.
+
String
+
+
+
PROGRAM_NAME
+
Name of the application that you are fixing.
+
String
+
+
+
+
+
+
+## Available Operators
+
+
+The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator.
+
+
+
+
+
+
+
+
+
+
+
Symbol
+
Description
+
Data type
+
Precedence
+
+
+
+
+
>
+
Greater than
+
Integer or string
+
1
+
+
+
>=
+
Greater than or equal to
+
Integer or string
+
1
+
+
+
<
+
Less than
+
Integer or string
+
1
+
+
+
<=
+
Less than or equal to
+
Integer or string
+
1
+
+
+
<>
+
Not equal to
+
Integer or string
+
1
+
+
+
=
+
Equal to
+
Integer, string, or Boolean
+
1
+
+
+
HAS
+
A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand.
Only the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.
+
+
+
+
+
Right-hand operand. String
+
1
+
+
+
OR
+
Logical OR operator
+
Boolean
+
2
+
+
+
AND
+
Logical AND operator
+
Boolean
+
2
+
+
+
+
+
+
+## Related topics
+[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
index 98986e0bfd..ea3a21ed29 100644
--- a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
+++ b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
@@ -1,76 +1,77 @@
----
-title: Fixing Applications by Using the SUA Tool (Windows 10)
-description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
-ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Fixing Applications by Using the SUA Tool
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
-
-**To fix an application by using the SUA tool**
-
-1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md).
-
-2. After you finish testing, open the SUA tool.
-
-3. On the **Mitigation** menu, click the command that corresponds to the action that you want to take. The following table describes the commands.
-
-
-
-
-
-
-
-
-
Mitigation menu command
-
Description
-
-
-
-
-
Apply Mitigations
-
Opens the Mitigate AppCompat Issues dialog box, in which you can select the fixes that you intend to apply to the application.
-
-
-
Undo Mitigations
-
Removes the application fixes that you just applied.
-
This option is available only after you apply an application fix and before you close the SUA tool. Alternatively, you can manually remove application fixes by using Programs and Features in Control Panel.
-
-
-
Export Mitigations as Windows Installer file
-
Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+---
+title: Fixing Applications by Using the SUA Tool (Windows 10)
+description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
+ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Fixing Applications by Using the SUA Tool
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
+
+**To fix an application by using the SUA tool**
+
+1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md).
+
+2. After you finish testing, open the SUA tool.
+
+3. On the **Mitigation** menu, click the command that corresponds to the action that you want to take. The following table describes the commands.
+
+
+
+
+
+
+
+
+
Mitigation menu command
+
Description
+
+
+
+
+
Apply Mitigations
+
Opens the Mitigate AppCompat Issues dialog box, in which you can select the fixes that you intend to apply to the application.
+
+
+
Undo Mitigations
+
Removes the application fixes that you just applied.
+
This option is available only after you apply an application fix and before you close the SUA tool. Alternatively, you can manually remove application fixes by using Programs and Features in Control Panel.
+
+
+
Export Mitigations as Windows Installer file
+
Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
index 08db3b24d6..d4b510cd08 100644
--- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
+++ b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
@@ -1,80 +1,81 @@
----
-title: Showing Messages Generated by the SUA Tool (Windows 10)
-description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
-ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Showing Messages Generated by the SUA Tool
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
-
-**To show the messages that the SUA tool has generated**
-
-1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md).
-
-2. After you finish testing, in the SUA tool, click the **App Info** tab.
-
-3. On the **View** menu, click the command that corresponds to the messages that you want to see. The following table describes the commands.
-
-
-
-
-
-
-
-
-
View menu command
-
Description
-
-
-
-
-
Error Messages
-
When this command is selected, the user interface shows error messages that the SUA tool has generated. Error messages are highlighted in pink.
-
This command is selected by default.
-
-
-
Warning Messages
-
When this command is selected, the user interface shows warning messages that the SUA tool has generated. Warning messages are highlighted in yellow.
-
-
-
Information Messages
-
When this command is selected, the user interface shows informational messages that the SUA tool has generated. Informational messages are highlighted in green.
-
-
-
Detailed Information
-
When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+---
+title: Showing Messages Generated by the SUA Tool (Windows 10)
+description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
+ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Showing Messages Generated by the SUA Tool
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
+
+**To show the messages that the SUA tool has generated**
+
+1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md).
+
+2. After you finish testing, in the SUA tool, click the **App Info** tab.
+
+3. On the **View** menu, click the command that corresponds to the messages that you want to see. The following table describes the commands.
+
+
+
+
+
+
+
+
+
View menu command
+
Description
+
+
+
+
+
Error Messages
+
When this command is selected, the user interface shows error messages that the SUA tool has generated. Error messages are highlighted in pink.
+
This command is selected by default.
+
+
+
Warning Messages
+
When this command is selected, the user interface shows warning messages that the SUA tool has generated. Warning messages are highlighted in yellow.
+
+
+
Information Messages
+
When this command is selected, the user interface shows informational messages that the SUA tool has generated. Informational messages are highlighted in green.
+
+
+
Detailed Information
+
When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
index d58bf1d2ce..d3c279c3eb 100644
--- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
+++ b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
@@ -1,105 +1,106 @@
----
-title: Tabs on the SUA Tool Interface (Windows 10)
-description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
-ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Tabs on the SUA Tool Interface
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
-
-The following table provides a description of each tab on the user interface for the SUA tool.
-
-
-
-
-
-
-
-
-
Tab name
-
Description
-
-
-
-
-
App Info
-
Provides the following information for the selected application:
-
-
Debugging information
-
Error, warning, and informational messages (if they are enabled)
-
Options for running the application
-
-
-
-
File
-
Provides information about access to the file system.
-
For example, this tab might show an attempt to write to a file that only administrators can typically access.
-
-
-
Registry
-
Provides information about access to the system registry.
-
For example, this tab might show an attempt to write to a registry key that only administrators can typically access.
-
-
-
INI
-
Provides information about WriteProfile API issues.
-
For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from Standard to Scientific, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators.
-
-
-
Token
-
Provides information about access-token checking.
-
For example, this tab might show an explicit check for the Builtin\Administrators security identifier (SID) in the user's access token. This operation may not work for a standard user.
-
-
-
Privilege
-
Provides information about permissions.
-
For example, this tab might show an attempt to explicitly enable permissions that do not work for a standard user.
-
-
-
Name Space
-
Provides information about creation of system objects.
-
For example, this tab might show an attempt to create a new system object, such as an event or a memory map, in a restricted namespace. Applications that attempt this kind of operation do not function for a standard user.
-
-
-
Other Objects
-
Provides information related to applications accessing objects other than files and registry keys.
-
-
-
Process
-
Provides information about process elevation.
-
For example, this tab might show the use of the CreateProcess API to open an executable (.exe) file that, in turn, requires process elevation that will not function for a standard user.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+---
+title: Tabs on the SUA Tool Interface (Windows 10)
+description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
+ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Tabs on the SUA Tool Interface
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
+
+The following table provides a description of each tab on the user interface for the SUA tool.
+
+
+
+
+
+
+
+
+
Tab name
+
Description
+
+
+
+
+
App Info
+
Provides the following information for the selected application:
+
+
Debugging information
+
Error, warning, and informational messages (if they are enabled)
+
Options for running the application
+
+
+
+
File
+
Provides information about access to the file system.
+
For example, this tab might show an attempt to write to a file that only administrators can typically access.
+
+
+
Registry
+
Provides information about access to the system registry.
+
For example, this tab might show an attempt to write to a registry key that only administrators can typically access.
+
+
+
INI
+
Provides information about WriteProfile API issues.
+
For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from Standard to Scientific, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators.
+
+
+
Token
+
Provides information about access-token checking.
+
For example, this tab might show an explicit check for the Builtin\Administrators security identifier (SID) in the user's access token. This operation may not work for a standard user.
+
+
+
Privilege
+
Provides information about permissions.
+
For example, this tab might show an attempt to explicitly enable permissions that do not work for a standard user.
+
+
+
Name Space
+
Provides information about creation of system objects.
+
For example, this tab might show an attempt to create a new system object, such as an event or a memory map, in a restricted namespace. Applications that attempt this kind of operation do not function for a standard user.
+
+
+
Other Objects
+
Provides information related to applications accessing objects other than files and registry keys.
+
+
+
Process
+
Provides information about process elevation.
+
For example, this tab might show the use of the CreateProcess API to open an executable (.exe) file that, in turn, requires process elevation that will not function for a standard user.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
index b38891eae2..cb84beaa58 100644
--- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md
+++ b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
@@ -1,94 +1,95 @@
----
-title: Using the Compatibility Administrator Tool (Windows 10)
-description: This section provides information about using the Compatibility Administrator tool.
-ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Using the Compatibility Administrator Tool
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section provides information about using the Compatibility Administrator tool.
-
-## In this section
-
-
-
With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.
The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.
Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.
The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.
The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.
The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+---
+title: Using the Compatibility Administrator Tool (Windows 10)
+description: This section provides information about using the Compatibility Administrator tool.
+ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Using the Compatibility Administrator Tool
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+This section provides information about using the Compatibility Administrator tool.
+
+## In this section
+
+
+
With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.
The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.
Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.
The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.
The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.
The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md
index 464e7e03de..965ad4dad7 100644
--- a/windows/deployment/planning/windows-10-compatibility.md
+++ b/windows/deployment/planning/windows-10-compatibility.md
@@ -1,60 +1,61 @@
----
-title: Windows 10 compatibility (Windows 10)
-description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
-ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, upgrade, update, appcompat
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Windows 10 compatibility
-
-
-**Applies to**
-
-- Windows 10
-
-Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
-
-For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10.
-
-Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues.
-
-Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store.
-
-For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](https://go.microsoft.com/fwlink/p/?LinkId=734031)
-
-## Recommended application testing process
-
-
-Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to leverage more optimized testing processes, which reflects the higher levels of compatibility that are expected. At a high level:
-
-- Identify mission-critical applications and websites, those that are absolutely essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release.
-
-- For less critical applications, leverage an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines.
-
-## Related topics
-
-
-[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)
-
-[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
-
-[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
-
-
-
-
-
-
-
-
-
+---
+title: Windows 10 compatibility (Windows 10)
+description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
+ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deploy, upgrade, update, appcompat
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows 10 compatibility
+
+
+**Applies to**
+
+- Windows 10
+
+Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
+
+For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10.
+
+Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues.
+
+Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store.
+
+For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](https://go.microsoft.com/fwlink/p/?LinkId=734031)
+
+## Recommended application testing process
+
+
+Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to leverage more optimized testing processes, which reflects the higher levels of compatibility that are expected. At a high level:
+
+- Identify mission-critical applications and websites, those that are absolutely essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release.
+
+- For less critical applications, leverage an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines.
+
+## Related topics
+
+
+[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)
+
+[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
+
+[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index fba2f6ef1d..e34b68d47e 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -45,7 +45,7 @@ The features described below are no longer being actively developed, and might b
|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. If for any reason you see an error message about "help not supported," possibly when using a non-Microsoft application, read [this support article](https://support.microsoft.com/help/917607/error-opening-help-in-windows-based-programs-feature-not-included-or-h) for additional information and any next steps.| 1803 |
|Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](https://msdn.microsoft.com/library/ff800913.aspx). Instead, you can use the People app in Windows 10 to maintain your contacts.| 1803 |
|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| 1803 |
-|IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| 1803 |
+|IPv4/6 Transition Technologies (6to4, ISATAP, Teredo, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), Teredo has been disabled since Windows 10, version 1803, and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| 1803 |
|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers has not been developed since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.| 1803 |
|Business Scanning| This feature is also called Distributed Scan Management (DSM) **(Added 05/03/2018)**
The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| 1803 |
|IIS 6 Management Compatibility* | We recommend that users use alternative scripting tools and a newer management console. | 1709 |
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
index 764b8d1ca5..546b8de3af 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
@@ -6,14 +6,12 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
ms.sitesec: library
-audience: itpro
author: greg-lindsay
ms.date: 08/18/2017
ms.reviewer:
manager: laurawi
ms.author: greglin
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md
index b79a9e0b9d..bd70149a69 100644
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/deployment/planning/windows-10-removed-features.md
@@ -27,6 +27,8 @@ The following features and functionalities have been removed from the installed
|Feature | Details and mitigation | Removed in version |
| ----------- | --------------------- | ------ |
+| Connect app | The [Connect app](https://docs.microsoft.com/windows-hardware/design/device-experiences/wireless-projection-understanding) for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 |
+| Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13th, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 |
| Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 |
| Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 |
| Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for non-cellular devices.| 2004 |
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index bd9b8af4d0..37b3315a1d 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -11,8 +11,8 @@ ms.reviewer:
manager: laurawi
ms.audience: itpro
author: greg-lindsay
+ms.author: greglin
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md
index 3534c08c5c..97f6eb21e1 100644
--- a/windows/deployment/update/WIP4Biz-intro.md
+++ b/windows/deployment/update/WIP4Biz-intro.md
@@ -7,9 +7,7 @@ ms.mktglfcycl: manage
audience: itpro
itproauthor: jaimeo
author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
-author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md
index 99bb88d5a4..fc8013e00c 100644
--- a/windows/deployment/update/change-history-for-update-windows-10.md
+++ b/windows/deployment/update/change-history-for-update-windows-10.md
@@ -4,7 +4,6 @@ description: This topic lists new and updated topics in the Update Windows 10 do
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
-itproauthor: jaimeo
author: jaimeo
ms.author: jaimeo
ms.reviewer:
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index af6fe156e8..77795ce1c4 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -10,7 +10,6 @@ audience: itpro
author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.topic: article
ms.collection: M365-modern-desktop
---
diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md
index da74aafced..5e3223976c 100644
--- a/windows/deployment/update/feature-update-maintenance-window.md
+++ b/windows/deployment/update/feature-update-maintenance-window.md
@@ -4,7 +4,6 @@ description: Learn how to deploy feature updates during a maintenance window
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
-itproauthor: jaimeo
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md
index a2ff53df19..4264b434b1 100644
--- a/windows/deployment/update/plan-define-readiness.md
+++ b/windows/deployment/update/plan-define-readiness.md
@@ -10,7 +10,6 @@ audience: itpro
author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.topic: article
ms.collection: M365-modern-desktop
---
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
index b7e1707a7d..645903d80f 100644
--- a/windows/deployment/update/plan-determine-app-readiness.md
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -7,12 +7,12 @@ keywords: updates, servicing, current, deployment, semi-annual channel, feature,
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
-author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.topic: article
ms.collection: M365-modern-desktop
+ms.author: jaimeo
+author: jaimeo
---
# Determine application readiness
diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md
index 2167039e0c..0305a83e2b 100644
--- a/windows/deployment/update/update-compliance-configuration-script.md
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@@ -35,6 +35,10 @@ The script is organized into two folders **Pilot** and **Deployment**. Both fold
> [!IMPORTANT]
> If you encounter an issue with Update Compliance, the first step should be to run the script in Pilot mode on a device you are encountering issues with, and save these Logs for reference with Support.
+> [!IMPORTANT]
+> The script must be run in the System context. To do this, use the PsExec tool included in the file. For more about PsExec, see [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec).
+
+
When using the script in the context of troubleshooting, use `Pilot`. Enter `RunConfig.bat`, and configure it as follows:
1. Configure `logPath` to a path where the script will have write access and a place you can easily access. This specifies the output of the log files generated when the script is in Verbose mode.
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 5953fcc349..312c0ec84c 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -16,7 +16,7 @@ ms.topic: article
# Feature Update Status
-
+[  ](images/UC_workspace_FU_status.png#lightbox)
The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels).
@@ -41,7 +41,14 @@ Microsoft uses diagnostic data to determine whether devices that use Windows Upd
### Opting out of compatibility hold
-Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired. To opt out, set the registry key **HKLM\Software\Microsoft\Windows NT\CurrentVersion\502505fe-762c-4e80-911e-0c3fa4c63fb0** to a name of **DataRequireGatedScanForFeatureUpdates** and a value of **0**.
+Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired.
+To opt out, set the registry key as follows:
+
+- Registry Key Path :: **Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion**
+- Create New Key :: **502505fe-762c-4e80-911e-0c3fa4c63fb0**
+- Name :: **DataRequireGatedScanForFeatureUpdates**
+- Type :: **REG_DWORD**
+- Value :: **0**
Setting this registry key to **0** will force the device to opt out from *all* compatibility holds. Any other value, or deleting the key, will resume compatibility protection on the device.
diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md
index dbf94c9677..58e2b5e496 100644
--- a/windows/deployment/update/update-policies.md
+++ b/windows/deployment/update/update-policies.md
@@ -10,7 +10,6 @@ audience: itpro
author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.topic: article
ms.collection: M365-modern-desktop
---
diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md
index b4bb57aef5..515ad60203 100644
--- a/windows/deployment/update/waas-delivery-optimization-reference.md
+++ b/windows/deployment/update/waas-delivery-optimization-reference.md
@@ -23,7 +23,7 @@ ms.topic: article
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference.
+There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md).
## Delivery Optimization options
@@ -47,9 +47,9 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 |
| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 |
| [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 |
-| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 |
-| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 |
-| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 |
+| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)|
+| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)|
+| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (removed in Windows 10, version 2004) |
| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 |
| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 |
| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 |
@@ -64,6 +64,10 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
| [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 |
| [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 |
| [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 |
+| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 2004 |
+| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 |
+| [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 |
+| [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 |
### More detail on Delivery Optimization settings:
@@ -131,7 +135,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
- 0 = not set
- 1 = AD Site
- 2 = Authenticated domain SID
-- 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID)
+- 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 235 and use the returned GUID value as the Group ID)
- 4 = DNS Suffix
- 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
@@ -232,4 +236,33 @@ The device can download from peers while on battery regardless of this policy.
>[!IMPORTANT]
> By default, devices **will not upload while on battery**. To enable uploads while on battery, you need to enable this policy and set the battery value under which uploads pause.
+### Cache Server Hostname
+Set this policy to to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma separated, for example: myhost.somerandomhost.com,myhost2.somrandomhost.com,10.10.1.7.
+
+
+### Cache Server Hostname Source
+
+This policy allows you to specify how your client(s) can discover Delivery Optimization in Network Cache servers dynamically. There are two options:
+- 1 = DHCP Option 235.
+- 2 = DHCP Option 235 Force.
+
+with either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set.
+
+Set this policy to designate one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. You can add one or more value either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
+
+> [!NOTE]
+> If you format the DHCP Option ID incorrectly, the client will fall back to the Cache Server Hostname policy value if that value has been set.
+
+### Maximum Foreground Download Bandwidth (in KB/s)
+
+Specifies the maximum foreground download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization.
+
+The default value of 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+
+
+### Maximum Background Download Bandwidth (in KB/s)
+
+Specifies the maximum background download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization.
+
+The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md
index 584aa81202..0dca1d9e70 100644
--- a/windows/deployment/update/waas-delivery-optimization-setup.md
+++ b/windows/deployment/update/waas-delivery-optimization-setup.md
@@ -24,7 +24,7 @@ ms.topic: article
## Recommended Delivery Optimization settings
-Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greatest impact if particular situations exist in your deployment:
+Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greatest impact if particular situations exist in your deployment. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md).
- Does your topology include multiple breakouts to the internet (i.e., a "hybrid WAN") or are there only a few connections to the internet, so that all requests appear to come from a single external IP address (a "hub and spoke" topology)?
- If you use boundary groups in your topology, how many devices are present in a given group?
@@ -129,7 +129,6 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
| ExpireOn | The target expiration date and time for the file. |
| Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). |
-Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data:
@@ -147,9 +146,7 @@ Using the `-Verbose` option returns additional information:
- Bytes from CDN (the number of bytes received over HTTP)
- Average number of peer connections per download
-Starting in Windows 10, version 2004, `Get-DeliveryOptimizationPerfSnap` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
-
-Starting in Windows 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status.
+**Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationPerfSnap` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month.
@@ -178,7 +175,10 @@ You can now "pin" files to keep them persistent in the cache. You can only do th
**Starting in Windows 10, version 2004:**
-`Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]`
+- `Enable-DeliveryOptimizationVerboseLogs`
+- `Disable-DeliveryOptimizationVerboseLogs`
+
+- `Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]`
With no options, this cmdlet returns these data:
@@ -218,7 +218,7 @@ Log entries are written to the PowerShell pipeline as objects. To dump logs to a
Update Compliance provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
-
+[  ](images/UC_workspace_DO_status.png#lightbox)
For details, see [Delivery Optimization in Update Compliance](update-compliance-delivery-optimization.md).
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index b788f2aa7c..e4e27a9a8a 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -1,12 +1,11 @@
---
-title: Configure Delivery Optimization for Windows 10 updates (Windows 10)
+title: Delivery Optimization for Windows 10 updates
ms.reviewer:
manager: laurawi
description: Delivery Optimization is a peer-to-peer distribution method in Windows 10
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
-
audience: itpro
author: jaimeo
ms.localizationpriority: medium
@@ -28,17 +27,42 @@ Windows updates, upgrades, and applications can contain packages with very large
Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet.
+For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md).
+
>[!NOTE]
>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead.
## New in Windows 10, version 2004
-- Enterprise network throttling: new settings have been added in Group Policy and MDM to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface:
+- Enterprise network throttling: new settings have been added in Group Policy and mobile device management (MDM) to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface:
-
+ 
-- Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#microsoft-connected-cache).
+- Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache).
+
+- New options for [`Get-DeliveryOptimizationPerfSnap`](waas-delivery-optimization-setup.md#analyze-usage).
+
+- New cmdlets:
+ - `Enable-DeliveryOptimizationVerboseLogs`
+ - `Disable-DeliveryOptimizationVerboseLogs`
+ - `Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]`
+
+- New policy settings:
+ - [DOCacheHost](waas-delivery-optimization-reference.md#cache-server-hostname)
+ - [DOCacheHostSource](waas-delivery-optimization-reference.md#cache-server-hostname-source)
+ - [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs); replaces DOPercentageMaxDownloadBandwidth
+ - [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs)
+
+- Removed policy settings (if you set these policies in Windows 10, 2004, they will have no effect):
+ - DOMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) or [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead.
+ - DOPercentageMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) or [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead.
+ - DOMaxUploadBandwidth
+
+- Support for new types of downloads:
+ - Office installations and updates
+ - Xbox game pass games
+ - MSIX apps (HTTP downloads only)
## Requirements
@@ -61,9 +85,8 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Windows Store files | 1511 |
| Windows Store for Business files | 1511 |
| Windows Defender definition updates | 1511 |
-| Office Click-to-Run updates | 1709 |
+| Microsoft 365 Apps and updates | 1709 (for more information, see [Delivery Optimization and Microsoft 365 Apps](https://docs.microsoft.com/deployoffice/delivery-optimization)) |
| Win32 apps for Intune | 1709 |
-| Office installations and updates | 2004 |
| Xbox game pass games | 2004 |
| MSIX apps (HTTP downloads only) | 2004 |
| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 |
@@ -73,13 +96,9 @@ The following table lists the minimum Windows 10 version that supports Delivery
-
-
-
-
In Windows 10 Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
-For more details, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md).
+For more information, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md).
## Set up Delivery Optimization
@@ -91,7 +110,7 @@ You can use Group Policy or an MDM solution like Intune to configure Delivery Op
You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
-Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](https://docs.microsoft.com/intune/delivery-optimization-windows))
+Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](https://docs.microsoft.com/intune/delivery-optimization-windows))
**Starting with Windows 10, version 1903,** you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
@@ -181,7 +200,7 @@ If you don’t see any bytes coming from peers the cause might be one of the fol
If you suspect this is the problem, try these steps:
1. Start a download of an app that is larger than 50 MB from the Store (for example "Candy Crush Saga").
-2. Run `Get-DeliveryOptimizationStatus` from an elevated Powershell window and observe the DownloadMode setting. For peering to work, DownloadMode should be 1, 2, or 3.
+2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and observe the DownloadMode setting. For peering to work, DownloadMode should be 1, 2, or 3.
3. If **DownloadMode** is 99 it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization hostnames are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**.
@@ -191,8 +210,8 @@ If you suspect this is the problem, try these steps:
If you suspect this is the problem, try these steps:
1. Download the same app on two different devices on the same network, waiting 10 – 15 minutes between downloads.
-2. Run `Get-DeliveryOptimizationStatus` from an elevated Powershell window and ensure that **DownloadMode** is 1 or 2 on both devices.
-3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated Powershell window on the second device. The **NumberOfPeers** field should be non-zero.
+2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **DownloadMode** is 1 or 2 on both devices.
+3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be non-zero.
4. If the number of peers is zero and you have **DownloadMode** = 1, ensure that both devices are using the same public IP address to reach the internet. To do this, open a browser Windows and search for “what is my IP”. You can **DownloadMode 2** (Group) and a custom GroupID (Guid) to fix this if the devices aren’t reporting the same public IP address.
@@ -212,7 +231,7 @@ If you suspect this is the problem, try a Telnet test between two devices on the
[Windows 10, Delivery Optimization, and WSUS](https://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/)
-## Related topics
+## Related articles
- [Update Windows 10 in the enterprise](index.md)
- [Overview of Windows as a service](waas-overview.md)
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 13b02958f8..db7cd77c90 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -82,6 +82,9 @@ When using WSUS to manage updates on Windows client devices, start by configurin
9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
+
+ >[!IMPORTANT]
+ > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdateDoNotConnectToWindowsUpdateInternetLocations
> [!NOTE]
> There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).
diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md
index b23dfbb017..377895abf7 100644
--- a/windows/deployment/update/waas-morenews.md
+++ b/windows/deployment/update/waas-morenews.md
@@ -4,13 +4,11 @@ ms.prod: w10
ms.topic: article
ms.manager: elizapo
audience: itpro
-itproauthor: jaimeo
author: jaimeo
ms.author: jaimeo
ms.reviewer:
manager: laurawi
ms.localizationpriority: high
-ms.topic: article
---
# Windows as a service - More news
diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md
index d55a28a5c1..81e33643c9 100644
--- a/windows/deployment/update/waas-servicing-differences.md
+++ b/windows/deployment/update/waas-servicing-differences.md
@@ -7,7 +7,6 @@ keywords: updates, servicing, current, deployment, semi-annual channel, feature,
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
-author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
author: jaimeo
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 83cc19c6e9..323e565a06 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -3,9 +3,7 @@ title: Manage additional Windows Update settings (Windows 10)
description: Additional settings to control the behavior of Windows Update (WU) in Windows 10
ms.prod: w10
ms.mktglfcycl: deploy
-
audience: itpro
-author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
author: jaimeo
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index d9b74223ef..8707f69961 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -118,6 +118,8 @@ Now all devices are paused from updating for 35 days. When the pause is removed,
If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version (for example, update fall release to fall release) use the **Select the target Feature Update version** setting instead of using the **Specify when Preview Builds and Feature Updates are received** setting for feature update deferrals. When you use this policy, specify the version that you want your device(s) to use. If you don't update this before the device reaches end of service, the device will automatically be updated once it is 60 days past end of service for its edition.
+When you set the target version policy, if you specify a feature update version that is older than your current version or set a value that isn't valid, the device will not receive any feature updates until the policy is updated. When you specify target version policy, feature update deferrals will not be in effect.
+
### Manage how users experience updates
#### I want to manage when devices download, install, and restart after updates
diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md
index 30af2075e1..92ee39c436 100644
--- a/windows/deployment/update/waas-wufb-intune.md
+++ b/windows/deployment/update/waas-wufb-intune.md
@@ -4,14 +4,14 @@ description: Configure Windows Update for Business settings using Microsoft Intu
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
-author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.date: 07/27/2017
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.author: jaimeo
+author: jaimeo
---
# Walkthrough: use Microsoft Intune to configure Windows Update for Business
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
index 4390f47e44..e992f49cb7 100644
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -114,21 +114,4 @@ Secure your organization's deployment investment.
## Microsoft Ignite 2018
-Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service.
-
-
-[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor)
-
-[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor)
-
-[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor)
-
-[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor)
-
-[BRK3039: Windows 10 and Microsoft Microsoft 365 Apps for enterprise lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor)
-
-[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor)
-
-[THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor)
-
-[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor)
+Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. See [MyIgnite - Session catalog](https://myignite.techcommunity.microsoft.com/sessions).
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
index b83dd307b0..eb75d04c0c 100644
--- a/windows/deployment/update/windows-update-error-reference.md
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -8,7 +8,6 @@ itproauthor: jaimeo
author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md
index cdb6ea9f85..e3d4342c33 100644
--- a/windows/deployment/update/windows-update-errors.md
+++ b/windows/deployment/update/windows-update-errors.md
@@ -5,8 +5,6 @@ ms.prod: w10
ms.mktglfcycl:
audience: itpro
itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.date: 09/18/2018
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index 1e9deff347..32d22bb62b 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -5,8 +5,6 @@ ms.prod: w10
ms.mktglfcycl:
audience: itpro
itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.date: 09/18/2018
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index 47cb14f395..d96f16274f 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -6,9 +6,7 @@ ms.mktglfcycl:
audience: itpro
itproauthor: jaimeo
author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
-author: jaimeo
ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md
index 0371ab7f89..17dce5c494 100644
--- a/windows/deployment/update/windows-update-resources.md
+++ b/windows/deployment/update/windows-update-resources.md
@@ -4,14 +4,14 @@ description: Use these resource to troubleshoot and reset Windows Update.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
-author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.author: jaimeo
+author: jaimeo
---
# Windows Update - additional resources
diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md
index 967245b7d0..f2f001b980 100644
--- a/windows/deployment/update/windows-update-troubleshooting.md
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@@ -5,8 +5,6 @@ ms.prod: w10
ms.mktglfcycl:
audience: itpro
itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.reviewer:
diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md
index ac584017e2..49657d8483 100644
--- a/windows/deployment/update/wufb-autoupdate.md
+++ b/windows/deployment/update/wufb-autoupdate.md
@@ -6,9 +6,7 @@ ms.mktglfcycl: manage
audience: itpro
itproauthor: jaimeo
author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
-author: jaimeo
ms.date: 06/20/2018
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/update/wufb-basics.md b/windows/deployment/update/wufb-basics.md
index 719b115f4f..0c8f5c32db 100644
--- a/windows/deployment/update/wufb-basics.md
+++ b/windows/deployment/update/wufb-basics.md
@@ -8,7 +8,6 @@ itproauthor: jaimeo
author: jaimeo
ms.localizationprioauthor: jaimeo
ms.audience: itpro
-author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
diff --git a/windows/deployment/update/wufb-managedrivers.md b/windows/deployment/update/wufb-managedrivers.md
index e451d7751a..56f956aae8 100644
--- a/windows/deployment/update/wufb-managedrivers.md
+++ b/windows/deployment/update/wufb-managedrivers.md
@@ -5,8 +5,6 @@ ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.date: 06/21/2018
diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md
index 10037c56b2..93a5ab27b7 100644
--- a/windows/deployment/update/wufb-manageupdate.md
+++ b/windows/deployment/update/wufb-manageupdate.md
@@ -6,9 +6,7 @@ ms.mktglfcycl: manage
audience: itpro
itproauthor: jaimeo
author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
-author: jaimeo
ms.date: 06/20/2018
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/update/wufb-onboard.md b/windows/deployment/update/wufb-onboard.md
index 058f595090..9956826543 100644
--- a/windows/deployment/update/wufb-onboard.md
+++ b/windows/deployment/update/wufb-onboard.md
@@ -5,8 +5,6 @@ ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.reviewer:
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index 3a7f854132..9cef992dea 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -1,64 +1,65 @@
----
-title: Resolve Windows 10 upgrade errors - Windows IT Pro
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
-keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.topic: article
----
-
-# Resolve Windows 10 upgrade errors : Technical information for IT Pros
-
-**Applies to**
-- Windows 10
-
->[!IMPORTANT]
->This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](quick-fixes.md) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md).
-
-This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
-
-The article was originally one page, but has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods.
-
-The following four levels are assigned:
-
-Level 100: Basic
-Level 200: Moderate
-Level 300: Moderate advanced
-Level 400: Advanced
-
-## In this guide
-
-See the following topics in this article:
-
-- [Quick fixes](quick-fixes.md): \Level 100\ Steps you can take to eliminate many Windows upgrade errors.
-- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help you isolate the root cause of an upgrade failure.
-- [Troubleshooting upgrade errors](troubleshoot-upgrade-errors.md): \Level 300\ General advice and techniques for troubleshooting Windows 10 upgrade errors, and an explanation of phases used during the upgrade process.
-- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows 10 upgrade.
-- [Upgrade error codes](upgrade-error-codes.md): \Level 400\ The components of an error code are explained.
- - [Result codes](upgrade-error-codes.md#result-codes): Information about result codes.
- - [Extend codes](upgrade-error-codes.md#extend-codes): Information about extend codes.
-- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting.
- - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described.
- - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example.
-- [Resolution procedures](resolution-procedures.md): \Level 200\ Causes and mitigation procedures associated with specific error codes.
- - [0xC1900101](resolution-procedures.md#0xc1900101): Information about the 0xC1900101 result code.
- - [0x800xxxxx](resolution-procedures.md#0x800xxxxx): Information about result codes that start with 0x800.
- - [Other result codes](resolution-procedures.md#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
- - [Other error codes](resolution-procedures.md#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
-- [Submit Windows 10 upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis.
-
-## Related topics
-
-[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
- [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
- [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
- [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
- [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
-
+---
+title: Resolve Windows 10 upgrade errors - Windows IT Pro
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
+keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.topic: article
+---
+
+# Resolve Windows 10 upgrade errors : Technical information for IT Pros
+
+**Applies to**
+- Windows 10
+
+>[!IMPORTANT]
+>This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](quick-fixes.md) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md).
+
+This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
+
+The article was originally one page, but has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods.
+
+The following four levels are assigned:
+
+Level 100: Basic
+Level 200: Moderate
+Level 300: Moderate advanced
+Level 400: Advanced
+
+## In this guide
+
+See the following topics in this article:
+
+- [Quick fixes](quick-fixes.md): \Level 100\ Steps you can take to eliminate many Windows upgrade errors.
+- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help you isolate the root cause of an upgrade failure.
+- [Troubleshooting upgrade errors](troubleshoot-upgrade-errors.md): \Level 300\ General advice and techniques for troubleshooting Windows 10 upgrade errors, and an explanation of phases used during the upgrade process.
+- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows 10 upgrade.
+- [Upgrade error codes](upgrade-error-codes.md): \Level 400\ The components of an error code are explained.
+ - [Result codes](upgrade-error-codes.md#result-codes): Information about result codes.
+ - [Extend codes](upgrade-error-codes.md#extend-codes): Information about extend codes.
+- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting.
+ - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described.
+ - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example.
+- [Resolution procedures](resolution-procedures.md): \Level 200\ Causes and mitigation procedures associated with specific error codes.
+ - [0xC1900101](resolution-procedures.md#0xc1900101): Information about the 0xC1900101 result code.
+ - [0x800xxxxx](resolution-procedures.md#0x800xxxxx): Information about result codes that start with 0x800.
+ - [Other result codes](resolution-procedures.md#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
+ - [Other error codes](resolution-procedures.md#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
+- [Submit Windows 10 upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis.
+
+## Related topics
+
+[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
+ [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
+ [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
+ [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+ [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
+
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index bea5439367..bca001f87a 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -48,7 +48,7 @@ When run by Windows Setup, the following [parameters](#parameters) are used:
- /Output:%windir%\logs\SetupDiag\SetupDiagResults.xml
- /RegPath:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupDiag\Results
-The resulting SetupDiag analysis can be found at **%WinDir%\Logs\SetupDiag\SetupDiagResults.xml** and in the registry under **HKLM\Setup\SetupDiag\Results**.
+The resulting SetupDiag analysis can be found at **%WinDir%\Logs\SetupDiag\SetupDiagResults.xml** and in the registry under **HKLM\SYSTEM\Setup\SetupDiag\Results**.
If the upgrade process proceeds normally, the **Sources** directory including **setupdiag.exe** is moved under **%SystemDrive%\Windows.Old** for cleanup. If the **Windows.old** directory is deleted later, **setupdiag.exe** will also be removed.
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index 6062bfa905..91c5da4243 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -1,79 +1,80 @@
----
-title: Windows Upgrade and Migration Considerations (Windows 10)
-description: Windows Upgrade and Migration Considerations
-ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Windows upgrade and migration considerations
-Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration.
-
-## Upgrade from a previous version of Windows
-You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete.
-
-## Migrate files and settings
-Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves.
-
-For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](https://go.microsoft.com/fwlink/p/?LinkId=131349).
-
-The User State Migration Tool (USMT) 10.0 is an application intended for administrators who are performing large-scale automated deployments. For deployment to a small number of computers or for individually customized deployments, you can use Windows Easy Transfer.
-
-### Migrate with Windows Easy Transfer
-Windows Easy Transfer is a software wizard for transferring files and settings from one computer that is running Windows to another. It helps you select what to move to your new computer, enables you to set which migration method to use, and then performs the transfer. When the transfer has completed, Windows Easy Transfer Reports shows you what was transferred and provides a list of programs you might want to install on your new computer, in addition to links to other programs you might want to download.
-
-With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you cannot use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store.
-
-> [!NOTE]
-> Windows Easy Transfer [is not available in Windows 10](https://support.microsoft.com/help/4026265/windows-windows-easy-transfer-is-not-available-in-windows-10).
-
-### Migrate with the User State Migration Tool
-You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded.
-
-## Upgrade and migration considerations
-Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
-
-### Application compatibility
-For more information about application compatibility in Windows, see [Use Upgrade Readiness to manage Windows upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades).
-
-### Multilingual Windows image upgrades
-When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English.
-
-If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed.
-
-### Errorhandler.cmd
-When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run.
-
-### Data drive ACL migration
-During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files.
-
-Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature:
-
-``` syntax
-Key: HKLM\System\Setup
-Type: REG_DWORD
-Value: "DDACLSys_Disabled" = 1
-```
-
-This feature is disabled if this registry key value exists and is configured to `1`.
-
-## Related topics
-[User State Migration Tool (USMT) Overview Topics](../usmt/usmt-topics.md)
-[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
-
-
-
-
-
-
-
-
-
-
+---
+title: Windows Upgrade and Migration Considerations (Windows 10)
+description: Windows Upgrade and Migration Considerations
+ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows upgrade and migration considerations
+Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration.
+
+## Upgrade from a previous version of Windows
+You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete.
+
+## Migrate files and settings
+Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves.
+
+For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](https://go.microsoft.com/fwlink/p/?LinkId=131349).
+
+The User State Migration Tool (USMT) 10.0 is an application intended for administrators who are performing large-scale automated deployments. For deployment to a small number of computers or for individually customized deployments, you can use Windows Easy Transfer.
+
+### Migrate with Windows Easy Transfer
+Windows Easy Transfer is a software wizard for transferring files and settings from one computer that is running Windows to another. It helps you select what to move to your new computer, enables you to set which migration method to use, and then performs the transfer. When the transfer has completed, Windows Easy Transfer Reports shows you what was transferred and provides a list of programs you might want to install on your new computer, in addition to links to other programs you might want to download.
+
+With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you cannot use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store.
+
+> [!NOTE]
+> Windows Easy Transfer [is not available in Windows 10](https://support.microsoft.com/help/4026265/windows-windows-easy-transfer-is-not-available-in-windows-10).
+
+### Migrate with the User State Migration Tool
+You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded.
+
+## Upgrade and migration considerations
+Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
+
+### Application compatibility
+For more information about application compatibility in Windows, see [Use Upgrade Readiness to manage Windows upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades).
+
+### Multilingual Windows image upgrades
+When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English.
+
+If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed.
+
+### Errorhandler.cmd
+When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run.
+
+### Data drive ACL migration
+During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files.
+
+Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature:
+
+``` syntax
+Key: HKLM\System\Setup
+Type: REG_DWORD
+Value: "DDACLSys_Disabled" = 1
+```
+
+This feature is disabled if this registry key value exists and is configured to `1`.
+
+## Related topics
+[User State Migration Tool (USMT) Overview Topics](../usmt/usmt-topics.md)
+[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
+[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md
index 8ca3e5b215..4b6585af49 100644
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@@ -1,172 +1,173 @@
----
-title: Migrate Application Settings (Windows 10)
-description: Migrate Application Settings
-ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Migrate Application Settings
-
-
-You can create a custom .xml file to migrate specific line-of-business application settings or to change the default migration behavior of the User State Migration Tool (USMT) 10.0. For ScanState and LoadState to use this file, you must specify the custom .xml file on both command lines.
-
-This topic defines how to author a custom migration .xml file that migrates the settings of an application that is not migrated by default using MigApp.xml. You should migrate the settings after you install the application, but before the user runs the application for the first time.
-
-This topic does not contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also does not contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this topic does not discuss how to migrate the .doc files and templates themselves.
-
-## In this Topic
-
-
-- [Before You Begin](#bkmk-beforebegin)
-
-- [Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer](#bkmk-step1).
-
-- [Step 2: Identify settings to collect and determine where each setting is stored on the computer](#bkmk-step2).
-
-- [Step 3: Identify how to apply the gathered settings](#bkmk-step3).
-
-- [Step 4: Create the migration XML component for the application](#bkmk-step4).
-
-- [Step 5: Test the application settings migration](#bkmk-step5).
-
-## Before You Begin
-
-
-You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application.
-
-## Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer.
-
-
-Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it is the correct version. If the application is not installed on the source computer, you probably do not want USMT to spend time searching for the application’s settings. More importantly, if USMT collects settings for an application that is not installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there is more than one version of the application. This is because the new version may not store the settings in the same place, which may lead to unexpected results on the destination computer.
-
-There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It is important that you check for both of these items, because sometimes different versions of the same application share the same uninstall key. So even if the key is there, it may not correspond to the version of the application that you want.
-
-### Check the registry for an application uninstall key.
-
-When many applications are installed (especially those installed using the Microsoft® Windows® Installer technology), an application uninstall key is created under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall**. For example, when Adobe Acrobat Reader 7 is installed, it creates a key named **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall \\{AC76BA86-7AD7-1033-7B44-A70000000000}**. Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. You can check for the existence of a registry key using the **DoesObjectExist** helper function.
-
-Usually, you can find this key by searching under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** for the name of the application, the name of the application executable file, or for the name of the company that makes the application. You can use the Registry Editor (**Regedit.exe** located in the %**SystemRoot**%) to search the registry.
-
-### Check the file system for the application executable file.
-
-You should also check the application binaries for the executable that installed the application. To do this, you will first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you have determined the path to the application executable, you can use the **DoesFileVersionMatch** helper function to check for the correct version of the application executable. For an example of how to do this, see the Windows Live™ Messenger section of the MigApp.xml file.
-
-## Step 2: Identify settings to collect and determine where each setting is stored on the computer.
-
-
-Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you do not want to migrate. To determine where each setting is stored, you will need to change each setting and monitor the activity on the registry and the file system. You do not need to migrate the binary files and registry settings that are made when the application is installed. This is because you will need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable.
-
-###
-
-**How To Determine Where Each Setting is Stored**
-
-1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](https://go.microsoft.com/fwlink/p/?linkid=36109).
-
-2. Shut down as many applications as possible to limit the registry and file system activity on the computer.
-
-3. Filter the output of the tools so it only displays changes being made by the application.
-
- **Note**
- Most applications store their settings under the user profile. That is, the settings stored in the file system are under the %**UserProfile**% directory, and the settings stored in the registry are under the **HKEY\_CURRENT\_USER** hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine.
-
-
-
-4. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you are changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically will not take effect until you close the dialog box by clicking **OK**.
-
-5. When the setting is changed, note the changes to the file system and registry. There may be more than one file or registry values for each setting. You should identify the minimal set of file and registry changes that are required to change this setting. This set of files and registry keys is what you will need to migrate in order to migrate the setting.
-
- **Note**
- Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values.
-
-
-
-## Step 3: Identify how to apply the gathered settings.
-
-
-If the version of the application on the source computer is the same as the one on the destination computer, then you do not have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the C:\\Documents and Settings\\User1\\My Documents folder and the profile directory on the destination computer is located at D:\\Users\\User1, then USMT will automatically migrate the file to D:\\Users\\User1\\My Documents. However, you may need to modify the location of some settings in the following three cases:
-
-### Case 1: The version of the application on the destination computer is newer than the one on the source computer.
-
-In this case, the newer version of the application may be able to read the settings from the source computer without modification. That is, the data collected from an older version of the application is sometimes compatible with the newer version of the application. However, you may need to modify the setting location if either of the following is true:
-
-- **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. Some applications do this automatically after settings are migrated; however, other applications will only do this if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer does not contain this set of files and registry keys so the mapping does not occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer.
-
- To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How To determine where each setting is stored](#bkmkdetermine). Once you know the set of files that the computer needs, you can use the <`addObjects`> element to add them to the destination computer.
-
-- [The newer version of the application cannot read settings from the source computer and it is also unable to import the settings into the new format.](#bkmkdetermine) In this case, you will need to create a mapping for each setting from the old locations to the new locations. To do this, determine where the newer version stores each setting using the process described in How to determine where each setting is stored. After you have created the mapping, apply the settings to the new location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions.
-
-### Case 2: The destination computer already contains settings for the application.
-
-We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. If you must install the application before the migration, you should delete any existing settings using the <`destinationCleanup`> element. If for any reason you want to preserve the settings that are on the destination computer, you can use the <`merge`> element and **DestinationPriority** helper function.
-
-### Case 3: The application overwrites settings when it is installed.
-
-We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This is common for applications that store settings in locations that are outside of the user profile (typically these are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they are replaced by default values. To avoid this, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer.
-
-## Step 4: Create the migration XML component for the application
-
-
-After you have completed steps 1 through 3, you will need to create a custom migration .xml file that migrates the application based on the information that you now have. You can use the MigApp.xml file as a model because it contains examples of many of the concepts discussed in this topic. You can also see [Custom XML Examples](usmt-custom-xml-examples.md) for another sample .xml file.
-
-**Note**
-We recommend that you create a separate .xml file instead of adding your script to the **MigApp.xml** file. This is because the **MigApp.xml** file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the **MigApp.xml** file will be overwritten by the default version of the file and you will lose your customized version.
-
-
-
-**Important**
-Some applications store information in the user profile that should not be migrated (for example, application installation paths, the computer name, and so on). You should make sure to exclude these files and registry keys from the migration.
-
-
-
-Your script should do the following:
-
-1. Check whether the application and correct version is installed by:
-
- - Searching for the installation uninstall key under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** using the **DoesObjectExist** helper function.
-
- - Checking for the correct version of the application executable file using the **DoesFileVersionMatch** helper function.
-
-2. If the correct version of the application is installed, then ensure that each setting is migrated to the appropriate location on the destination computer.
-
- - If the versions of the applications are the same on both the source and destination computers, migrate each setting using the <`include`> and <`exclude`> elements.
-
- - If the version of the application on the destination computer is newer than the one on the source computer, and the application cannot import the settings, your script should either 1) add the set of files that trigger the import using the <`addObjects`> element or 2) create a mapping that applies the old settings to the correct location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions.
-
- - If you must install the application before migrating the settings, delete any settings that are already on the destination computer using the <`destinationCleanup`> element.
-
-For information about the .xml elements and helper functions, see [XML Elements Library](usmt-xml-elements-library.md).
-
-## Step 5: Test the application settings migration
-
-
-On a test computer, install the operating system that will be installed on the destination computers. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly.
-
-To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you are testing. To specify only User1 in the migration, type: **/ue:\*\\\* /ui:user1**. For more information, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md) and User options in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. To troubleshoot a problem, check the progress log, and the ScanState and LoadState logs, which contain warnings and errors that may point to problems with the migration.
-
-## Related topics
-
-
-[USMT XML Reference](usmt-xml-reference.md)
-
-[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
-
-[XML Elements Library](usmt-xml-elements-library.md)
-
-[Log Files](usmt-log-files.md)
-
-
-
-
-
-
-
-
-
+---
+title: Migrate Application Settings (Windows 10)
+description: Migrate Application Settings
+ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Migrate Application Settings
+
+
+You can create a custom .xml file to migrate specific line-of-business application settings or to change the default migration behavior of the User State Migration Tool (USMT) 10.0. For ScanState and LoadState to use this file, you must specify the custom .xml file on both command lines.
+
+This topic defines how to author a custom migration .xml file that migrates the settings of an application that is not migrated by default using MigApp.xml. You should migrate the settings after you install the application, but before the user runs the application for the first time.
+
+This topic does not contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also does not contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this topic does not discuss how to migrate the .doc files and templates themselves.
+
+## In this Topic
+
+
+- [Before You Begin](#bkmk-beforebegin)
+
+- [Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer](#bkmk-step1).
+
+- [Step 2: Identify settings to collect and determine where each setting is stored on the computer](#bkmk-step2).
+
+- [Step 3: Identify how to apply the gathered settings](#bkmk-step3).
+
+- [Step 4: Create the migration XML component for the application](#bkmk-step4).
+
+- [Step 5: Test the application settings migration](#bkmk-step5).
+
+## Before You Begin
+
+
+You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application.
+
+## Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer.
+
+
+Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it is the correct version. If the application is not installed on the source computer, you probably do not want USMT to spend time searching for the application’s settings. More importantly, if USMT collects settings for an application that is not installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there is more than one version of the application. This is because the new version may not store the settings in the same place, which may lead to unexpected results on the destination computer.
+
+There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It is important that you check for both of these items, because sometimes different versions of the same application share the same uninstall key. So even if the key is there, it may not correspond to the version of the application that you want.
+
+### Check the registry for an application uninstall key.
+
+When many applications are installed (especially those installed using the Microsoft® Windows® Installer technology), an application uninstall key is created under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall**. For example, when Adobe Acrobat Reader 7 is installed, it creates a key named **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall \\{AC76BA86-7AD7-1033-7B44-A70000000000}**. Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. You can check for the existence of a registry key using the **DoesObjectExist** helper function.
+
+Usually, you can find this key by searching under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** for the name of the application, the name of the application executable file, or for the name of the company that makes the application. You can use the Registry Editor (**Regedit.exe** located in the %**SystemRoot**%) to search the registry.
+
+### Check the file system for the application executable file.
+
+You should also check the application binaries for the executable that installed the application. To do this, you will first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you have determined the path to the application executable, you can use the **DoesFileVersionMatch** helper function to check for the correct version of the application executable. For an example of how to do this, see the Windows Live™ Messenger section of the MigApp.xml file.
+
+## Step 2: Identify settings to collect and determine where each setting is stored on the computer.
+
+
+Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you do not want to migrate. To determine where each setting is stored, you will need to change each setting and monitor the activity on the registry and the file system. You do not need to migrate the binary files and registry settings that are made when the application is installed. This is because you will need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable.
+
+###
+
+**How To Determine Where Each Setting is Stored**
+
+1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](https://go.microsoft.com/fwlink/p/?linkid=36109).
+
+2. Shut down as many applications as possible to limit the registry and file system activity on the computer.
+
+3. Filter the output of the tools so it only displays changes being made by the application.
+
+ **Note**
+ Most applications store their settings under the user profile. That is, the settings stored in the file system are under the %**UserProfile**% directory, and the settings stored in the registry are under the **HKEY\_CURRENT\_USER** hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine.
+
+
+
+4. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you are changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically will not take effect until you close the dialog box by clicking **OK**.
+
+5. When the setting is changed, note the changes to the file system and registry. There may be more than one file or registry values for each setting. You should identify the minimal set of file and registry changes that are required to change this setting. This set of files and registry keys is what you will need to migrate in order to migrate the setting.
+
+ **Note**
+ Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values.
+
+
+
+## Step 3: Identify how to apply the gathered settings.
+
+
+If the version of the application on the source computer is the same as the one on the destination computer, then you do not have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the C:\\Documents and Settings\\User1\\My Documents folder and the profile directory on the destination computer is located at D:\\Users\\User1, then USMT will automatically migrate the file to D:\\Users\\User1\\My Documents. However, you may need to modify the location of some settings in the following three cases:
+
+### Case 1: The version of the application on the destination computer is newer than the one on the source computer.
+
+In this case, the newer version of the application may be able to read the settings from the source computer without modification. That is, the data collected from an older version of the application is sometimes compatible with the newer version of the application. However, you may need to modify the setting location if either of the following is true:
+
+- **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. Some applications do this automatically after settings are migrated; however, other applications will only do this if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer does not contain this set of files and registry keys so the mapping does not occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer.
+
+ To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How To determine where each setting is stored](#bkmkdetermine). Once you know the set of files that the computer needs, you can use the <`addObjects`> element to add them to the destination computer.
+
+- [The newer version of the application cannot read settings from the source computer and it is also unable to import the settings into the new format.](#bkmkdetermine) In this case, you will need to create a mapping for each setting from the old locations to the new locations. To do this, determine where the newer version stores each setting using the process described in How to determine where each setting is stored. After you have created the mapping, apply the settings to the new location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions.
+
+### Case 2: The destination computer already contains settings for the application.
+
+We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. If you must install the application before the migration, you should delete any existing settings using the <`destinationCleanup`> element. If for any reason you want to preserve the settings that are on the destination computer, you can use the <`merge`> element and **DestinationPriority** helper function.
+
+### Case 3: The application overwrites settings when it is installed.
+
+We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This is common for applications that store settings in locations that are outside of the user profile (typically these are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they are replaced by default values. To avoid this, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer.
+
+## Step 4: Create the migration XML component for the application
+
+
+After you have completed steps 1 through 3, you will need to create a custom migration .xml file that migrates the application based on the information that you now have. You can use the MigApp.xml file as a model because it contains examples of many of the concepts discussed in this topic. You can also see [Custom XML Examples](usmt-custom-xml-examples.md) for another sample .xml file.
+
+**Note**
+We recommend that you create a separate .xml file instead of adding your script to the **MigApp.xml** file. This is because the **MigApp.xml** file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the **MigApp.xml** file will be overwritten by the default version of the file and you will lose your customized version.
+
+
+
+**Important**
+Some applications store information in the user profile that should not be migrated (for example, application installation paths, the computer name, and so on). You should make sure to exclude these files and registry keys from the migration.
+
+
+
+Your script should do the following:
+
+1. Check whether the application and correct version is installed by:
+
+ - Searching for the installation uninstall key under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** using the **DoesObjectExist** helper function.
+
+ - Checking for the correct version of the application executable file using the **DoesFileVersionMatch** helper function.
+
+2. If the correct version of the application is installed, then ensure that each setting is migrated to the appropriate location on the destination computer.
+
+ - If the versions of the applications are the same on both the source and destination computers, migrate each setting using the <`include`> and <`exclude`> elements.
+
+ - If the version of the application on the destination computer is newer than the one on the source computer, and the application cannot import the settings, your script should either 1) add the set of files that trigger the import using the <`addObjects`> element or 2) create a mapping that applies the old settings to the correct location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions.
+
+ - If you must install the application before migrating the settings, delete any settings that are already on the destination computer using the <`destinationCleanup`> element.
+
+For information about the .xml elements and helper functions, see [XML Elements Library](usmt-xml-elements-library.md).
+
+## Step 5: Test the application settings migration
+
+
+On a test computer, install the operating system that will be installed on the destination computers. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly.
+
+To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you are testing. To specify only User1 in the migration, type: **/ue:\*\\\* /ui:user1**. For more information, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md) and User options in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. To troubleshoot a problem, check the progress log, and the ScanState and LoadState logs, which contain warnings and errors that may point to problems with the migration.
+
+## Related topics
+
+
+[USMT XML Reference](usmt-xml-reference.md)
+
+[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
+
+[XML Elements Library](usmt-xml-elements-library.md)
+
+[Log Files](usmt-log-files.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index 2d1d744fa6..c5a12de2fc 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -1,81 +1,82 @@
----
-title: Migration Store Types Overview (Windows 10)
-description: Migration Store Types Overview
-ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Migration Store Types Overview
-
-
-When planning your migration, you should determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers. You should also determine the space needed to create and host the migration store, whether you are using a local share, network share, or storage device.
-
-## In This Topic
-
-
-[Migration Store Types](#bkmk-types)
-
-[Local Store vs. Remote Store](#bkmk-localvremote)
-
-[The /localonly Command-Line Option](#bkmk-localonly)
-
-## Migration Store Types
-
-
-This section describes the three migration store types available in USMT.
-
-### Uncompressed (UNC)
-
-The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Windows Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer.
-
-### Compressed
-
-The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and cannot be navigated with Windows Explorer.
-
-### Hard-Link
-
-A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are “wired” into the file system. You use the new USMT hard-link migration store in the PC Refresh scenario only. This is because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration.
-
-You use a command-line option,**/hardlink** , to create a hard-link migration store, which functions the same as an uncompressed migration store. Files are not duplicated on the local computer when user state is captured, nor are they duplicated when user state is restored. For more information, see [Hard-Link Migration Store](usmt-hard-link-migration-store.md).
-
-The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store.
-
-
-
-## Local Store vs. Remote Store
-
-
-If you have enough space and you are migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you are using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It is also good practice to ensure that the migration is the only task the server is performing.
-
-If there is not enough local disk space, or if you are moving the user state to another computer, then you must store the data remotely. For example, you can store it in on a shared folder, on removable media such as a UFD drive, or you can store it directly on the destination computer. For example, create and share C:\\store on the destination computer. Then run the ScanState command on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store. Then, run the **LoadState** command on the destination computer and specify **C:\\Store** as the store location. By doing this, you do not need to save the files to a server.
-
-**Important**
-If possible, have users store their data within their %UserProfile%\\My Documents and %UserProfile%\\Application Data folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check.
-
-
-
-### The /localonly Command-Line Option
-
-You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify **/LocalOnly**, see [ScanState Syntax](usmt-scanstate-syntax.md).
-
-## Related topics
-
-
-[Plan Your Migration](usmt-plan-your-migration.md)
-
-
-
-
-
-
-
-
-
+---
+title: Migration Store Types Overview (Windows 10)
+description: Migration Store Types Overview
+ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Migration Store Types Overview
+
+
+When planning your migration, you should determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers. You should also determine the space needed to create and host the migration store, whether you are using a local share, network share, or storage device.
+
+## In This Topic
+
+
+[Migration Store Types](#bkmk-types)
+
+[Local Store vs. Remote Store](#bkmk-localvremote)
+
+[The /localonly Command-Line Option](#bkmk-localonly)
+
+## Migration Store Types
+
+
+This section describes the three migration store types available in USMT.
+
+### Uncompressed (UNC)
+
+The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Windows Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer.
+
+### Compressed
+
+The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and cannot be navigated with Windows Explorer.
+
+### Hard-Link
+
+A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are “wired” into the file system. You use the new USMT hard-link migration store in the PC Refresh scenario only. This is because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration.
+
+You use a command-line option,**/hardlink** , to create a hard-link migration store, which functions the same as an uncompressed migration store. Files are not duplicated on the local computer when user state is captured, nor are they duplicated when user state is restored. For more information, see [Hard-Link Migration Store](usmt-hard-link-migration-store.md).
+
+The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store.
+
+
+
+## Local Store vs. Remote Store
+
+
+If you have enough space and you are migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you are using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It is also good practice to ensure that the migration is the only task the server is performing.
+
+If there is not enough local disk space, or if you are moving the user state to another computer, then you must store the data remotely. For example, you can store it in on a shared folder, on removable media such as a UFD drive, or you can store it directly on the destination computer. For example, create and share C:\\store on the destination computer. Then run the ScanState command on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store. Then, run the **LoadState** command on the destination computer and specify **C:\\Store** as the store location. By doing this, you do not need to save the files to a server.
+
+**Important**
+If possible, have users store their data within their %UserProfile%\\My Documents and %UserProfile%\\Application Data folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check.
+
+
+
+### The /localonly Command-Line Option
+
+You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify **/LocalOnly**, see [ScanState Syntax](usmt-scanstate-syntax.md).
+
+## Related topics
+
+
+[Plan Your Migration](usmt-plan-your-migration.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md
index 75c4393563..682ad7ff15 100644
--- a/windows/deployment/usmt/usmt-choose-migration-store-type.md
+++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md
@@ -1,65 +1,66 @@
----
-title: Choose a Migration Store Type (Windows 10)
-description: Choose a Migration Store Type
-ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Choose a Migration Store Type
-
-
-One of the main considerations for planning your migration is to determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers, and how much space is needed to create and host the migration store, whether you are using a local share, network share, or storage device. The final consideration is ensuring that user date integrity is maintained by encrypting the migration store.
-
-## In This Section
-
-
-
Learn about the using migration store encryption to protect user data integrity during a migration.
-
-
-
-
-
-
-## Related topics
-
-
-[Plan Your Migration](usmt-plan-your-migration.md)
-
-[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
-
-
-
-
-
-
-
-
-
+---
+title: Choose a Migration Store Type (Windows 10)
+description: Choose a Migration Store Type
+ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Choose a Migration Store Type
+
+
+One of the main considerations for planning your migration is to determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers, and how much space is needed to create and host the migration store, whether you are using a local share, network share, or storage device. The final consideration is ensuring that user date integrity is maintained by encrypting the migration store.
+
+## In This Section
+
+
+
Learn about the using migration store encryption to protect user data integrity during a migration.
+
+
+
+
+
+
+## Related topics
+
+
+[Plan Your Migration](usmt-plan-your-migration.md)
+
+[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md
index 43d9d9c686..045feda6ef 100644
--- a/windows/deployment/usmt/usmt-command-line-syntax.md
+++ b/windows/deployment/usmt/usmt-command-line-syntax.md
@@ -1,54 +1,55 @@
----
-title: User State Migration Tool (USMT) Command-line Syntax (Windows 10)
-description: User State Migration Tool (USMT) Command-line Syntax
-ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# User State Migration Tool (USMT) Command-line Syntax
-
-
-The User State Migration Tool (USMT) 10.0 migrates user files and settings during large deployments of Windows. To improve and simplify the migration process, USMT captures desktop, network, and application settings in addition to a user's files. USMT then migrates these items to a new Windows installation.
-
-## In This Section
-
-
-
Lists the command-line options for using the UsmtUtils tool.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+---
+title: User State Migration Tool (USMT) Command-line Syntax (Windows 10)
+description: User State Migration Tool (USMT) Command-line Syntax
+ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# User State Migration Tool (USMT) Command-line Syntax
+
+
+The User State Migration Tool (USMT) 10.0 migrates user files and settings during large deployments of Windows. To improve and simplify the migration process, USMT captures desktop, network, and application settings in addition to a user's files. USMT then migrates these items to a new Windows installation.
+
+## In This Section
+
+
+
Lists the command-line options for using the UsmtUtils tool.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md
index 49aa08dbfe..3800f43309 100644
--- a/windows/deployment/usmt/usmt-common-issues.md
+++ b/windows/deployment/usmt/usmt-common-issues.md
@@ -1,340 +1,341 @@
----
-title: Common Issues (Windows 10)
-description: Common Issues
-ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.date: 09/19/2017
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Common Issues
-
-
-The following sections discuss common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. USMT produces log files that describe in further detail any errors that occurred during the migration process. These logs can be used to troubleshoot migration failures.
-
-## In This Topic
-
-
-[User Account Problems](#user)
-
-[Command-line Problems](#command)
-
-[XML File Problems](#xml)
-
-[Migration Problems](#migration)
-
-[Offline Migration Problems](#bkmk-offline)
-
-[Hard Link Migration Problems](#bkmk-hardlink)
-
-[USMT does not migrate the Start layout](#usmt-does-not-migrate-the-start-layout)
-
-## General Guidelines for Identifying Migration Problems
-
-
-When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem:
-
-- Examine the ScanState, LoadState, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). For more information about Windows API error messages, type **nethelpmsg** on the command line.
-
- In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger.
-
- **Note**
- Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred.
-
-
-
-- Use the **/Verify** option in the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md).
-
-- Use the **/Extract** option in the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md).
-
-- Create a progress log using the **/Progress** option to monitor your migration.
-
-- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment.
-
-- Log off after you run the LoadState tool. Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect until the next time the end user logs on.
-
-- Close all applications before running ScanState or LoadState tools. If some applications are running during the ScanState or LoadState process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files.
-
- **Note**
- USMT will fail if it cannot migrate a file or setting unless you specify the **/c** option. When you specify the **/c** option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that did not migrate.
-
-
-
-## User Account Problems
-
-
-The following sections describe common user account problems. Expand the section to see recommended solutions.
-
-### I'm having problems creating local accounts on the destination computer.
-
-**Resolution:** For more information about creating accounts and migrating local accounts, see [Migrate User Accounts](usmt-migrate-user-accounts.md).
-
-### Not all of the user accounts were migrated to the destination computer.
-
-**Causes/Resolutions** There are two possible causes for this problem:
-
-When running the ScanState tool on Windows Vista, or the ScanState and LoadState tools on Windows 7, Windows 8, or Windows 10, you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. To run in Administrator mode:
-
-1. Click **Start**.
-
-2. Click **All Programs**.
-
-3. Click **Accessories**.
-
-4. Right-click **Command Prompt**.
-
-5. Click **Run as administrator**.
-
-Then specify your LoadState or ScanState command. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration.
-
-Any user accounts on the computer that have not been used will not be migrated. For example, if you add User1 to the computer, but User1 never logs on, then USMT will not migrate the User1 account.
-
-### User accounts that I excluded were migrated to the destination computer.
-
-**Cause:** The command that you specified might have had conflicting **/ui** and **/ue** options. If a user is specified with the **/ui** option and is also specified to be excluded with either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:domain1\* /ue:domain1\user1`, then User1 will be migrated because the **/ui** option takes precedence.
-
-**Resolution:** For more information about how to use the **/ui** and **/ue** options together, see the examples in the [ScanState Syntax](usmt-scanstate-syntax.md) topic.
-
-### I am using the /uel option, but many accounts are still being included in the migration.
-
-**Cause** The **/uel** option depends on the last modified date of the users' NTUser.dat file. There are scenarios in which this last modified date might not match the users' last logon date.
-
-**Resolution** This is a limitation of the **/uel** option. You might need to exclude these users manually with the **/ue** option.
-
-### The LoadState tool reports an error as return code 71 and fails to restore a user profile during a migration test.
-
-**Cause:** During a migration test, if you run the ScanState tool on your test computer and then delete user profiles in order to test the LoadState tool on the same computer, you may have a conflicting key present in the registry. Using the **net use** command to remove a user profile will delete folders and files associated with that profile, but will not remove the registry key.
-
-**Resolution:** To delete a user profile, use the **User Accounts** item in Control Panel. To correct an incomplete deletion of a user profile:
-
-1. Open the registry editor by typing `regedit` at an elevated command prompt.
-
-2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`.
-
- Each user profile is stored in a System Identifier key under `ProfileList`.
-
-3. Delete the key for the user profile you are trying to remove.
-
-### Files that were not encrypted before the migration are now encrypted with the account used to run the LoadState tool.
-
-**Cause:** The ScanState tool was run using the **/EFS: copyraw** option to migrate encrypted files and Encrypting File System (EFS) certificates. The encryption attribute was set on a folder that was migrated, but the attribute was removed from file contents of that folder prior to migration.
-
-**Resolution:** Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you can run the Cipher tool at the command prompt to review and change encryption settings on files and folders. You must remove the encryption attribute from folders that contain unencrypted files or encrypt the contents of all files within an encrypted folder.
-
-To remove encryption from files that have already been migrated incorrectly, you must log on to the computer with the account that you used to run the LoadState tool and then remove the encryption from the affected files.
-
-### The LoadState tool reports an error as return code 71 and a Windows Error 2202 in the log file.
-
-**Cause:** The computer name was changed during an offline migration of a local user profile.
-
-**Resolution:** You can use the **/mu** option when you run the LoadState tool to specify a new name for the user. For example,
-
-``` syntax
-loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore
-/progress:prog.log /l:load.log /mu:fareast\user1:farwest\user1
-```
-
-## Command-line Problems
-
-
-The following sections describe common command-line problems. Expand the section to see recommended solutions.
-
-### I received the following error message: "Usage Error: You cannot specify a file path with any of the command-line options that exceeds 256 characters."
-
-**Cause:** You might receive this error message in some cases even if you do not specify a long store or file path, because the path length is calculated based on the absolute path. For example, if you run the **scanstate.exe /o store** command from C:\\Program Files\\USMT40, then each character in "`C:\Program Files\USMT40`" will be added to the length of "store" to get the length of the path.
-
-**Resolution:** Ensure that the total path length—the store path plus the current directory—does not exceed 256 characters.
-
-### I received the following error message: "USMT was unable to create the log file(s). Ensure that you have write access to the log directory."
-
-**Cause:** If you are running the ScanState or LoadState tools from a shared network resource, you will receive this error message if you do not specify **/l**.
-
-**Resolution:** To fix this issue in this scenario, specify the **/l:scan.log** or **/l:load.log** option.
-
-## XML File Problems
-
-
-The following sections describe common XML file problems. Expand the section to see recommended solutions.
-
-### I used the /genconfig option to create a Config.xml file, but I see only a few applications and components that are in MigApp.xml. Why does Config.xml not contain all of the same applications?
-
-**Cause:** Config.xml will contain only operating system components, applications, and the user document sections that are in both of the .xml files and are installed on the computer when you run the **/genconfig** option. Otherwise, these applications and components will not appear in the Config.xml file.
-
-**Resolution:** Install all of the desired applications on the computer before running the **/genconfig** option. Then run ScanState with all of the .xml files. For example, run the following:
-
-`scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:scanstate.log`
-
-### I am having problems with a custom .xml file that I authored, and I cannot verify that the syntax is correct.
-
-**Resolution:** You can load the XML schema (MigXML.xsd), included with USMT, into your XML authoring tool. For examples, see the [Visual Studio Development Center](https://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there is a syntax error. In addition, see [USMT XML Reference](usmt-xml-reference.md) for more information about using the XML elements.
-
-### I am using a MigXML helper function, but the migration isn’t working the way I expected it to. How do I troubleshoot this issue?
-
-**Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. You receive a Success return code, but the files you wanted to migrate did not get collected or applied, or weren’t collected or applied in the way you expected.
-
-**Resolution:** You should search the ScanState or LoadState log for either the component name which contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file.
-
-## Migration Problems
-
-
-The following sections describe common migration problems. Expand the section to see recommended solutions.
-
-### Files that I specified to exclude are still being migrated.
-
-**Cause:** There might be another rule that is including the files. If there is a more specific rule or a conflicting rule, the files will be included in the migration.
-
-**Resolution:** For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md) and the Diagnostic Log section in [Log Files](usmt-log-files.md).
-
-### I specified rules to move a folder to a specific location on the destination computer, but it has not migrated correctly.
-
-**Cause:** There might be an error in the XML syntax.
-
-**Resolution:** You can use the USMT XML schema (MigXML.xsd) to write and validate migration .xml files. Also see the XML examples in the following topics:
-
-[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
-
-[Exclude Files and Settings](usmt-exclude-files-and-settings.md)
-
-[Reroute Files and Settings](usmt-reroute-files-and-settings.md)
-
-[Include Files and Settings](usmt-include-files-and-settings.md)
-
-[Custom XML Examples](usmt-custom-xml-examples.md)
-
-### After LoadState completes, the new desktop background does not appear on the destination computer.
-
-There are three typical causes for this issue.
-
-**Cause \#1:**: Some settings such as fonts, desktop backgrounds, and screen-saver settings are not applied by LoadState until after the destination computer has been restarted.
-
-**Resolution:** To fix this issue, log off, and then log back on to see the migrated desktop background.
-
-**Cause \#2:** If the source computer was running Windows® XP and the desktop background was stored in the *Drive*:\\WINDOWS\\Web\\Wallpaper folder—the default folder where desktop backgrounds are stored in Windows XP—the desktop background will not be migrated. Instead, the destination computer will have the default Windows® desktop background. This will occur even if the desktop background was a custom picture that was added to the \\WINDOWS\\Web\\Wallpaper folder. However, if the end user sets a picture as the desktop background that was saved in another location, for example, My Pictures, then the desktop background will migrate.
-
-**Resolution:** Ensure that the desktop background images that you want to migrate are not in the \\WINDOWS\\Web\\Wallpaper folder on the source computer.
-
-**Cause \#3:** If ScanState was not run on Windows XP from an account with administrative credentials, some operating system settings will not migrate. For example, desktop background settings, screen-saver selections, modem options, media-player settings, and Remote Access Service (RAS) connection phone book (.pbk) files and settings will not migrate.
-
-**Resolution:** Run the ScanState and LoadState tools from within an account with administrative credentials.
-
-### I included MigApp.xml in the migration, but some PST files aren’t migrating.
-
-**Cause:** The MigApp.xml file migrates only the PST files that are linked to Outlook profiles.
-
-**Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files.
-
-### USMT does not migrate the Start layout
-
-**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured.
-
-**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function.
-
-**Resolution:** The following workaround is available:
-
-1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired:
-
- ```
- Export-StartLayout -Path "C:\Layout\user1.xml"
- ```
-2. Migrate the user's profile with USMT.
-3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command:
-
- ```
- Import-StartLayout –LayoutPath "C:\Layout\user1.xml" –MountPath %systemdrive%
- ```
-
-This workaround changes the Default user's Start layout. The workaround does not scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout.
-
-## Offline Migration Problems
-
-
-The following sections describe common offline migration problems. Expand the section to see recommended solutions.
-
-### Some of my system settings do not migrate in an offline migration.
-
-**Cause:** Some system settings, such as desktop backgrounds and network printers, are not supported in an offline migration. For more information, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
-
-**Resolution:** In an offline migration, these system settings must be restored manually.
-
-### The ScanState tool fails with return code 26.
-
-**Cause:** A common cause of return code 26 is that a temp profile is active on the source computer. This profile maps to c:\\users\\temp. The ScanState log shows a MigStartupOfflineCaught exception that includes the message "User profile duplicate SID error".
-
-**Resolution:** You can reboot the computer to get rid of the temp profile or you can set MIG\_FAIL\_ON\_PROFILE\_ERROR=0 to skip the error and exclude the temp profile.
-
-### Include and Exclude rules for migrating user profiles do not work the same offline as they do online.
-
-**Cause:** When offline, the DNS server cannot be queried to resolve the user name and SID mapping.
-
-**Resolution:** Use a Security Identifier (SID) to include a user when running the ScanState tool. For example:
-
-``` syntax
-Scanstate /ui:S1-5-21-124525095-708259637-1543119021*
-```
-
-The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well.
-
-You can also use patterns for SIDs that identify generic users or groups. For example, you can use the */ue:\*-500* option to exclude the local administrator accounts. For more information about Windows SIDs, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=190277).
-
-### My script to wipe the disk fails after running the ScanState tool on a 64-bit system.
-
-**Cause:** The HKLM registry hive is not unloaded after the ScanState tool has finished running.
-
-**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the ScanState tool has finished running. For example, at a command prompt, type:
-
-``` syntax
-reg.exe unload hklm\$dest$software
-```
-
-## Hard-Link Migration Problems
-
-
-The following sections describe common hard-link migration problems. Expand the section to see recommended solutions.
-
-### EFS files are not restored to the new partition.
-
-**Cause:** EFS files cannot be moved to a new partition with a hard link. The **/efs:hardlink** command-line option is only applicable to files migrated on the same partition.
-
-**Resolution:** Use the **/efs:copyraw** command-line option to copy EFS files during the migration instead of creating hard links, or manually copy the EFS files from the hard-link store.
-
-### The ScanState tool cannot delete a previous hard-link migration store.
-
-**Cause:** The migration store contains hard links to locked files.
-
-**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, type:
-
-``` syntax
-USMTutils /rd
-```
-
-You should also reboot the machine.
-
-
-
-
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-
-[Frequently Asked Questions](usmt-faq.md)
-
-[Return Codes](usmt-return-codes.md)
-
-[UsmtUtils Syntax](usmt-utilities.md)
-
-
-
-
-
-
-
-
-
+---
+title: Common Issues (Windows 10)
+description: Common Issues
+ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.date: 09/19/2017
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Common Issues
+
+
+The following sections discuss common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. USMT produces log files that describe in further detail any errors that occurred during the migration process. These logs can be used to troubleshoot migration failures.
+
+## In This Topic
+
+
+[User Account Problems](#user)
+
+[Command-line Problems](#command)
+
+[XML File Problems](#xml)
+
+[Migration Problems](#migration)
+
+[Offline Migration Problems](#bkmk-offline)
+
+[Hard Link Migration Problems](#bkmk-hardlink)
+
+[USMT does not migrate the Start layout](#usmt-does-not-migrate-the-start-layout)
+
+## General Guidelines for Identifying Migration Problems
+
+
+When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem:
+
+- Examine the ScanState, LoadState, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). For more information about Windows API error messages, type **nethelpmsg** on the command line.
+
+ In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger.
+
+ **Note**
+ Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred.
+
+
+
+- Use the **/Verify** option in the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md).
+
+- Use the **/Extract** option in the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md).
+
+- Create a progress log using the **/Progress** option to monitor your migration.
+
+- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment.
+
+- Log off after you run the LoadState tool. Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect until the next time the end user logs on.
+
+- Close all applications before running ScanState or LoadState tools. If some applications are running during the ScanState or LoadState process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files.
+
+ **Note**
+ USMT will fail if it cannot migrate a file or setting unless you specify the **/c** option. When you specify the **/c** option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that did not migrate.
+
+
+
+## User Account Problems
+
+
+The following sections describe common user account problems. Expand the section to see recommended solutions.
+
+### I'm having problems creating local accounts on the destination computer.
+
+**Resolution:** For more information about creating accounts and migrating local accounts, see [Migrate User Accounts](usmt-migrate-user-accounts.md).
+
+### Not all of the user accounts were migrated to the destination computer.
+
+**Causes/Resolutions** There are two possible causes for this problem:
+
+When running the ScanState tool on Windows Vista, or the ScanState and LoadState tools on Windows 7, Windows 8, or Windows 10, you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. To run in Administrator mode:
+
+1. Click **Start**.
+
+2. Click **All Programs**.
+
+3. Click **Accessories**.
+
+4. Right-click **Command Prompt**.
+
+5. Click **Run as administrator**.
+
+Then specify your LoadState or ScanState command. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration.
+
+Any user accounts on the computer that have not been used will not be migrated. For example, if you add User1 to the computer, but User1 never logs on, then USMT will not migrate the User1 account.
+
+### User accounts that I excluded were migrated to the destination computer.
+
+**Cause:** The command that you specified might have had conflicting **/ui** and **/ue** options. If a user is specified with the **/ui** option and is also specified to be excluded with either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:domain1\* /ue:domain1\user1`, then User1 will be migrated because the **/ui** option takes precedence.
+
+**Resolution:** For more information about how to use the **/ui** and **/ue** options together, see the examples in the [ScanState Syntax](usmt-scanstate-syntax.md) topic.
+
+### I am using the /uel option, but many accounts are still being included in the migration.
+
+**Cause** The **/uel** option depends on the last modified date of the users' NTUser.dat file. There are scenarios in which this last modified date might not match the users' last logon date.
+
+**Resolution** This is a limitation of the **/uel** option. You might need to exclude these users manually with the **/ue** option.
+
+### The LoadState tool reports an error as return code 71 and fails to restore a user profile during a migration test.
+
+**Cause:** During a migration test, if you run the ScanState tool on your test computer and then delete user profiles in order to test the LoadState tool on the same computer, you may have a conflicting key present in the registry. Using the **net use** command to remove a user profile will delete folders and files associated with that profile, but will not remove the registry key.
+
+**Resolution:** To delete a user profile, use the **User Accounts** item in Control Panel. To correct an incomplete deletion of a user profile:
+
+1. Open the registry editor by typing `regedit` at an elevated command prompt.
+
+2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`.
+
+ Each user profile is stored in a System Identifier key under `ProfileList`.
+
+3. Delete the key for the user profile you are trying to remove.
+
+### Files that were not encrypted before the migration are now encrypted with the account used to run the LoadState tool.
+
+**Cause:** The ScanState tool was run using the **/EFS: copyraw** option to migrate encrypted files and Encrypting File System (EFS) certificates. The encryption attribute was set on a folder that was migrated, but the attribute was removed from file contents of that folder prior to migration.
+
+**Resolution:** Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you can run the Cipher tool at the command prompt to review and change encryption settings on files and folders. You must remove the encryption attribute from folders that contain unencrypted files or encrypt the contents of all files within an encrypted folder.
+
+To remove encryption from files that have already been migrated incorrectly, you must log on to the computer with the account that you used to run the LoadState tool and then remove the encryption from the affected files.
+
+### The LoadState tool reports an error as return code 71 and a Windows Error 2202 in the log file.
+
+**Cause:** The computer name was changed during an offline migration of a local user profile.
+
+**Resolution:** You can use the **/mu** option when you run the LoadState tool to specify a new name for the user. For example,
+
+``` syntax
+loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore
+/progress:prog.log /l:load.log /mu:fareast\user1:farwest\user1
+```
+
+## Command-line Problems
+
+
+The following sections describe common command-line problems. Expand the section to see recommended solutions.
+
+### I received the following error message: "Usage Error: You cannot specify a file path with any of the command-line options that exceeds 256 characters."
+
+**Cause:** You might receive this error message in some cases even if you do not specify a long store or file path, because the path length is calculated based on the absolute path. For example, if you run the **scanstate.exe /o store** command from C:\\Program Files\\USMT40, then each character in "`C:\Program Files\USMT40`" will be added to the length of "store" to get the length of the path.
+
+**Resolution:** Ensure that the total path length—the store path plus the current directory—does not exceed 256 characters.
+
+### I received the following error message: "USMT was unable to create the log file(s). Ensure that you have write access to the log directory."
+
+**Cause:** If you are running the ScanState or LoadState tools from a shared network resource, you will receive this error message if you do not specify **/l**.
+
+**Resolution:** To fix this issue in this scenario, specify the **/l:scan.log** or **/l:load.log** option.
+
+## XML File Problems
+
+
+The following sections describe common XML file problems. Expand the section to see recommended solutions.
+
+### I used the /genconfig option to create a Config.xml file, but I see only a few applications and components that are in MigApp.xml. Why does Config.xml not contain all of the same applications?
+
+**Cause:** Config.xml will contain only operating system components, applications, and the user document sections that are in both of the .xml files and are installed on the computer when you run the **/genconfig** option. Otherwise, these applications and components will not appear in the Config.xml file.
+
+**Resolution:** Install all of the desired applications on the computer before running the **/genconfig** option. Then run ScanState with all of the .xml files. For example, run the following:
+
+`scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:scanstate.log`
+
+### I am having problems with a custom .xml file that I authored, and I cannot verify that the syntax is correct.
+
+**Resolution:** You can load the XML schema (MigXML.xsd), included with USMT, into your XML authoring tool. For examples, see the [Visual Studio Development Center](https://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there is a syntax error. In addition, see [USMT XML Reference](usmt-xml-reference.md) for more information about using the XML elements.
+
+### I am using a MigXML helper function, but the migration isn’t working the way I expected it to. How do I troubleshoot this issue?
+
+**Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. You receive a Success return code, but the files you wanted to migrate did not get collected or applied, or weren’t collected or applied in the way you expected.
+
+**Resolution:** You should search the ScanState or LoadState log for either the component name which contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file.
+
+## Migration Problems
+
+
+The following sections describe common migration problems. Expand the section to see recommended solutions.
+
+### Files that I specified to exclude are still being migrated.
+
+**Cause:** There might be another rule that is including the files. If there is a more specific rule or a conflicting rule, the files will be included in the migration.
+
+**Resolution:** For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md) and the Diagnostic Log section in [Log Files](usmt-log-files.md).
+
+### I specified rules to move a folder to a specific location on the destination computer, but it has not migrated correctly.
+
+**Cause:** There might be an error in the XML syntax.
+
+**Resolution:** You can use the USMT XML schema (MigXML.xsd) to write and validate migration .xml files. Also see the XML examples in the following topics:
+
+[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
+
+[Exclude Files and Settings](usmt-exclude-files-and-settings.md)
+
+[Reroute Files and Settings](usmt-reroute-files-and-settings.md)
+
+[Include Files and Settings](usmt-include-files-and-settings.md)
+
+[Custom XML Examples](usmt-custom-xml-examples.md)
+
+### After LoadState completes, the new desktop background does not appear on the destination computer.
+
+There are three typical causes for this issue.
+
+**Cause \#1:**: Some settings such as fonts, desktop backgrounds, and screen-saver settings are not applied by LoadState until after the destination computer has been restarted.
+
+**Resolution:** To fix this issue, log off, and then log back on to see the migrated desktop background.
+
+**Cause \#2:** If the source computer was running Windows® XP and the desktop background was stored in the *Drive*:\\WINDOWS\\Web\\Wallpaper folder—the default folder where desktop backgrounds are stored in Windows XP—the desktop background will not be migrated. Instead, the destination computer will have the default Windows® desktop background. This will occur even if the desktop background was a custom picture that was added to the \\WINDOWS\\Web\\Wallpaper folder. However, if the end user sets a picture as the desktop background that was saved in another location, for example, My Pictures, then the desktop background will migrate.
+
+**Resolution:** Ensure that the desktop background images that you want to migrate are not in the \\WINDOWS\\Web\\Wallpaper folder on the source computer.
+
+**Cause \#3:** If ScanState was not run on Windows XP from an account with administrative credentials, some operating system settings will not migrate. For example, desktop background settings, screen-saver selections, modem options, media-player settings, and Remote Access Service (RAS) connection phone book (.pbk) files and settings will not migrate.
+
+**Resolution:** Run the ScanState and LoadState tools from within an account with administrative credentials.
+
+### I included MigApp.xml in the migration, but some PST files aren’t migrating.
+
+**Cause:** The MigApp.xml file migrates only the PST files that are linked to Outlook profiles.
+
+**Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files.
+
+### USMT does not migrate the Start layout
+
+**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured.
+
+**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function.
+
+**Resolution:** The following workaround is available:
+
+1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired:
+
+ ```
+ Export-StartLayout -Path "C:\Layout\user1.xml"
+ ```
+2. Migrate the user's profile with USMT.
+3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command:
+
+ ```
+ Import-StartLayout –LayoutPath "C:\Layout\user1.xml" –MountPath %systemdrive%
+ ```
+
+This workaround changes the Default user's Start layout. The workaround does not scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout.
+
+## Offline Migration Problems
+
+
+The following sections describe common offline migration problems. Expand the section to see recommended solutions.
+
+### Some of my system settings do not migrate in an offline migration.
+
+**Cause:** Some system settings, such as desktop backgrounds and network printers, are not supported in an offline migration. For more information, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
+
+**Resolution:** In an offline migration, these system settings must be restored manually.
+
+### The ScanState tool fails with return code 26.
+
+**Cause:** A common cause of return code 26 is that a temp profile is active on the source computer. This profile maps to c:\\users\\temp. The ScanState log shows a MigStartupOfflineCaught exception that includes the message "User profile duplicate SID error".
+
+**Resolution:** You can reboot the computer to get rid of the temp profile or you can set MIG\_FAIL\_ON\_PROFILE\_ERROR=0 to skip the error and exclude the temp profile.
+
+### Include and Exclude rules for migrating user profiles do not work the same offline as they do online.
+
+**Cause:** When offline, the DNS server cannot be queried to resolve the user name and SID mapping.
+
+**Resolution:** Use a Security Identifier (SID) to include a user when running the ScanState tool. For example:
+
+``` syntax
+Scanstate /ui:S1-5-21-124525095-708259637-1543119021*
+```
+
+The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well.
+
+You can also use patterns for SIDs that identify generic users or groups. For example, you can use the */ue:\*-500* option to exclude the local administrator accounts. For more information about Windows SIDs, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=190277).
+
+### My script to wipe the disk fails after running the ScanState tool on a 64-bit system.
+
+**Cause:** The HKLM registry hive is not unloaded after the ScanState tool has finished running.
+
+**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the ScanState tool has finished running. For example, at a command prompt, type:
+
+``` syntax
+reg.exe unload hklm\$dest$software
+```
+
+## Hard-Link Migration Problems
+
+
+The following sections describe common hard-link migration problems. Expand the section to see recommended solutions.
+
+### EFS files are not restored to the new partition.
+
+**Cause:** EFS files cannot be moved to a new partition with a hard link. The **/efs:hardlink** command-line option is only applicable to files migrated on the same partition.
+
+**Resolution:** Use the **/efs:copyraw** command-line option to copy EFS files during the migration instead of creating hard links, or manually copy the EFS files from the hard-link store.
+
+### The ScanState tool cannot delete a previous hard-link migration store.
+
+**Cause:** The migration store contains hard links to locked files.
+
+**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, type:
+
+``` syntax
+USMTutils /rd
+```
+
+You should also reboot the machine.
+
+
+
+
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+
+[Frequently Asked Questions](usmt-faq.md)
+
+[Return Codes](usmt-return-codes.md)
+
+[UsmtUtils Syntax](usmt-utilities.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md
index 9376707ccd..8eb09c18ae 100644
--- a/windows/deployment/usmt/usmt-customize-xml-files.md
+++ b/windows/deployment/usmt/usmt-customize-xml-files.md
@@ -1,138 +1,139 @@
----
-title: Customize USMT XML Files (Windows 10)
-description: Customize USMT XML Files
-ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Customize USMT XML Files
-
-
-## In This Topic
-
-
-[Overview](#bkmk-overview)
-
-[Migration .xml Files](#bkmk-migxml)
-
-[Custom .xml Files](#bkmk-customxmlfiles)
-
-[The Config.xml File](#bkmk-configxml)
-
-[Examples](#bkmk-examples)
-
-[Additional Information](#bkmk-addlinfo)
-
-## Overview
-
-
-If you want the **ScanState** and **LoadState** tools to use any of the migration .xml files, specify these files at the command line using the **/i** option. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, specify the same set of .xml files for both the **ScanState** and **LoadState** commands. However, you do not have to specify the Config.xml file with the **/config** option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. Then the **LoadState** command will migrate only the files and settings that you want to migrate.
-
-If you leave out an .xml file from the **LoadState** command, all of the data in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified with the **ScanState** command will not apply. For example, if you leave out an .xml file, and it contains a rerouting rule such as: `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files, and they will be migrated to C:\\data.
-
-To modify the migration, do one or more of the following.
-
-- **Modify the migration .xml files.** If you want to exclude a portion of a component—for example, you want to migrate C:\\ but exclude all of the .mp3 files—or if you want to move data to a new location on the destination computer, modify the .xml files. To modify these files, you must be familiar with the migration rules and syntax. If you want **ScanState** and **LoadState** to use these files, specify them at the command line when each command is entered.
-
-- **Create a custom .xml file.** You can also create a custom .xml file to migrate settings for another application, or to change the migration behavior to suit your needs. For **ScanState** and **LoadState** to use this file, specify them on both command lines.
-
-- **Create and modify a Config.xml file.** Do this if you want to exclude an entire component from the migration. For example, you can use a Config.xml file to exclude the entire My Documents folder, or exclude the settings for an application. Excluding components using a Config.xml file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. In addition, using a Config.xml file is the only way to exclude the operating system settings from being migrated.
-
-For more information about excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic.
-
-## Migration .xml Files
-
-
-This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they are migrated to on the destination computer.
-
-**Note**
-You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character.
-
-
-
-- **The MigApp.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate application settings.
-
-- **The MigDocs.xml file.** Specify this file with both the **ScanState** and **LoadState** tools to migrate all user folders and files that are found by the **MigXmlHelper.GenerateDocPatterns** helper function. This helper function finds user data that resides on the root of any drive and in the Users directory. However, it does not find and migrate any application data, program files, or any files in the Windows directory. You can modify the MigDocs.xml file.
-
-- **The MigUser.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate user folders, files, and file types. You can modify the MigUser.xml file. This file does not contain rules that migrate specific user accounts. The only way to specify which user accounts to migrate is on the command line using the **ScanState** and the **LoadState** user options.
-
- **Note**
- Do not use the MigUser.xml and MigDocs.xml files together. For more information, see the [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) and [USMT Best Practices](usmt-best-practices.md) topics.
-
-
-
-## Custom .xml Files
-
-
-You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want **ScanState** and **LoadState** to use this file, specify it with both commands. For more information, see the How to Create a Custom .xml File topic.
-
-## The Config.xml File
-
-
-The Config.xml file is an optional file that you create using the **/genconfig** option with the **ScanState** command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. The Config.xml file format is different from that of the migration .xml files because it does not contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](usmt-configxml-file.md) topic. For this reason, excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in a Config.xml file.
-
-If you want to include all of the default components, you do not need to create the Config.xml file. Alternatively, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigDocs.xml, and MigUser.xml files, and you want to exclude only some components, you can create and modify a Config.xml file and leave the other .xml files in their original state.
-
-When you run the **ScanState** command with the **/genconfig** option, **ScanState** reads the other .xml files that you specify using the **/i** option to create a custom list of components that can be migrated from the computer. This file will contain only operating system components, applications, and the user document sections that are in both of the .xml files and that are installed on the computer when you run the **ScanState** command with the **/genconfig** option. Therefore, you should create this file on a source computer that contains all of the components, applications, and settings that will be present on the destination computers. This will ensure that this file contains every component that can be migrated. The components are organized into sections: <Applications>, <WindowsComponents>, and <Documents>. To choose not to migrate a component, change its entry to `migrate="no"`.
-
-After you create this file, you need to specify it only with the **ScanState** command using the **/Config** option for it to affect the migration. However, if you want to exclude additional data that you migrated to the store, modify the Config.xml file and specify the updated file with the **LoadState** command. For example, if you collected the My Documents folder in the store, but you decide that you do not want to migrate the My Documents folder to a destination computer, you can modify the Config.xml file to indicate `migrate="no"` before you run the **LoadState** command, and the file will not be migrated. For more information about the precedence that takes place when excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic.
-
-In addition, note the following functionality with the Config.xml file:
-
-- If a parent component is removed from the migration in the Config.xml file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`.
-
-- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no"` and the other line specifies `migrate="yes"`, the component will be migrated.
-
-- In USMT there are several migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. For more information, see the [Config.xml File](usmt-configxml-file.md) topic.
-
-**Note**
-To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration.
-
-
-
-### Examples
-
-- The following command creates a Config.xml file in the current directory, but it does not create a store:
-
- `scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:5`
-
-- The following command creates an encrypted store using the Config.xml file and the default migration .xml files:
-
- `scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:5 /encrypt /key:"mykey"`
-
-- The following command decrypts the store and migrates the files and settings:
-
- `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:5 /decrypt /key:"mykey"`
-
-## Additional Information
-
-
-- For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) How-to topics](usmt-how-to.md).
-
-- For more information about each .xml element, see the [XML Elements Library](usmt-xml-elements-library.md) topic.
-
-- For answers to common questions, see ".xml files" in the [Frequently Asked Questions](usmt-faq.md) topic.
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
-
-[USMT Resources](usmt-resources.md)
-
-
-
-
-
-
-
-
-
+---
+title: Customize USMT XML Files (Windows 10)
+description: Customize USMT XML Files
+ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Customize USMT XML Files
+
+
+## In This Topic
+
+
+[Overview](#bkmk-overview)
+
+[Migration .xml Files](#bkmk-migxml)
+
+[Custom .xml Files](#bkmk-customxmlfiles)
+
+[The Config.xml File](#bkmk-configxml)
+
+[Examples](#bkmk-examples)
+
+[Additional Information](#bkmk-addlinfo)
+
+## Overview
+
+
+If you want the **ScanState** and **LoadState** tools to use any of the migration .xml files, specify these files at the command line using the **/i** option. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, specify the same set of .xml files for both the **ScanState** and **LoadState** commands. However, you do not have to specify the Config.xml file with the **/config** option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. Then the **LoadState** command will migrate only the files and settings that you want to migrate.
+
+If you leave out an .xml file from the **LoadState** command, all of the data in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified with the **ScanState** command will not apply. For example, if you leave out an .xml file, and it contains a rerouting rule such as: `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files, and they will be migrated to C:\\data.
+
+To modify the migration, do one or more of the following.
+
+- **Modify the migration .xml files.** If you want to exclude a portion of a component—for example, you want to migrate C:\\ but exclude all of the .mp3 files—or if you want to move data to a new location on the destination computer, modify the .xml files. To modify these files, you must be familiar with the migration rules and syntax. If you want **ScanState** and **LoadState** to use these files, specify them at the command line when each command is entered.
+
+- **Create a custom .xml file.** You can also create a custom .xml file to migrate settings for another application, or to change the migration behavior to suit your needs. For **ScanState** and **LoadState** to use this file, specify them on both command lines.
+
+- **Create and modify a Config.xml file.** Do this if you want to exclude an entire component from the migration. For example, you can use a Config.xml file to exclude the entire My Documents folder, or exclude the settings for an application. Excluding components using a Config.xml file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. In addition, using a Config.xml file is the only way to exclude the operating system settings from being migrated.
+
+For more information about excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic.
+
+## Migration .xml Files
+
+
+This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they are migrated to on the destination computer.
+
+**Note**
+You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character.
+
+
+
+- **The MigApp.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate application settings.
+
+- **The MigDocs.xml file.** Specify this file with both the **ScanState** and **LoadState** tools to migrate all user folders and files that are found by the **MigXmlHelper.GenerateDocPatterns** helper function. This helper function finds user data that resides on the root of any drive and in the Users directory. However, it does not find and migrate any application data, program files, or any files in the Windows directory. You can modify the MigDocs.xml file.
+
+- **The MigUser.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate user folders, files, and file types. You can modify the MigUser.xml file. This file does not contain rules that migrate specific user accounts. The only way to specify which user accounts to migrate is on the command line using the **ScanState** and the **LoadState** user options.
+
+ **Note**
+ Do not use the MigUser.xml and MigDocs.xml files together. For more information, see the [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) and [USMT Best Practices](usmt-best-practices.md) topics.
+
+
+
+## Custom .xml Files
+
+
+You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want **ScanState** and **LoadState** to use this file, specify it with both commands. For more information, see the How to Create a Custom .xml File topic.
+
+## The Config.xml File
+
+
+The Config.xml file is an optional file that you create using the **/genconfig** option with the **ScanState** command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. The Config.xml file format is different from that of the migration .xml files because it does not contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](usmt-configxml-file.md) topic. For this reason, excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in a Config.xml file.
+
+If you want to include all of the default components, you do not need to create the Config.xml file. Alternatively, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigDocs.xml, and MigUser.xml files, and you want to exclude only some components, you can create and modify a Config.xml file and leave the other .xml files in their original state.
+
+When you run the **ScanState** command with the **/genconfig** option, **ScanState** reads the other .xml files that you specify using the **/i** option to create a custom list of components that can be migrated from the computer. This file will contain only operating system components, applications, and the user document sections that are in both of the .xml files and that are installed on the computer when you run the **ScanState** command with the **/genconfig** option. Therefore, you should create this file on a source computer that contains all of the components, applications, and settings that will be present on the destination computers. This will ensure that this file contains every component that can be migrated. The components are organized into sections: <Applications>, <WindowsComponents>, and <Documents>. To choose not to migrate a component, change its entry to `migrate="no"`.
+
+After you create this file, you need to specify it only with the **ScanState** command using the **/Config** option for it to affect the migration. However, if you want to exclude additional data that you migrated to the store, modify the Config.xml file and specify the updated file with the **LoadState** command. For example, if you collected the My Documents folder in the store, but you decide that you do not want to migrate the My Documents folder to a destination computer, you can modify the Config.xml file to indicate `migrate="no"` before you run the **LoadState** command, and the file will not be migrated. For more information about the precedence that takes place when excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic.
+
+In addition, note the following functionality with the Config.xml file:
+
+- If a parent component is removed from the migration in the Config.xml file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`.
+
+- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no"` and the other line specifies `migrate="yes"`, the component will be migrated.
+
+- In USMT there are several migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. For more information, see the [Config.xml File](usmt-configxml-file.md) topic.
+
+**Note**
+To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration.
+
+
+
+### Examples
+
+- The following command creates a Config.xml file in the current directory, but it does not create a store:
+
+ `scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:5`
+
+- The following command creates an encrypted store using the Config.xml file and the default migration .xml files:
+
+ `scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:5 /encrypt /key:"mykey"`
+
+- The following command decrypts the store and migrates the files and settings:
+
+ `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:5 /decrypt /key:"mykey"`
+
+## Additional Information
+
+
+- For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) How-to topics](usmt-how-to.md).
+
+- For more information about each .xml element, see the [XML Elements Library](usmt-xml-elements-library.md) topic.
+
+- For answers to common questions, see ".xml files" in the [Frequently Asked Questions](usmt-faq.md) topic.
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
+
+[USMT Resources](usmt-resources.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
index 21a829f394..45bad6ef55 100644
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
@@ -1,279 +1,280 @@
----
-title: Exclude Files and Settings (Windows 10)
-description: Exclude Files and Settings
-ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Exclude Files and Settings
-When you specify the migration .xml files, MigApp.xml, Migdocs, and MigUser.xml, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a Config.xml file to exclude an entire component from a migration. You cannot, however, exclude users by using the migration .xml files or the Config.xml file. The only way to specify which users to include and exclude is by using the User options on the command line in the ScanState tool. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md).
-
-In this topic:
-
-- [Create a custom .xml file](#create-a-custom-xml-file). You can use the following elements to specify what to exclude:
-
- - include and exclude: You can use the <include> and <exclude> elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](usmt-conflicts-and-precedence.md) apply to these elements.
-
- - [unconditionalExclude](#example-1-how-to-migrate-all-files-from-c-except-mp3-files): You can use the <unconditionalExclude> element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other <include> rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData.
-
-- [Create a Config.xml File](#create-a-config-xml-file): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax.
-
-## Create a custom .xml file
-We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications.
-
-### <include> and <exclude>
-The migration .xml files, MigApp.xml, MigDocs, and MigUser.xml, contain the <component> element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the <include> and <exclude> elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md).
-
-**Note**
-If you specify an <exclude> rule, always specify a corresponding <include> rule. Otherwise, if you do not specify an <include> rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied <exclude> rule is unnecessary.
-
-- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files)
-
-- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp)
-
-- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders)
-
-- [Example 4: How to exclude a file from a specific folder](#example-4-how-to-exclude-a-file-from-a-specific-folder)
-
-- [Example 5: How to exclude a file from any location](#example-5-how-to-exclude-a-file-from-any-location)
-
-### Example 1: How to migrate all files from C:\\ except .mp3 files
-The following .xml file migrates all files located on the C: drive, except any .mp3 files.
-
-``` xml
-
-
-
- MP3 Files
-
-
-
-
- C:\* [*]
-
-
-
-
- C:\* [*.mp3]
-
-
-
-
-
-
-```
-### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp
-The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp.
-
-``` xml
-
-
- Test component
-
-
-
-
- C:\Data\* [*]
-
-
-
-
- C:\Data\temp\* [*]
-
-
-
-
-
-
-```
-
-### Example 3: How to exclude the files in a folder but include all subfolders
-The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts.
-
-``` xml
-
-
- Component to migrate all Engineering Drafts Documents without subfolders
-
-
-
-
- C:\EngineeringDrafts\* [*]
-
-
-
-
- C:\EngineeringDrafts\ [*]
-
-
-
-
-
-
-```
-
-### Example 4: How to exclude a file from a specific folder
-The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts.
-
-``` xml
-
-
- Component to migrate all Engineering Drafts Documents except Sample.doc
-
-
-
-
- C:\EngineeringDrafts\* [*]
-
-
-
-
- C:\EngineeringDrafts\ [Sample.doc]
-
-
-
-
-
-
-```
-
-### Example 5: How to exclude a file from any location
-To exclude a Sample.doc file from any location on the C: drive, use the <pattern> element. If multiple files exist with the same name on the C: drive, all of these files will be excluded.
-
-``` xml
- C:\* [Sample.doc]
-```
-
-To exclude a Sample.doc file from any drive on the computer, use the <script> element. If multiple files exist with the same name, all of these files will be excluded.
-
-``` xml
-
-```
-#### Examples of how to use XML to exclude files, folders, and registry keys
-Here are some examples of how to use XML to exclude files, folders, and registry keys. For more info, see [USMT XML Reference](usmt-xml-reference.md)
-
-**Example 1: How to exclude all .mp3 files**
-The following .xml file excludes all .mp3 files from the migration:
-
-``` xml
-
-
- Test
-
-
-
-
-
-
-
-
-
-
-
-```
-**Example 2: How to exclude all of the files on a specific drive**
-The following .xml file excludes only the files located on the C: drive.
-
-``` xml
-
-
- Test
-
-
-
-
- c:\*[*]
-
-
-
-
-
-
-```
-**Example 3: How to exclude registry keys**
-The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry key and all of its subkeys.
-
-``` xml
-
-
-
- Test
-
-
-
-
- HKCU\testReg[*]
-
-
-
-
- HKCU\*[*]
-
-
-
-
-
-
-```
-**Example 4: How to Exclude `C:\Windows` and `C:\Program Files`**
-The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the <unconditionalExclude> element takes precedence over the <include> element.
-
-``` xml
-
-
-
- Test
-
-
-
-
-
-
-
-
-
-
-
- C:\Program Files\* [*]
-C:\Windows\* [*]
-
-
-
-
-
-
-```
-## Create a Config XML File
-You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows.
-
-- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file.
-
-- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the <WindowsComponents> section.
-
-- **To exclude My Documents:** Specify `migrate="no"` for My Documents under the <Documents> section. Note that any <include> rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files will not.
-
-See [Config.xml File](usmt-configxml-file.md) for more information.
-
-**Note**
-To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration.
-
-## Related topics
-- [Customize USMT XML Files](usmt-customize-xml-files.md)
-- [USMT XML Reference](usmt-xml-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: Exclude Files and Settings (Windows 10)
+description: Exclude Files and Settings
+ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Exclude Files and Settings
+When you specify the migration .xml files, MigApp.xml, Migdocs, and MigUser.xml, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a Config.xml file to exclude an entire component from a migration. You cannot, however, exclude users by using the migration .xml files or the Config.xml file. The only way to specify which users to include and exclude is by using the User options on the command line in the ScanState tool. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md).
+
+In this topic:
+
+- [Create a custom .xml file](#create-a-custom-xml-file). You can use the following elements to specify what to exclude:
+
+ - include and exclude: You can use the <include> and <exclude> elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](usmt-conflicts-and-precedence.md) apply to these elements.
+
+ - [unconditionalExclude](#example-1-how-to-migrate-all-files-from-c-except-mp3-files): You can use the <unconditionalExclude> element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other <include> rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData.
+
+- [Create a Config.xml File](#create-a-config-xml-file): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax.
+
+## Create a custom .xml file
+We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications.
+
+### <include> and <exclude>
+The migration .xml files, MigApp.xml, MigDocs, and MigUser.xml, contain the <component> element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the <include> and <exclude> elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md).
+
+**Note**
+If you specify an <exclude> rule, always specify a corresponding <include> rule. Otherwise, if you do not specify an <include> rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied <exclude> rule is unnecessary.
+
+- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files)
+
+- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp)
+
+- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders)
+
+- [Example 4: How to exclude a file from a specific folder](#example-4-how-to-exclude-a-file-from-a-specific-folder)
+
+- [Example 5: How to exclude a file from any location](#example-5-how-to-exclude-a-file-from-any-location)
+
+### Example 1: How to migrate all files from C:\\ except .mp3 files
+The following .xml file migrates all files located on the C: drive, except any .mp3 files.
+
+``` xml
+
+
+
+ MP3 Files
+
+
+
+
+ C:\* [*]
+
+
+
+
+ C:\* [*.mp3]
+
+
+
+
+
+
+```
+### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp
+The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp.
+
+``` xml
+
+
+ Test component
+
+
+
+
+ C:\Data\* [*]
+
+
+
+
+ C:\Data\temp\* [*]
+
+
+
+
+
+
+```
+
+### Example 3: How to exclude the files in a folder but include all subfolders
+The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts.
+
+``` xml
+
+
+ Component to migrate all Engineering Drafts Documents without subfolders
+
+
+
+
+ C:\EngineeringDrafts\* [*]
+
+
+
+
+ C:\EngineeringDrafts\ [*]
+
+
+
+
+
+
+```
+
+### Example 4: How to exclude a file from a specific folder
+The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts.
+
+``` xml
+
+
+ Component to migrate all Engineering Drafts Documents except Sample.doc
+
+
+
+
+ C:\EngineeringDrafts\* [*]
+
+
+
+
+ C:\EngineeringDrafts\ [Sample.doc]
+
+
+
+
+
+
+```
+
+### Example 5: How to exclude a file from any location
+To exclude a Sample.doc file from any location on the C: drive, use the <pattern> element. If multiple files exist with the same name on the C: drive, all of these files will be excluded.
+
+``` xml
+ C:\* [Sample.doc]
+```
+
+To exclude a Sample.doc file from any drive on the computer, use the <script> element. If multiple files exist with the same name, all of these files will be excluded.
+
+``` xml
+
+```
+#### Examples of how to use XML to exclude files, folders, and registry keys
+Here are some examples of how to use XML to exclude files, folders, and registry keys. For more info, see [USMT XML Reference](usmt-xml-reference.md)
+
+**Example 1: How to exclude all .mp3 files**
+The following .xml file excludes all .mp3 files from the migration:
+
+``` xml
+
+
+ Test
+
+
+
+
+
+
+
+
+
+
+
+```
+**Example 2: How to exclude all of the files on a specific drive**
+The following .xml file excludes only the files located on the C: drive.
+
+``` xml
+
+
+ Test
+
+
+
+
+ c:\*[*]
+
+
+
+
+
+
+```
+**Example 3: How to exclude registry keys**
+The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry key and all of its subkeys.
+
+``` xml
+
+
+
+ Test
+
+
+
+
+ HKCU\testReg[*]
+
+
+
+
+ HKCU\*[*]
+
+
+
+
+
+
+```
+**Example 4: How to Exclude `C:\Windows` and `C:\Program Files`**
+The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the <unconditionalExclude> element takes precedence over the <include> element.
+
+``` xml
+
+
+
+ Test
+
+
+
+
+
+
+
+
+
+
+
+ C:\Program Files\* [*]
+C:\Windows\* [*]
+
+
+
+
+
+
+```
+## Create a Config XML File
+You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows.
+
+- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file.
+
+- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the <WindowsComponents> section.
+
+- **To exclude My Documents:** Specify `migrate="no"` for My Documents under the <Documents> section. Note that any <include> rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files will not.
+
+See [Config.xml File](usmt-configxml-file.md) for more information.
+
+**Note**
+To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration.
+
+## Related topics
+- [Customize USMT XML Files](usmt-customize-xml-files.md)
+- [USMT XML Reference](usmt-xml-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
index 6a97acb78b..3033623b75 100644
--- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
@@ -1,122 +1,123 @@
----
-title: Extract Files from a Compressed USMT Migration Store (Windows 10)
-description: Extract Files from a Compressed USMT Migration Store
-ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Extract Files from a Compressed USMT Migration Store
-
-
-When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **Usmtutils** command with the **/extract** option to recover the files from the compressed migration store. You can also use the **Usmtutils** command with the **/extract** option any time you need to recover data from a migration store.
-
-Options used with the **/extract** option can specify:
-
-- The cryptographic algorithm that was used to create the migration store.
-
-- The encryption key or the text file that contains the encryption key.
-
-- Include and exclude patterns for selective data extraction.
-
-In addition, you can specify the file patterns that you want to extract by using the **/i** option to include file patterns or the **/e** option to exclude file patterns. When both the **/i** option and the **/e** option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the ScanState and LoadState tools.
-
-## In this topic
-
-
-- [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax)
-
-- [To extract all files from a compressed migration store](#bkmk-extractallfiles)
-
-- [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles)
-
-- [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern)
-
-- [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles)
-
-### To run the USMTutils tool with the /extract option
-
-To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax:
-
-Cd /d <USMTpath> usmtutils /extract <filePath> <destinationPath> \[/i:<includePattern>\] \[/e:<excludePattern>\] \[/l:<logfile>\] \[/decrypt\[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] \[/o\]
-
-Where the placeholders have the following values:
-
-- *<USMTpath>* is the location where you have saved the USMT files and tools.
-
-- *<filePath>* is the location of the migration store.
-
-- *<destination path>* is the location of the file where you want the **/extract** option to put the extracted migration store contents.
-
-- *<includePattern>* specifies the pattern for the files to include in the extraction.
-
-- *<excludePattern>* specifies the pattern for the files to omit from the extraction.
-
-- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line.
-
-- *<logfile>* is the location and name of the log file.
-
-- *<keystring>* is the encryption key that was used to encrypt the migration store.
-
-- *<filename>* is the location and name of the text file that contains the encryption key.
-
-### To extract all files from a compressed migration store
-
-To extract everything from a compressed migration store to a file on the C:\\ drive, type:
-
-``` syntax
-usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore
-```
-
-### To extract specific file types from an encrypted compressed migration store
-
-To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type:
-
-``` syntax
-usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt
-```
-
-In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey.
-
-### To extract all but one, or more, file types from an encrypted compressed migration store
-
-To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type:
-
-``` syntax
-usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt
-```
-
-### To extract file types using the include pattern and the exclude pattern
-
-To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example:
-
-``` syntax
-usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o
-```
-
-In this example, if there is a myProject.exe file, it will also be extracted because the include pattern option takes precedence over the exclude pattern option.
-
-## Related topics
-
-
-[UsmtUtils Syntax](usmt-utilities.md)
-
-[Return Codes](usmt-return-codes.md)
-
-[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)
-
-
-
-
-
-
-
-
-
+---
+title: Extract Files from a Compressed USMT Migration Store (Windows 10)
+description: Extract Files from a Compressed USMT Migration Store
+ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Extract Files from a Compressed USMT Migration Store
+
+
+When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **Usmtutils** command with the **/extract** option to recover the files from the compressed migration store. You can also use the **Usmtutils** command with the **/extract** option any time you need to recover data from a migration store.
+
+Options used with the **/extract** option can specify:
+
+- The cryptographic algorithm that was used to create the migration store.
+
+- The encryption key or the text file that contains the encryption key.
+
+- Include and exclude patterns for selective data extraction.
+
+In addition, you can specify the file patterns that you want to extract by using the **/i** option to include file patterns or the **/e** option to exclude file patterns. When both the **/i** option and the **/e** option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the ScanState and LoadState tools.
+
+## In this topic
+
+
+- [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax)
+
+- [To extract all files from a compressed migration store](#bkmk-extractallfiles)
+
+- [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles)
+
+- [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern)
+
+- [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles)
+
+### To run the USMTutils tool with the /extract option
+
+To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax:
+
+Cd /d <USMTpath> usmtutils /extract <filePath> <destinationPath> \[/i:<includePattern>\] \[/e:<excludePattern>\] \[/l:<logfile>\] \[/decrypt\[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] \[/o\]
+
+Where the placeholders have the following values:
+
+- *<USMTpath>* is the location where you have saved the USMT files and tools.
+
+- *<filePath>* is the location of the migration store.
+
+- *<destination path>* is the location of the file where you want the **/extract** option to put the extracted migration store contents.
+
+- *<includePattern>* specifies the pattern for the files to include in the extraction.
+
+- *<excludePattern>* specifies the pattern for the files to omit from the extraction.
+
+- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line.
+
+- *<logfile>* is the location and name of the log file.
+
+- *<keystring>* is the encryption key that was used to encrypt the migration store.
+
+- *<filename>* is the location and name of the text file that contains the encryption key.
+
+### To extract all files from a compressed migration store
+
+To extract everything from a compressed migration store to a file on the C:\\ drive, type:
+
+``` syntax
+usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore
+```
+
+### To extract specific file types from an encrypted compressed migration store
+
+To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type:
+
+``` syntax
+usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt
+```
+
+In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey.
+
+### To extract all but one, or more, file types from an encrypted compressed migration store
+
+To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type:
+
+``` syntax
+usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt
+```
+
+### To extract file types using the include pattern and the exclude pattern
+
+To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example:
+
+``` syntax
+usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o
+```
+
+In this example, if there is a myProject.exe file, it will also be extracted because the include pattern option takes precedence over the exclude pattern option.
+
+## Related topics
+
+
+[UsmtUtils Syntax](usmt-utilities.md)
+
+[Return Codes](usmt-return-codes.md)
+
+[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-faq.md b/windows/deployment/usmt/usmt-faq.md
index 49092e9f6f..ff083650c6 100644
--- a/windows/deployment/usmt/usmt-faq.md
+++ b/windows/deployment/usmt/usmt-faq.md
@@ -1,137 +1,138 @@
----
-title: Frequently Asked Questions (Windows 10)
-description: Frequently Asked Questions
-ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Frequently Asked Questions
-
-
-The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.
-
-## General
-
-
-### How much space is needed on the destination computer?
-
-The destination computer needs enough available space for the following:
-
-- Operating system
-
-- Applications
-
-- Uncompressed store
-
-### Can I store the files and settings directly on the destination computer or do I need a server?
-
-You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps:
-
-1. Create and share the directory C:\\store on the destination computer.
-
-2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store
-
-3. Run the LoadState tool on the destination computer and specify C:\\store as the store location.
-
-### Can I migrate data between operating systems with different languages?
-
-No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language.
-
-### Can I change the location of the temporary directory on the destination computer?
-
-Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media.
-
-### How do I install USMT?
-
-Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer.
-
-### How do I uninstall USMT?
-
-If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT.
-
-## Files and Settings
-
-
-### How can I exclude a folder or a certain type of file from the migration?
-
-You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md).
-
-### What happens to files that were located on a drive that does not exist on the destination computer?
-
-USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer.
-
-## USMT .xml Files
-
-
-### Where can I get examples of USMT .xml files?
-
-The following topics include examples of USMT .xml files:
-
-- [Exclude Files and Settings](usmt-exclude-files-and-settings.md)
-
-- [Reroute Files and Settings](usmt-reroute-files-and-settings.md)
-
-- [Include Files and Settings](usmt-include-files-and-settings.md)
-
-- [Custom XML Examples](usmt-custom-xml-examples.md)
-
-### Can I use custom .xml files that were written for USMT 5.0?
-
-Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements.
-
-### How can I validate the .xml files?
-
-You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files.
-
-### Why must I list the .xml files with both the ScanState and LoadState commands?
-
-The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate.
-
-If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data.
-
-### Which files can I modify and specify on the command line?
-
-You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file.
-
-### What happens if I do not specify the .xml files on the command line?
-
-- **ScanState**
-
- If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated.
-
-- **LoadState**
-
- If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data.
-
-## Conflicts and Precedence
-
-
-### What happens when there are conflicting XML rules or conflicting objects on the destination computer?
-
-For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-
-[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)
-
-[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)
-
-
-
-
-
-
-
-
-
+---
+title: Frequently Asked Questions (Windows 10)
+description: Frequently Asked Questions
+ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Frequently Asked Questions
+
+
+The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.
+
+## General
+
+
+### How much space is needed on the destination computer?
+
+The destination computer needs enough available space for the following:
+
+- Operating system
+
+- Applications
+
+- Uncompressed store
+
+### Can I store the files and settings directly on the destination computer or do I need a server?
+
+You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps:
+
+1. Create and share the directory C:\\store on the destination computer.
+
+2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store
+
+3. Run the LoadState tool on the destination computer and specify C:\\store as the store location.
+
+### Can I migrate data between operating systems with different languages?
+
+No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language.
+
+### Can I change the location of the temporary directory on the destination computer?
+
+Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media.
+
+### How do I install USMT?
+
+Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer.
+
+### How do I uninstall USMT?
+
+If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT.
+
+## Files and Settings
+
+
+### How can I exclude a folder or a certain type of file from the migration?
+
+You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md).
+
+### What happens to files that were located on a drive that does not exist on the destination computer?
+
+USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer.
+
+## USMT .xml Files
+
+
+### Where can I get examples of USMT .xml files?
+
+The following topics include examples of USMT .xml files:
+
+- [Exclude Files and Settings](usmt-exclude-files-and-settings.md)
+
+- [Reroute Files and Settings](usmt-reroute-files-and-settings.md)
+
+- [Include Files and Settings](usmt-include-files-and-settings.md)
+
+- [Custom XML Examples](usmt-custom-xml-examples.md)
+
+### Can I use custom .xml files that were written for USMT 5.0?
+
+Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements.
+
+### How can I validate the .xml files?
+
+You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files.
+
+### Why must I list the .xml files with both the ScanState and LoadState commands?
+
+The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate.
+
+If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data.
+
+### Which files can I modify and specify on the command line?
+
+You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file.
+
+### What happens if I do not specify the .xml files on the command line?
+
+- **ScanState**
+
+ If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated.
+
+- **LoadState**
+
+ If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data.
+
+## Conflicts and Precedence
+
+
+### What happens when there are conflicting XML rules or conflicting objects on the destination computer?
+
+For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+
+[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)
+
+[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md
index 3439d25d7a..419b5652f7 100644
--- a/windows/deployment/usmt/usmt-general-conventions.md
+++ b/windows/deployment/usmt/usmt-general-conventions.md
@@ -1,106 +1,107 @@
----
-title: General Conventions (Windows 10)
-description: General Conventions
-ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# General Conventions
-
-
-This topic describes the XML helper functions.
-
-## In This Topic
-
-
-[General XML Guidelines](#bkmk-general)
-
-[Helper Functions](#bkmk-helperfunctions)
-
-## General XML Guidelines
-
-
-Before you modify the .xml files, become familiar with the following guidelines:
-
-- **XML schema**
-
- You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files.
-
-- **Conflits**
-
- In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
-- **Required elements**
-
- The required elements for a migration .xml file are **<migration>**, **<component>**, **<role>**, and **<rules>**.
-
-- **Required child elements**
-
- - USMT does not fail with an error if you do not specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration.
-
- - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `` in **<namedElements>**, and you specify `` in **<component>** to refer to this element, the definition inside **<namedElements>** must have the required child elements, but the **<component>** element does not need to have the required child elements.
-
-- **File names with brackets**
-
- If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named **file].txt**, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`.
-
-- **Using quotation marks**
-
- When you surround code in quotation marks, you can use either double ("") or single (') quotation marks.
-
-## Helper Functions
-
-
-You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following:
-
-- **All of the parameters are strings**
-
-- **You can leave NULL parameters blank**
-
- As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function:
-
- ``` syntax
- SomeFunction("My String argument",NULL,NULL)
- ```
-
- is equivalent to:
-
- ``` syntax
- SomeFunction("My String argument")
- ```
-
-- **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object**
-
- It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves.
-
- For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters.
-
- The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**.
-
-- **You specify a location pattern in a way that is similar to how you specify an actual location**
-
- The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf.
-
- For example, the pattern **c:\\Windows\\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**.
-
-## Related topics
-
-
-[USMT XML Reference](usmt-xml-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: General Conventions (Windows 10)
+description: General Conventions
+ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# General Conventions
+
+
+This topic describes the XML helper functions.
+
+## In This Topic
+
+
+[General XML Guidelines](#bkmk-general)
+
+[Helper Functions](#bkmk-helperfunctions)
+
+## General XML Guidelines
+
+
+Before you modify the .xml files, become familiar with the following guidelines:
+
+- **XML schema**
+
+ You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files.
+
+- **Conflits**
+
+ In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+
+- **Required elements**
+
+ The required elements for a migration .xml file are **<migration>**, **<component>**, **<role>**, and **<rules>**.
+
+- **Required child elements**
+
+ - USMT does not fail with an error if you do not specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration.
+
+ - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `` in **<namedElements>**, and you specify `` in **<component>** to refer to this element, the definition inside **<namedElements>** must have the required child elements, but the **<component>** element does not need to have the required child elements.
+
+- **File names with brackets**
+
+ If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named **file].txt**, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`.
+
+- **Using quotation marks**
+
+ When you surround code in quotation marks, you can use either double ("") or single (') quotation marks.
+
+## Helper Functions
+
+
+You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following:
+
+- **All of the parameters are strings**
+
+- **You can leave NULL parameters blank**
+
+ As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function:
+
+ ``` syntax
+ SomeFunction("My String argument",NULL,NULL)
+ ```
+
+ is equivalent to:
+
+ ``` syntax
+ SomeFunction("My String argument")
+ ```
+
+- **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object**
+
+ It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves.
+
+ For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters.
+
+ The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**.
+
+- **You specify a location pattern in a way that is similar to how you specify an actual location**
+
+ The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf.
+
+ For example, the pattern **c:\\Windows\\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**.
+
+## Related topics
+
+
+[USMT XML Reference](usmt-xml-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md
index 5c8bbb6d9b..03499dcd72 100644
--- a/windows/deployment/usmt/usmt-how-it-works.md
+++ b/windows/deployment/usmt/usmt-how-it-works.md
@@ -1,150 +1,151 @@
----
-title: How USMT Works (Windows 10)
-description: How USMT Works
-ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# How USMT Works
-
-
-USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer.
-
-- [ScanState Process](#bkmk-ssprocess)
-
-- [LoadState Process](#bkmk-lsprocess)
-
- **Note**
- For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
-
-
-## The ScanState Process
-
-
-When you run the ScanState tool on the source computer, it goes through the following process:
-
-1. It parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging.
-
-2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component.
-
- There are three types of components:
-
- - Components that migrate the operating system settings
-
- - Components that migrate application settings
-
- - Components that migrate users’ files
-
- The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line.
-
- In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file.
-
-3. ScanState determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you cannot exclude these profiles from the migration.
-
-4. In the "Scanning" phase, ScanState does the following for each user profile selected for migration:
-
- 1. For each component, ScanState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored.
-
- **Note**
- From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way.
-
-
-
- 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory.
-
- 3. For each selected component, ScanState evaluates the <detects> section. If the condition in the <detects> section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues.
-
- 4. For each selected component, ScanState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored.
-
- 5. ScanState creates a list of migration units that need to be migrated by processing the various subsections under this <rules> section. Each unit is collected if it is mentioned in an <include> subsection, as long as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence in the .xml files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
- In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an <UnconditionalExclude> section is not migrated.
-
- **Note**
- ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer.
-
-
-
-5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile.
-
-6. In the "Saving" phase, ScanState writes the migration units that were collected to the store location.
-
- **Note**
- ScanState does not modify the source computer in any way.
-
-
-
-## The LoadState Process
-
-
-The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer.
-
-1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging.
-
-2. LoadState collects information about the migration components that need to be migrated.
-
- LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command.
-
- In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file.
-
-3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration.
-
- - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the/lac command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated.
-
- - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified.
-
- - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md).
-
-4. In the "Scanning" phase, LoadState does the following for each user profile:
-
- 1. For each component, LoadState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored.
-
- **Note**
- From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way.
-
-
-
- 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory).
-
- **Note**
- LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration.
-
-
-
- 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored.
-
- 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
- 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections.
-
- 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState.
-
- **Important**
- It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran.
-
-
-
-5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed.
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
-
-
-
-
-
-
-
-
-
+---
+title: How USMT Works (Windows 10)
+description: How USMT Works
+ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# How USMT Works
+
+
+USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer.
+
+- [ScanState Process](#bkmk-ssprocess)
+
+- [LoadState Process](#bkmk-lsprocess)
+
+ **Note**
+ For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+
+
+
+## The ScanState Process
+
+
+When you run the ScanState tool on the source computer, it goes through the following process:
+
+1. It parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging.
+
+2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component.
+
+ There are three types of components:
+
+ - Components that migrate the operating system settings
+
+ - Components that migrate application settings
+
+ - Components that migrate users’ files
+
+ The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line.
+
+ In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file.
+
+3. ScanState determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you cannot exclude these profiles from the migration.
+
+4. In the "Scanning" phase, ScanState does the following for each user profile selected for migration:
+
+ 1. For each component, ScanState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored.
+
+ **Note**
+ From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way.
+
+
+
+ 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory.
+
+ 3. For each selected component, ScanState evaluates the <detects> section. If the condition in the <detects> section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues.
+
+ 4. For each selected component, ScanState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored.
+
+ 5. ScanState creates a list of migration units that need to be migrated by processing the various subsections under this <rules> section. Each unit is collected if it is mentioned in an <include> subsection, as long as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence in the .xml files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+
+ In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an <UnconditionalExclude> section is not migrated.
+
+ **Note**
+ ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer.
+
+
+
+5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile.
+
+6. In the "Saving" phase, ScanState writes the migration units that were collected to the store location.
+
+ **Note**
+ ScanState does not modify the source computer in any way.
+
+
+
+## The LoadState Process
+
+
+The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer.
+
+1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging.
+
+2. LoadState collects information about the migration components that need to be migrated.
+
+ LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command.
+
+ In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file.
+
+3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration.
+
+ - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the/lac command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated.
+
+ - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified.
+
+ - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md).
+
+4. In the "Scanning" phase, LoadState does the following for each user profile:
+
+ 1. For each component, LoadState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored.
+
+ **Note**
+ From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way.
+
+
+
+ 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory).
+
+ **Note**
+ LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration.
+
+
+
+ 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored.
+
+ 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+
+ 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections.
+
+ 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState.
+
+ **Important**
+ It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran.
+
+
+
+5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed.
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md
index 9fdba24603..76b904d0d7 100644
--- a/windows/deployment/usmt/usmt-how-to.md
+++ b/windows/deployment/usmt/usmt-how-to.md
@@ -1,35 +1,36 @@
----
-title: User State Migration Tool (USMT) How-to topics (Windows 10)
-description: User State Migration Tool (USMT) How-to topics
-ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# User State Migration Tool (USMT) How-to topics
-The following table lists topics that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks.
-
-## In This Section
-
-|Topic |Description|
-|------|-----------|
-|[Exclude Files and Settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.|
-|[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.|
-|[Include Files and Settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.|
-|[Migrate Application Settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file does not include by default.|
-|[Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.|
-|[Migrate User Accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.|
-|[Reroute Files and Settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.|
-|[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.|
-
-## Related topics
-- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
-- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-- [User State Migration Toolkit (USMT) Reference](usmt-reference.md)
+---
+title: User State Migration Tool (USMT) How-to topics (Windows 10)
+description: User State Migration Tool (USMT) How-to topics
+ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# User State Migration Tool (USMT) How-to topics
+The following table lists topics that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks.
+
+## In This Section
+
+|Topic |Description|
+|------|-----------|
+|[Exclude Files and Settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.|
+|[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.|
+|[Include Files and Settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.|
+|[Migrate Application Settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file does not include by default.|
+|[Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.|
+|[Migrate User Accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.|
+|[Reroute Files and Settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.|
+|[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.|
+
+## Related topics
+- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+- [User State Migration Toolkit (USMT) Reference](usmt-reference.md)
diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
index 45cd2a17a7..d19e2d5a66 100644
--- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
+++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
@@ -1,51 +1,52 @@
----
-title: Identify File Types, Files, and Folders (Windows 10)
-description: Identify File Types, Files, and Folders
-ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Identify File Types, Files, and Folders
-
-
-When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents.** , **C:\\Data** , and company-specified locations, such as **\\EngineeringDrafts**. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following:
-
-- **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses .doc, .docx and .dotx file name extension. However, it also uses other file types, such as templates (.dot files), on a less frequent basis.
-
-- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, %WINDIR% and Program Files).
-
-- **New locations**. Decide where files should be migrated to on the destination computer for example, \\My Documents, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. This can be accomplished with location modify rules.
-
-Once you have verified which files and file types that the end users work with regularly, you will need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer.
-
-**To find the registered file types on a computer running Windows 7 or Windows 8**
-
-1. Click **Start**. Open **Control Panel**, click **Control Panel Home**, and click **Programs**.
-
-2. Click **Default Programs**, and click **Associate a file type or protocol with a program**.
-
-3. On this screen, the registered file types are displayed.
-
-For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md).
-
-## Related topics
-
-
-[Determine What to Migrate](usmt-determine-what-to-migrate.md)
-
-
-
-
-
-
-
-
-
+---
+title: Identify File Types, Files, and Folders (Windows 10)
+description: Identify File Types, Files, and Folders
+ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Identify File Types, Files, and Folders
+
+
+When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents.** , **C:\\Data** , and company-specified locations, such as **\\EngineeringDrafts**. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following:
+
+- **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses .doc, .docx and .dotx file name extension. However, it also uses other file types, such as templates (.dot files), on a less frequent basis.
+
+- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, %WINDIR% and Program Files).
+
+- **New locations**. Decide where files should be migrated to on the destination computer for example, \\My Documents, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. This can be accomplished with location modify rules.
+
+Once you have verified which files and file types that the end users work with regularly, you will need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer.
+
+**To find the registered file types on a computer running Windows 7 or Windows 8**
+
+1. Click **Start**. Open **Control Panel**, click **Control Panel Home**, and click **Programs**.
+
+2. Click **Default Programs**, and click **Associate a file type or protocol with a program**.
+
+3. On this screen, the registered file types are displayed.
+
+For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md).
+
+## Related topics
+
+
+[Determine What to Migrate](usmt-determine-what-to-migrate.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
index 706f2c6a6e..7b4c6e95c6 100644
--- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
+++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
@@ -1,55 +1,56 @@
----
-title: Migrate EFS Files and Certificates (Windows 10)
-description: Migrate EFS Files and Certificates
-ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Migrate EFS Files and Certificates
-
-
-This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the **/efs** For options, see [ScanState Syntax](usmt-scanstate-syntax.md).
-
-## To Migrate EFS Files and Certificates
-
-
-Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found (unless you specify an **/efs** option). Therefore, you must specify **/efs:abort | skip | decryptcopy | copyraw | hardlink** with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated.
-
-**Note**
-The **/efs** options are not used with the LoadState command.
-
-
-
-Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool.
-
-You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt type:
-
-``` syntax
-Cipher /D /S:
-```
-
-Where *<Path>* is the full path of the topmost parent directory where the encryption attribute is set.
-
-## Related topics
-
-
-[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
-
-[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md)
-
-
-
-
-
-
-
-
-
+---
+title: Migrate EFS Files and Certificates (Windows 10)
+description: Migrate EFS Files and Certificates
+ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Migrate EFS Files and Certificates
+
+
+This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the **/efs** For options, see [ScanState Syntax](usmt-scanstate-syntax.md).
+
+## To Migrate EFS Files and Certificates
+
+
+Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found (unless you specify an **/efs** option). Therefore, you must specify **/efs:abort | skip | decryptcopy | copyraw | hardlink** with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated.
+
+**Note**
+The **/efs** options are not used with the LoadState command.
+
+
+
+Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool.
+
+You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt type:
+
+``` syntax
+Cipher /D /S:
+```
+
+Where *<Path>* is the full path of the topmost parent directory where the encryption attribute is set.
+
+## Related topics
+
+
+[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
+
+[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md
index 663964c7eb..c697169088 100644
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md
+++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md
@@ -1,96 +1,97 @@
----
-title: Migrate User Accounts (Windows 10)
-description: Migrate User Accounts
-ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Migrate User Accounts
-
-
-By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You cannot specify users in the migration XML files or by using the Config.xml file.
-
-## In this Topic
-
-
-- [To migrate all user accounts and user settings](#bkmk-migrateall)
-
-- [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo)
-
-- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone)
-
-## To migrate all user accounts and user settings
-Links to detailed explanations of commands are available in the Related Topics section.
-
-1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window:
-
- `scanstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /o`
-
-2. Log on to the destination computer as an administrator.
-
-3. Do one of the following:
-
- - If you are migrating domain accounts, specify:
-
- `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml`
-
- - If you are migrating local accounts along with domain accounts, specify:
-
- `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /lac /lae`
-
- **Note**
- You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer.
-
-
-
-## To migrate two domain accounts (User1 and User2)
-Links to detailed explanations of commands are available in the Related Topics section.
-
-1. Log on to the source computer as an administrator, and specify:
-
- `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:migdocs.xml /i:migapp.xml /o`
-
-2. Log on to the destination computer as an administrator.
-
-3. Specify the following:
-
- `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml`
-
-## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain
-Links to detailed explanations of commands are available in the Related Topics section.
-
-1. Log on to the source computer as an administrator, and type the following at the command-line prompt:
-
- `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:migdocs.xml /i:migapp.xml /o`
-
-2. Log on to the destination computer as an administrator.
-
-3. Specify the following:
-
- `loadstate \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:migdocs.xml /i:migapp.xml`
-
-## Related topics
-
-
-[Identify Users](usmt-identify-users.md)
-
-[ScanState Syntax](usmt-scanstate-syntax.md)
-
-[LoadState Syntax](usmt-loadstate-syntax.md)
-
-
-
-
-
-
-
-
-
+---
+title: Migrate User Accounts (Windows 10)
+description: Migrate User Accounts
+ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Migrate User Accounts
+
+
+By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You cannot specify users in the migration XML files or by using the Config.xml file.
+
+## In this Topic
+
+
+- [To migrate all user accounts and user settings](#bkmk-migrateall)
+
+- [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo)
+
+- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone)
+
+## To migrate all user accounts and user settings
+Links to detailed explanations of commands are available in the Related Topics section.
+
+1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window:
+
+ `scanstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /o`
+
+2. Log on to the destination computer as an administrator.
+
+3. Do one of the following:
+
+ - If you are migrating domain accounts, specify:
+
+ `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml`
+
+ - If you are migrating local accounts along with domain accounts, specify:
+
+ `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /lac /lae`
+
+ **Note**
+ You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer.
+
+
+
+## To migrate two domain accounts (User1 and User2)
+Links to detailed explanations of commands are available in the Related Topics section.
+
+1. Log on to the source computer as an administrator, and specify:
+
+ `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:migdocs.xml /i:migapp.xml /o`
+
+2. Log on to the destination computer as an administrator.
+
+3. Specify the following:
+
+ `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml`
+
+## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain
+Links to detailed explanations of commands are available in the Related Topics section.
+
+1. Log on to the source computer as an administrator, and type the following at the command-line prompt:
+
+ `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:migdocs.xml /i:migapp.xml /o`
+
+2. Log on to the destination computer as an administrator.
+
+3. Specify the following:
+
+ `loadstate \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:migdocs.xml /i:migapp.xml`
+
+## Related topics
+
+
+[Identify Users](usmt-identify-users.md)
+
+[ScanState Syntax](usmt-scanstate-syntax.md)
+
+[LoadState Syntax](usmt-loadstate-syntax.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md
index 6d80871901..4dfd12bcc1 100644
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@@ -1,60 +1,61 @@
----
-title: User State Migration Tool (USMT) Overview (Windows 10)
-description: User State Migration Tool (USMT) Overview
-ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 10/16/2017
-ms.topic: article
----
-
-# User State Migration Tool (USMT) Overview
-You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md).
-
-USMT enables you to do the following:
-
-- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md).
-
-- Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md).
-
-- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md).
-
-## Benefits
-USMT provides the following benefits to businesses that are deploying Windows operating systems:
-
-- Safely migrates user accounts, operating system and application settings.
-
-- Lowers the cost of deploying Windows by preserving user state.
-
-- Reduces end-user downtime required to customize desktops and find missing files.
-
-- Reduces help-desk calls.
-
-- Reduces the time needed for the user to become familiar with the new operating system.
-
-- Increases employee satisfaction with the migration experience.
-
-## Limitations
-USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink.
-
-There are some scenarios in which the use of USMT is not recommended. These include:
-
-- Migrations that require end-user interaction.
-
-- Migrations that require customization on a machine-by-machine basis.
-
-## Related topics
-- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md)
-
-
-
-
-
-
-
-
+---
+title: User State Migration Tool (USMT) Overview (Windows 10)
+description: User State Migration Tool (USMT) Overview
+ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 10/16/2017
+ms.topic: article
+---
+
+# User State Migration Tool (USMT) Overview
+You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md).
+
+USMT enables you to do the following:
+
+- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md).
+
+- Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md).
+
+- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md).
+
+## Benefits
+USMT provides the following benefits to businesses that are deploying Windows operating systems:
+
+- Safely migrates user accounts, operating system and application settings.
+
+- Lowers the cost of deploying Windows by preserving user state.
+
+- Reduces end-user downtime required to customize desktops and find missing files.
+
+- Reduces help-desk calls.
+
+- Reduces the time needed for the user to become familiar with the new operating system.
+
+- Increases employee satisfaction with the migration experience.
+
+## Limitations
+USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink.
+
+There are some scenarios in which the use of USMT is not recommended. These include:
+
+- Migrations that require end-user interaction.
+
+- Migrations that require customization on a machine-by-machine basis.
+
+## Related topics
+- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md)
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md
index 1fa60664bd..0371e15cdc 100644
--- a/windows/deployment/usmt/usmt-plan-your-migration.md
+++ b/windows/deployment/usmt/usmt-plan-your-migration.md
@@ -1,71 +1,72 @@
----
-title: Plan Your Migration (Windows 10)
-description: Plan Your Migration
-ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Plan Your Migration
-
-
-Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure.
-
-In migration planning, both organizations and individuals must first identify what to migrate, including user settings, applications and application settings, and personal data files and folders. Identifying the applications to migrate is especially important so that you can avoid capturing data about applications that may be phased out.
-
-One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you will not install on the destination system is redundant. This can also introduce instability in a newly deployed computer.
-
-## In This Section
-
-
-
Test your migration before you deploy Windows to all users.
-
-
-
-
-
-
-## Related topics
-
-
-[USMT XML Reference](usmt-xml-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: Plan Your Migration (Windows 10)
+description: Plan Your Migration
+ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Plan Your Migration
+
+
+Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure.
+
+In migration planning, both organizations and individuals must first identify what to migrate, including user settings, applications and application settings, and personal data files and folders. Identifying the applications to migrate is especially important so that you can avoid capturing data about applications that may be phased out.
+
+One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you will not install on the destination system is redundant. This can also introduce instability in a newly deployed computer.
+
+## In This Section
+
+
+
Test your migration before you deploy Windows to all users.
+
+
+
+
+
+
+## Related topics
+
+
+[USMT XML Reference](usmt-xml-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index d2862feb9a..0b9ce17b6e 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -1,470 +1,471 @@
----
-title: Recognized Environment Variables (Windows 10)
-description: Recognized Environment Variables
-ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Recognized Environment Variables
-
-
-When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the documents folder may be C:\\Users\\<Username>\\My Documents on one computer and C:\\Documents and Settings on another. You can use the asterisk (\*) wildcard character in MigUser.xml, MigApp.xml and MigDoc.xml files. However, you cannot use the asterisk (\*) wildcard characters in the Config.xml file.
-
-## In This Topic
-
-
-- [Variables that are processed for the operating system and in the context of each user](#bkmk-1)
-
-- [Variables that are recognized only in the user context](#bkmk-2)
-
-## Variables that are processed for the operating system and in the context of each user
-
-
-You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`.
-
-
-
-
-
-
-
-
-
Variable
-
Explanation
-
-
-
-
-
ALLUSERSAPPDATA
-
Same as CSIDL_COMMON_APPDATA.
-
-
-
ALLUSERSPROFILE
-
Refers to %PROFILESFOLDER%\Public or %PROFILESFOLDER%\all users.
-
-
-
COMMONPROGRAMFILES
-
Same as CSIDL_PROGRAM_FILES_COMMON.
-
-
-
COMMONPROGRAMFILES(X86)
-
Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.
-
-
-
CSIDL_COMMON_ADMINTOOLS
-
Version 10.0. The file-system directory that contains administrative tools for all users of the computer.
-
-
-
CSIDL_COMMON_ALTSTARTUP
-
The file-system directory that corresponds to the non-localized Startup program group for all users.
-
-
-
CSIDL_COMMON_APPDATA
-
The file-system directory that contains application data for all users. A typical path Windows is C:\ProgramData.
-
-
-
CSIDL_COMMON_DESKTOPDIRECTORY
-
The file-system directory that contains files and folders that appear on the desktop for all users. A typical Windows® XP path is C:\Documents and Settings\All Users\Desktop. A typical path is C:\Users\Public\Desktop.
-
-
-
CSIDL_COMMON_DOCUMENTS
-
The file-system directory that contains documents that are common to all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Documents. A typical path is C:\Users\Public\Documents.
-
-
-
CSIDL_COMMON_FAVORITES
-
The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites.
-
-
-
CSIDL_COMMON_MUSIC
-
The file-system directory that serves as a repository for music files common to all users. A typical path is C:\Users\Public\Music.
-
-
-
CSIDL_COMMON_PICTURES
-
The file-system directory that serves as a repository for image files common to all users. A typical path is C:\Users\Public\Pictures.
-
-
-
CSIDL_COMMON_PROGRAMS
-
The file-system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs.
-
-
-
CSIDL_COMMON_STARTMENU
-
The file-system directory that contains the programs and folders which appear on the Start menu for all users. A typical path in Windows is C:\ProgramData\Microsoft\Windows\Start Menu.
-
-
-
CSIDL_COMMON_STARTUP
-
The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.
-
-
-
CSIDL_COMMON_TEMPLATES
-
The file-system directory that contains the templates that are available to all users. A typical path is C:\ProgramData\Microsoft\Windows\Templates.
-
-
-
CSIDL_COMMON_VIDEO
-
The file-system directory that serves as a repository for video files common to all users. A typical path is C:\Users\Public\Videos.
-
-
-
CSIDL_DEFAULT_APPDATA
-
Refers to the Appdata folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_LOCAL_APPDATA
-
Refers to the local Appdata folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_COOKIES
-
Refers to the Cookies folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_CONTACTS
-
Refers to the Contacts folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_DESKTOP
-
Refers to the Desktop folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_DOWNLOADS
-
Refers to the Downloads folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_FAVORITES
-
Refers to the Favorites folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_HISTORY
-
Refers to the History folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_INTERNET_CACHE
-
Refers to the Internet Cache folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_PERSONAL
-
Refers to the Personal folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_MYDOCUMENTS
-
Refers to the My Documents folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_MYPICTURES
-
Refers to the My Pictures folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_MYMUSIC
-
Refers to the My Music folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_MYVIDEO
-
Refers to the My Videos folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_RECENT
-
Refers to the Recent folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_SENDTO
-
Refers to the Send To folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_STARTMENU
-
Refers to the Start Menu folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_PROGRAMS
-
Refers to the Programs folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_STARTUP
-
Refers to the Startup folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_TEMPLATES
-
Refers to the Templates folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_DEFAULT_QUICKLAUNCH
-
Refers to the Quick Launch folder inside %DEFAULTUSERPROFILE%.
-
-
-
CSIDL_FONTS
-
A virtual folder containing fonts. A typical path is C:\Windows\Fonts.
-
-
-
CSIDL_PROGRAM_FILESX86
-
The Program Files folder on 64-bit systems. A typical path is C:\Program Files(86).
-
-
-
CSIDL_PROGRAM_FILES_COMMONX86
-
A folder for components that are shared across applications on 64-bit systems. A typical path is C:\Program Files(86)\Common.
-
-
-
CSIDL_PROGRAM_FILES
-
The Program Files folder. A typical path is C:\Program Files.
-
-
-
CSIDL_PROGRAM_FILES_COMMON
-
A folder for components that are shared across applications. A typical path is C:\Program Files\Common.
-
-
-
CSIDL_RESOURCES
-
The file-system directory that contains resource data. A typical path is C:\Windows\Resources.
-
-
-
CSIDL_SYSTEM
-
The Windows System folder. A typical path is C:\Windows\System32.
-
-
-
CSIDL_WINDOWS
-
The Windows directory or system root. This corresponds to the %WINDIR% or %SYSTEMROOT% environment variables. A typical path is C:\Windows.
-
-
-
DEFAULTUSERPROFILE
-
Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile].
-
-
-
PROFILESFOLDER
-
Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory].
-
-
-
PROGRAMFILES
-
Same as CSIDL_PROGRAM_FILES.
-
-
-
PROGRAMFILES(X86)
-
Refers to the C:\Program Files (x86) folder on 64-bit systems.
-
-
-
SYSTEM
-
Refers to %WINDIR%\system32.
-
-
-
SYSTEM16
-
Refers to %WINDIR%\system.
-
-
-
SYSTEM32
-
Refers to %WINDIR%\system32.
-
-
-
SYSTEMPROFILE
-
Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath].
-
-
-
SYSTEMROOT
-
Refers to the root of the system drive.
-
-
-
WINDIR
-
Refers to the Windows folder located on the system drive.
-
-
-
-
-
-
-## Variables that are recognized only in the user context
-
-
-You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`.
-
-
-
-
-
-
-
-
-
Variable
-
Explanation
-
-
-
-
-
APPDATA
-
Same as CSIDL_APPDATA.
-
-
-
CSIDL_ADMINTOOLS
-
The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile.
-
-
-
CSIDL_ALTSTARTUP
-
The file-system directory that corresponds to the user's non-localized Startup program group.
-
-
-
CSIDL_APPDATA
-
The file-system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\username\Application Data or C:\Users\username\AppData\Roaming.
-
-
-
CSIDL_BITBUCKET
-
The virtual folder that contains the objects in the user's Recycle Bin.
-
-
-
CSIDL_CDBURN_AREA
-
The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning.
-
-
-
CSIDL_CONNECTIONS
-
The virtual folder representing Network Connections that contains network and dial-up connections.
-
-
-
CSIDL_CONTACTS
-
This refers to the Contacts folder in %CSIDL_PROFILE%.
-
-
-
CSIDL_CONTROLS
-
The virtual folder that contains icons for the Control Panel items.
-
-
-
CSIDL_COOKIES
-
The file-system directory that serves as a common repository for Internet cookies. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies.
-
-
-
CSIDL_DESKTOP
-
The virtual folder representing the Windows desktop.
-
-
-
CSIDL_DESKTOPDIRECTORY
-
The file-system directory used to physically store file objects on the desktop, which should not be confused with the desktop folder itself. A typical path is C:\Users\username\Desktop.
-
-
-
CSIDL_DRIVES
-
The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives.
-
-
-
CSIDL_FAVORITES
-
The file-system directory that serves as a common repository for the user's favorites. A typical path is C:\Users\Username\Favorites.
-
-
-
CSIDL_HISTORY
-
The file-system directory that serves as a common repository for Internet history items.
-
-
-
CSIDL_INTERNET
-
A virtual folder for Internet Explorer.
-
-
-
CSIDL_INTERNET_CACHE
-
The file-system directory that serves as a common repository for temporary Internet files. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files
-
-
-
CSIDL_LOCAL_APPDATA
-
The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is C:\Users\username\AppData\Local.
-
-
-
CSIDL_MYDOCUMENTS
-
The virtual folder representing My Documents.A typical path is C:\Users\Username\Documents.
-
-
-
CSIDL_MYMUSIC
-
The file-system directory that serves as a common repository for music files. A typical path is C:\Users\Username\Music.
-
-
-
CSIDL_MYPICTURES
-
The file-system directory that serves as a common repository for image files. A typical path is C:\Users\Username\Pictures.
-
-
-
CSIDL_MYVIDEO
-
The file-system directory that serves as a common repository for video files. A typical path is C:\Users\Username\Videos.
-
-
-
CSIDL_NETHOOD
-
A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts.
-
-
-
CSIDL_NETWORK
-
A virtual folder representing My Network Places, the root of the network namespace hierarchy.
-
-
-
CSIDL_PERSONAL
-
The virtual folder representing the My Documents desktop item. This is equivalent to CSIDL_MYDOCUMENTS.
-
A typical path is C:\Documents and Settings\username\My Documents.
-
-
-
CSIDL_PLAYLISTS
-
The virtual folder used to store play albums, typically C:\Users\username\My Music\Playlists.
-
-
-
CSIDL_PRINTERS
-
The virtual folder that contains installed printers.
-
-
-
CSIDL_PRINTHOOD
-
The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Printer Shortcuts.
-
-
-
CSIDL_PROFILE
-
The user's profile folder. A typical path is C:\Users\Username.
-
-
-
CSIDL_PROGRAMS
-
The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.
-
-
-
CSIDL_RECENT
-
The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent.
-
-
-
CSIDL_SENDTO
-
The file-system directory that contains Send To menu items. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\SendTo.
-
-
-
CSIDL_STARTMENU
-
The file-system directory that contains Start menu items. A typical path in Windows XP is C:\Documents and Settings\username\Start Menu. A typical path in Windows Vista, Windows 7, or Windows 8 is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu.
-
-
-
CSIDL_STARTUP
-
The file-system directory that corresponds to the user's Startup program group. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
-
-
-
CSIDL_TEMPLATES
-
The file-system directory that serves as a common repository for document templates. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Templates.
-
-
-
HOMEPATH
-
Same as the standard environment variable.
-
-
-
TEMP
-
The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.
-
-
-
TMP
-
The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.
-
-
-
USERPROFILE
-
Same as CSIDL_PROFILE.
-
-
-
USERSID
-
Represents the current user-account security identifier (SID). For example,
-
S-1-5-21-1714567821-1326601894-715345443-1026.
-
-
-
-
-
-
-## Related topics
-
-
-[USMT XML Reference](usmt-xml-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: Recognized Environment Variables (Windows 10)
+description: Recognized Environment Variables
+ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Recognized Environment Variables
+
+
+When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the documents folder may be C:\\Users\\<Username>\\My Documents on one computer and C:\\Documents and Settings on another. You can use the asterisk (\*) wildcard character in MigUser.xml, MigApp.xml and MigDoc.xml files. However, you cannot use the asterisk (\*) wildcard characters in the Config.xml file.
+
+## In This Topic
+
+
+- [Variables that are processed for the operating system and in the context of each user](#bkmk-1)
+
+- [Variables that are recognized only in the user context](#bkmk-2)
+
+## Variables that are processed for the operating system and in the context of each user
+
+
+You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`.
+
+
+
+
+
+
+
+
+
Variable
+
Explanation
+
+
+
+
+
ALLUSERSAPPDATA
+
Same as CSIDL_COMMON_APPDATA.
+
+
+
ALLUSERSPROFILE
+
Refers to %PROFILESFOLDER%\Public or %PROFILESFOLDER%\all users.
+
+
+
COMMONPROGRAMFILES
+
Same as CSIDL_PROGRAM_FILES_COMMON.
+
+
+
COMMONPROGRAMFILES(X86)
+
Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.
+
+
+
CSIDL_COMMON_ADMINTOOLS
+
Version 10.0. The file-system directory that contains administrative tools for all users of the computer.
+
+
+
CSIDL_COMMON_ALTSTARTUP
+
The file-system directory that corresponds to the non-localized Startup program group for all users.
+
+
+
CSIDL_COMMON_APPDATA
+
The file-system directory that contains application data for all users. A typical path Windows is C:\ProgramData.
+
+
+
CSIDL_COMMON_DESKTOPDIRECTORY
+
The file-system directory that contains files and folders that appear on the desktop for all users. A typical Windows® XP path is C:\Documents and Settings\All Users\Desktop. A typical path is C:\Users\Public\Desktop.
+
+
+
CSIDL_COMMON_DOCUMENTS
+
The file-system directory that contains documents that are common to all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Documents. A typical path is C:\Users\Public\Documents.
+
+
+
CSIDL_COMMON_FAVORITES
+
The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites.
+
+
+
CSIDL_COMMON_MUSIC
+
The file-system directory that serves as a repository for music files common to all users. A typical path is C:\Users\Public\Music.
+
+
+
CSIDL_COMMON_PICTURES
+
The file-system directory that serves as a repository for image files common to all users. A typical path is C:\Users\Public\Pictures.
+
+
+
CSIDL_COMMON_PROGRAMS
+
The file-system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs.
+
+
+
CSIDL_COMMON_STARTMENU
+
The file-system directory that contains the programs and folders which appear on the Start menu for all users. A typical path in Windows is C:\ProgramData\Microsoft\Windows\Start Menu.
+
+
+
CSIDL_COMMON_STARTUP
+
The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.
+
+
+
CSIDL_COMMON_TEMPLATES
+
The file-system directory that contains the templates that are available to all users. A typical path is C:\ProgramData\Microsoft\Windows\Templates.
+
+
+
CSIDL_COMMON_VIDEO
+
The file-system directory that serves as a repository for video files common to all users. A typical path is C:\Users\Public\Videos.
+
+
+
CSIDL_DEFAULT_APPDATA
+
Refers to the Appdata folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_LOCAL_APPDATA
+
Refers to the local Appdata folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_COOKIES
+
Refers to the Cookies folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_CONTACTS
+
Refers to the Contacts folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_DESKTOP
+
Refers to the Desktop folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_DOWNLOADS
+
Refers to the Downloads folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_FAVORITES
+
Refers to the Favorites folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_HISTORY
+
Refers to the History folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_INTERNET_CACHE
+
Refers to the Internet Cache folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_PERSONAL
+
Refers to the Personal folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_MYDOCUMENTS
+
Refers to the My Documents folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_MYPICTURES
+
Refers to the My Pictures folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_MYMUSIC
+
Refers to the My Music folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_MYVIDEO
+
Refers to the My Videos folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_RECENT
+
Refers to the Recent folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_SENDTO
+
Refers to the Send To folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_STARTMENU
+
Refers to the Start Menu folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_PROGRAMS
+
Refers to the Programs folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_STARTUP
+
Refers to the Startup folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_TEMPLATES
+
Refers to the Templates folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_DEFAULT_QUICKLAUNCH
+
Refers to the Quick Launch folder inside %DEFAULTUSERPROFILE%.
+
+
+
CSIDL_FONTS
+
A virtual folder containing fonts. A typical path is C:\Windows\Fonts.
+
+
+
CSIDL_PROGRAM_FILESX86
+
The Program Files folder on 64-bit systems. A typical path is C:\Program Files(86).
+
+
+
CSIDL_PROGRAM_FILES_COMMONX86
+
A folder for components that are shared across applications on 64-bit systems. A typical path is C:\Program Files(86)\Common.
+
+
+
CSIDL_PROGRAM_FILES
+
The Program Files folder. A typical path is C:\Program Files.
+
+
+
CSIDL_PROGRAM_FILES_COMMON
+
A folder for components that are shared across applications. A typical path is C:\Program Files\Common.
+
+
+
CSIDL_RESOURCES
+
The file-system directory that contains resource data. A typical path is C:\Windows\Resources.
+
+
+
CSIDL_SYSTEM
+
The Windows System folder. A typical path is C:\Windows\System32.
+
+
+
CSIDL_WINDOWS
+
The Windows directory or system root. This corresponds to the %WINDIR% or %SYSTEMROOT% environment variables. A typical path is C:\Windows.
+
+
+
DEFAULTUSERPROFILE
+
Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile].
+
+
+
PROFILESFOLDER
+
Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory].
+
+
+
PROGRAMFILES
+
Same as CSIDL_PROGRAM_FILES.
+
+
+
PROGRAMFILES(X86)
+
Refers to the C:\Program Files (x86) folder on 64-bit systems.
+
+
+
SYSTEM
+
Refers to %WINDIR%\system32.
+
+
+
SYSTEM16
+
Refers to %WINDIR%\system.
+
+
+
SYSTEM32
+
Refers to %WINDIR%\system32.
+
+
+
SYSTEMPROFILE
+
Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath].
+
+
+
SYSTEMROOT
+
Refers to the root of the system drive.
+
+
+
WINDIR
+
Refers to the Windows folder located on the system drive.
+
+
+
+
+
+
+## Variables that are recognized only in the user context
+
+
+You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`.
+
+
+
+
+
+
+
+
+
Variable
+
Explanation
+
+
+
+
+
APPDATA
+
Same as CSIDL_APPDATA.
+
+
+
CSIDL_ADMINTOOLS
+
The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile.
+
+
+
CSIDL_ALTSTARTUP
+
The file-system directory that corresponds to the user's non-localized Startup program group.
+
+
+
CSIDL_APPDATA
+
The file-system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\username\Application Data or C:\Users\username\AppData\Roaming.
+
+
+
CSIDL_BITBUCKET
+
The virtual folder that contains the objects in the user's Recycle Bin.
+
+
+
CSIDL_CDBURN_AREA
+
The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning.
+
+
+
CSIDL_CONNECTIONS
+
The virtual folder representing Network Connections that contains network and dial-up connections.
+
+
+
CSIDL_CONTACTS
+
This refers to the Contacts folder in %CSIDL_PROFILE%.
+
+
+
CSIDL_CONTROLS
+
The virtual folder that contains icons for the Control Panel items.
+
+
+
CSIDL_COOKIES
+
The file-system directory that serves as a common repository for Internet cookies. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies.
+
+
+
CSIDL_DESKTOP
+
The virtual folder representing the Windows desktop.
+
+
+
CSIDL_DESKTOPDIRECTORY
+
The file-system directory used to physically store file objects on the desktop, which should not be confused with the desktop folder itself. A typical path is C:\Users\username\Desktop.
+
+
+
CSIDL_DRIVES
+
The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives.
+
+
+
CSIDL_FAVORITES
+
The file-system directory that serves as a common repository for the user's favorites. A typical path is C:\Users\Username\Favorites.
+
+
+
CSIDL_HISTORY
+
The file-system directory that serves as a common repository for Internet history items.
+
+
+
CSIDL_INTERNET
+
A virtual folder for Internet Explorer.
+
+
+
CSIDL_INTERNET_CACHE
+
The file-system directory that serves as a common repository for temporary Internet files. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files
+
+
+
CSIDL_LOCAL_APPDATA
+
The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is C:\Users\username\AppData\Local.
+
+
+
CSIDL_MYDOCUMENTS
+
The virtual folder representing My Documents.A typical path is C:\Users\Username\Documents.
+
+
+
CSIDL_MYMUSIC
+
The file-system directory that serves as a common repository for music files. A typical path is C:\Users\Username\Music.
+
+
+
CSIDL_MYPICTURES
+
The file-system directory that serves as a common repository for image files. A typical path is C:\Users\Username\Pictures.
+
+
+
CSIDL_MYVIDEO
+
The file-system directory that serves as a common repository for video files. A typical path is C:\Users\Username\Videos.
+
+
+
CSIDL_NETHOOD
+
A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts.
+
+
+
CSIDL_NETWORK
+
A virtual folder representing My Network Places, the root of the network namespace hierarchy.
+
+
+
CSIDL_PERSONAL
+
The virtual folder representing the My Documents desktop item. This is equivalent to CSIDL_MYDOCUMENTS.
+
A typical path is C:\Documents and Settings\username\My Documents.
+
+
+
CSIDL_PLAYLISTS
+
The virtual folder used to store play albums, typically C:\Users\username\My Music\Playlists.
+
+
+
CSIDL_PRINTERS
+
The virtual folder that contains installed printers.
+
+
+
CSIDL_PRINTHOOD
+
The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Printer Shortcuts.
+
+
+
CSIDL_PROFILE
+
The user's profile folder. A typical path is C:\Users\Username.
+
+
+
CSIDL_PROGRAMS
+
The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.
+
+
+
CSIDL_RECENT
+
The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent.
+
+
+
CSIDL_SENDTO
+
The file-system directory that contains Send To menu items. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\SendTo.
+
+
+
CSIDL_STARTMENU
+
The file-system directory that contains Start menu items. A typical path in Windows XP is C:\Documents and Settings\username\Start Menu. A typical path in Windows Vista, Windows 7, or Windows 8 is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu.
+
+
+
CSIDL_STARTUP
+
The file-system directory that corresponds to the user's Startup program group. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
+
+
+
CSIDL_TEMPLATES
+
The file-system directory that serves as a common repository for document templates. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Templates.
+
+
+
HOMEPATH
+
Same as the standard environment variable.
+
+
+
TEMP
+
The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.
+
+
+
TMP
+
The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.
+
+
+
USERPROFILE
+
Same as CSIDL_PROFILE.
+
+
+
USERSID
+
Represents the current user-account security identifier (SID). For example,
+
S-1-5-21-1714567821-1326601894-715345443-1026.
+
+
+
+
+
+
+## Related topics
+
+
+[USMT XML Reference](usmt-xml-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md
index c5bcd4193c..a95bb1e788 100644
--- a/windows/deployment/usmt/usmt-reference.md
+++ b/windows/deployment/usmt/usmt-reference.md
@@ -1,77 +1,78 @@
----
-title: User State Migration Toolkit (USMT) Reference (Windows 10)
-description: User State Migration Toolkit (USMT) Reference
-ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# User State Migration Toolkit (USMT) Reference
-
-
-## In This Section
-
-
-
Find requirements, best practices, and other considerations for performing a migration offline.
+
+
+
+
+
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+
+[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
+
+[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md
index eaaa49a5d4..2925570b27 100644
--- a/windows/deployment/usmt/usmt-resources.md
+++ b/windows/deployment/usmt/usmt-resources.md
@@ -1,50 +1,51 @@
----
-title: USMT Resources (Windows 10)
-description: USMT Resources
-ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# USMT Resources
-
-
-## USMT Online Resources
-
-
-- [ADK Release Notes](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx)
-
-- Microsoft Visual Studio
-
- - You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®.
-
- For more information about how to use the schema with your XML authoring environment, see the environment’s documentation.
-
-- [Ask the Directory Services Team blog](https://go.microsoft.com/fwlink/p/?LinkId=226365)
-
-- Forums:
-
- - [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=226386)
-
- - [Configuration Manager Operating System Deployment](https://go.microsoft.com/fwlink/p/?LinkId=226388)
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
-
-
-
-
-
-
-
-
-
+---
+title: USMT Resources (Windows 10)
+description: USMT Resources
+ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# USMT Resources
+
+
+## USMT Online Resources
+
+
+- [ADK Release Notes](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx)
+
+- Microsoft Visual Studio
+
+ - You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®.
+
+ For more information about how to use the schema with your XML authoring environment, see the environment’s documentation.
+
+- [Ask the Directory Services Team blog](https://go.microsoft.com/fwlink/p/?LinkId=226365)
+
+- Forums:
+
+ - [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=226386)
+
+ - [Configuration Manager Operating System Deployment](https://go.microsoft.com/fwlink/p/?LinkId=226388)
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-return-codes.md b/windows/deployment/usmt/usmt-return-codes.md
index c137197a5c..b019994baa 100644
--- a/windows/deployment/usmt/usmt-return-codes.md
+++ b/windows/deployment/usmt/usmt-return-codes.md
@@ -1,786 +1,787 @@
----
-title: Return Codes (Windows 10)
-description: Return Codes
-ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Return Codes
-
-
-This topic describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this topic provides tips to help you use the logfiles to determine why you received an error.
-
-Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md).
-
-## In This Topic
-
-
-[USMT Return Codes](#bkmk-returncodes)
-
-[USMT Error Messages](#bkmk-errormessages)
-
-[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors)
-
-## USMT Return Codes
-
-
-If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps.
-
-Return codes are grouped into the following broad categories that describe their area of error reporting:
-
-Success or User Cancel
-
-Invalid Command Lines
-
-Setup and Initialization
-
-Non-fatal Errors
-
-Fatal Errors
-
-As a best practice, we recommend that you set verbosity level to 5, **/v**:5, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger.
-
-## USMT Error Messages
-
-
-Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received.
-
-You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=147060).
-
-## Troubleshooting Return Codes and Error Messages
-
-
-The following table lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions.
-
-
-
-
-
-
-
-
-
-
-
-
Return code value
-
Return code
-
Error message
-
Troubleshooting, mitigation, workarounds
-
Category
-
-
-
-
-
0
-
USMT_SUCCESS
-
Successful run
-
Not applicable
-
Success or Cancel
-
-
-
1
-
USMT_DISPLAY_HELP
-
Command line help requested
-
Not applicable
-
Success or Cancel
-
-
-
2
-
USMT_STATUS_CANCELED
-
Gather was aborted because of an EFS file
-
Not applicable
-
-
-
-
-
-
User chose to cancel (such as pressing CTRL+C)
-
Not applicable
-
Success or Cancel
-
-
-
3
-
USMT_WOULD_HAVE_FAILED
-
At least one error was skipped as a result of /c
-
Review ScanState, LoadState, or UsmtUtils log for details about command-line errors.
-
-
-
-
11
-
USMT_INVALID_PARAMETERS
-
/all conflicts with /ui, /ue or /uel
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
/auto expects an optional parameter for the script folder
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
/encrypt can't be used with /nocompress
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
/encrypt requires /key or /keyfile
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
/genconfig can't be used with most other options
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
/genmigxml can't be used with most other options
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
/hardlink requires /nocompress
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
/key and /keyfile both specified
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
/key or /keyfile used without enabling encryption
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
/lae is only used with /lac
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
/listfiles cannot be used with /p
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
/offline requires a valid path to an XML file describing offline paths
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
/offlinewindir requires a valid path to offline windows folder
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
/offlinewinold requires a valid path to offline windows folder
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
A command was already specified
-
Verify that the command-line syntax is correct and that there are no duplicate commands.
-
-
-
-
-
-
An option argument is missing
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
An option is specified more than once and is ambiguous
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed.
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
Command line arguments are required. Specify /? for options.
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
Command line option is not valid
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
EFS parameter specified is not valid for /efs
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
File argument is invalid for /genconfig
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
File argument is invalid for /genmigxml
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
Invalid space estimate path. Check the parameters and/or file system permissions
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
List file path argument is invalid for /listfiles
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
Retry argument must be an integer
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
Settings store argument specified is invalid
-
Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.
-
-
-
-
-
-
Specified encryption algorithm is not supported
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
The /efs:hardlink requires /hardlink
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
The store parameter is required but not specified
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
The source-to-target domain mapping is invalid for /md
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
The source-to-target user account mapping is invalid for /mu
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
Undefined or incomplete command line option
-
Review ScanState log or LoadState log for details about command-line errors.
-
Invalid Command Lines
-
-
-
-
-
Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
User exclusion argument is invalid
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08)
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
Volume shadow copy feature is not supported with a hardlink store
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
-
-
Wait delay argument must be an integer
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
12
-
USMT_ERROR_OPTION_PARAM_TOO_LARGE
-
Command line arguments cannot exceed 256 characters
-
Review ScanState log or LoadState log for details about command-line errors.
-
Invalid Command Lines
-
-
-
-
-
Specified settings store path exceeds the maximum allowed length of 256 characters
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
13
-
USMT_INIT_LOGFILE_FAILED
-
Log path argument is invalid for /l
-
When /l is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct.
-
Invalid Command Lines
-
-
-
14
-
USMT_ERROR_USE_LAC
-
Unable to create a local account because /lac was not specified
-
When creating local accounts, the command-line options /lac and /lae should be used.
-
Invalid Command Lines
-
-
-
26
-
USMT_INIT_ERROR
-
Multiple Windows installations found
-
Listfiles.txt could not be created. Verify that the location you specified for the creation of this file is valid.
-
Setup and Initialization
-
-
-
-
-
Software malfunction or unknown exception
-
Check all loaded .xml files for errors, common error when using /I to load the Config.xml file.
-
-
-
-
-
-
Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries
-
Verify that the offline input file is present and that it has valid entries. USMT could not find valid offline operating system. Verify your offline directory mapping.
-
-
-
-
27
-
USMT_INVALID_STORE_LOCATION
-
A store path can't be used because an existing store exists; specify /o to overwrite
-
Specify /o to overwrite an existing intermediate or migration store.
-
Setup and Initialization
-
-
-
-
-
A store path is missing or has incomplete data
-
Make sure that the store path is accessible and that the proper permission levels are set.
-
-
-
-
-
-
An error occurred during store creation
-
Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.
-
-
-
-
-
-
An inappropriate device such as a floppy disk was specified for the store
-
Make sure that the store path is accessible and that the proper permission levels are set.
-
-
-
-
-
-
Invalid store path; check the store parameter and/or file system permissions
-
Invalid store path; check the store parameter and/or file system permissions
-
-
-
-
-
-
The file layout and/or file content is not recognized as a valid store
-
Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.
-
-
-
-
-
-
The store path holds a store incompatible with the current USMT version
-
Make sure that the store path is accessible and that the proper permission levels are set.
-
-
-
-
-
-
The store save location is read-only or does not support a requested storage option
-
Make sure that the store path is accessible and that the proper permission levels are set.
-
-
-
-
28
-
USMT_UNABLE_GET_SCRIPTFILES
-
Script file is invalid for /i
-
Check all specified migration .xml files for errors. This is a common error when using /i to load the Config.xml file.
-
Setup and Initialization
-
-
-
-
-
Unable to find a script file specified by /i
-
Verify the location of your script files, and ensure that the command-line options are correct.
-
-
-
-
29
-
USMT_FAILED_MIGSTARTUP
-
A minimum of 250 MB of free space is required for temporary files
-
Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable USMT_WORKING_DIR=<path> to redirect the temporary files working directory.
-
Setup and Initialization
-
-
-
-
-
Another process is preventing migration; only one migration tool can run at a time
-
Check the ScanState log file for migration .xml file errors.
-
-
-
-
-
-
Failed to start main processing, look in log for system errors or check the installation
-
Check the ScanState log file for migration .xml file errors.
-
-
-
-
-
-
Migration failed because of an XML error; look in the log for specific details
-
Check the ScanState log file for migration .xml file errors.
-
-
-
-
-
-
Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table
-
Check the ScanState log file for migration .xml file errors.
-
-
-
-
31
-
USMT_UNABLE_FINDMIGUNITS
-
An error occurred during the discover phase; the log should have more specific information
-
Check the ScanState log file for migration .xml file errors.
-
Setup and Initialization
-
-
-
32
-
USMT_FAILED_SETMIGRATIONTYPE
-
An error occurred processing the migration system
-
Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.
-
Setup and Initialization
-
-
-
33
-
USMT_UNABLE_READKEY
-
Error accessing the file specified by the /keyfile parameter
-
Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.
-
Setup and Initialization
-
-
-
-
-
The encryption key must have at least one character
-
Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.
-
-
-
-
34
-
USMT_ERROR_INSUFFICIENT_RIGHTS
-
Directory removal requires elevated privileges
-
Log on as Administrator, and run with elevated privileges.
-
Setup and Initialization
-
-
-
-
-
No rights to create user profiles; log in as Administrator; run with elevated privileges
-
Log on as Administrator, and run with elevated privileges.
-
-
-
-
-
-
No rights to read or delete user profiles; log in as Administrator, run with elevated privileges
-
Log on as Administrator, and run with elevated privileges.
-
-
-
-
35
-
USMT_UNABLE_DELETE_STORE
-
A reboot is required to remove the store
-
Reboot to delete any files that could not be deleted when the command was executed.
-
Setup and Initialization
-
-
-
-
-
A store path can't be used because it contains data that could not be overwritten
-
A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use USMTUtils /rd command to delete the store.
-
-
-
-
-
-
There was an error removing the store
-
Review ScanState log or LoadState log for details about command-line errors.
-
-
-
-
36
-
USMT_ERROR_UNSUPPORTED_PLATFORM
-
Compliance check failure; please check the logs for details
-
Investigate whether there is an active temporary profile on the system.
-
Setup and Initialization
-
-
-
-
-
Use of /offline is not supported during apply
-
The /offline command was not used while running in the Windows Preinstallation Environment (WinPE).
-
-
-
-
-
-
Use /offline to run gather on this platform
-
The /offline command was not used while running in WinPE.
-
-
-
-
37
-
USMT_ERROR_NO_INVALID_KEY
-
The store holds encrypted data but the correct encryption key was not provided
-
Verify that you have included the correct encryption /key or /keyfile.
-
Setup and Initialization
-
-
-
38
-
USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE
-
An error occurred during store access
-
Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.
-
Setup and Initialization
-
-
-
39
-
USMT_UNABLE_TO_READ_CONFIG_FILE
-
Error reading Config.xml
-
Review ScanState log or LoadState log for details about command-line errors in the Config.xml file.
-
Setup and Initialization
-
-
-
-
-
File argument is invalid for /config
-
Check the command line you used to load the Config.xml file. You can use online Help by typing /? on the command line.
-
-
-
-
40
-
USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG
-
Error writing to the progress log
-
The Progress log could not be created. Verify that the location is valid and that you have write access.
-
Setup and Initialization
-
-
-
-
-
Progress log argument is invalid for /progress
-
The Progress log could not be created. Verify that the location is valid and that you have write access.
-
-
-
-
41
-
USMT_PREFLIGHT_FILE_CREATION_FAILED
-
Can't overwrite existing file
-
The Progress log could not be created. Verify that the location is valid and that you have write access.
-
Setup and Initialization
-
-
-
-
-
Invalid space estimate path. Check the parameters and/or file system permissions
-
Review ScanState log or LoadState log for details about command-line errors.
USMT exited but can continue with the /c command-line option, with the optional configurable <ErrorControl> section or by using the /vsc command-line option.
-
Non-fatal Errors
-
-
-
71
-
USMT_INIT_OPERATING_ENVIRONMENT_FAILED
-
A Windows Win32 API error occurred
-
Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.
-
Fatal Errors
-
-
-
-
-
An error occurred when attempting to initialize the diagnostic mechanisms such as the log
-
Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.
-
-
-
-
-
-
Failed to record diagnostic information
-
Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.
-
-
-
-
-
-
Unable to start. Make sure you are running USMT with elevated privileges
-
Exit USMT and log in again with elevated privileges.
-
-
-
-
72
-
USMT_UNABLE_DOMIGRATION
-
An error occurred closing the store
-
Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.
-
Fatal Errors
-
-
-
-
-
An error occurred in the apply process
-
Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.
-
-
-
-
-
-
An error occurred in the gather process
-
Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.
-
-
-
-
-
-
Out of disk space while writing the store
-
Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.
-
-
-
-
-
-
Out of temporary disk space on the local system
-
Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.
-
-
-
-
-
-
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-
-[Log Files](usmt-log-files.md)
-
-
-
-
-
-
-
-
-
+---
+title: Return Codes (Windows 10)
+description: Return Codes
+ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Return Codes
+
+
+This topic describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this topic provides tips to help you use the logfiles to determine why you received an error.
+
+Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md).
+
+## In This Topic
+
+
+[USMT Return Codes](#bkmk-returncodes)
+
+[USMT Error Messages](#bkmk-errormessages)
+
+[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors)
+
+## USMT Return Codes
+
+
+If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps.
+
+Return codes are grouped into the following broad categories that describe their area of error reporting:
+
+Success or User Cancel
+
+Invalid Command Lines
+
+Setup and Initialization
+
+Non-fatal Errors
+
+Fatal Errors
+
+As a best practice, we recommend that you set verbosity level to 5, **/v**:5, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger.
+
+## USMT Error Messages
+
+
+Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received.
+
+You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=147060).
+
+## Troubleshooting Return Codes and Error Messages
+
+
+The following table lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions.
+
+
+
+
+
+
+
+
+
+
+
+
Return code value
+
Return code
+
Error message
+
Troubleshooting, mitigation, workarounds
+
Category
+
+
+
+
+
0
+
USMT_SUCCESS
+
Successful run
+
Not applicable
+
Success or Cancel
+
+
+
1
+
USMT_DISPLAY_HELP
+
Command line help requested
+
Not applicable
+
Success or Cancel
+
+
+
2
+
USMT_STATUS_CANCELED
+
Gather was aborted because of an EFS file
+
Not applicable
+
+
+
+
+
+
User chose to cancel (such as pressing CTRL+C)
+
Not applicable
+
Success or Cancel
+
+
+
3
+
USMT_WOULD_HAVE_FAILED
+
At least one error was skipped as a result of /c
+
Review ScanState, LoadState, or UsmtUtils log for details about command-line errors.
+
+
+
+
11
+
USMT_INVALID_PARAMETERS
+
/all conflicts with /ui, /ue or /uel
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
/auto expects an optional parameter for the script folder
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
/encrypt can't be used with /nocompress
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
/encrypt requires /key or /keyfile
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
/genconfig can't be used with most other options
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
/genmigxml can't be used with most other options
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
/hardlink requires /nocompress
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
/key and /keyfile both specified
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
/key or /keyfile used without enabling encryption
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
/lae is only used with /lac
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
/listfiles cannot be used with /p
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
/offline requires a valid path to an XML file describing offline paths
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
/offlinewindir requires a valid path to offline windows folder
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
/offlinewinold requires a valid path to offline windows folder
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
A command was already specified
+
Verify that the command-line syntax is correct and that there are no duplicate commands.
+
+
+
+
+
+
An option argument is missing
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
An option is specified more than once and is ambiguous
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed.
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
Command line arguments are required. Specify /? for options.
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
Command line option is not valid
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
EFS parameter specified is not valid for /efs
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
File argument is invalid for /genconfig
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
File argument is invalid for /genmigxml
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
Invalid space estimate path. Check the parameters and/or file system permissions
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
List file path argument is invalid for /listfiles
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
Retry argument must be an integer
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
Settings store argument specified is invalid
+
Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.
+
+
+
+
+
+
Specified encryption algorithm is not supported
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
The /efs:hardlink requires /hardlink
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
The store parameter is required but not specified
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
The source-to-target domain mapping is invalid for /md
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
The source-to-target user account mapping is invalid for /mu
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
Undefined or incomplete command line option
+
Review ScanState log or LoadState log for details about command-line errors.
+
Invalid Command Lines
+
+
+
+
+
Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
User exclusion argument is invalid
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08)
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
Volume shadow copy feature is not supported with a hardlink store
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
+
+
Wait delay argument must be an integer
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
12
+
USMT_ERROR_OPTION_PARAM_TOO_LARGE
+
Command line arguments cannot exceed 256 characters
+
Review ScanState log or LoadState log for details about command-line errors.
+
Invalid Command Lines
+
+
+
+
+
Specified settings store path exceeds the maximum allowed length of 256 characters
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
13
+
USMT_INIT_LOGFILE_FAILED
+
Log path argument is invalid for /l
+
When /l is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct.
+
Invalid Command Lines
+
+
+
14
+
USMT_ERROR_USE_LAC
+
Unable to create a local account because /lac was not specified
+
When creating local accounts, the command-line options /lac and /lae should be used.
+
Invalid Command Lines
+
+
+
26
+
USMT_INIT_ERROR
+
Multiple Windows installations found
+
Listfiles.txt could not be created. Verify that the location you specified for the creation of this file is valid.
+
Setup and Initialization
+
+
+
+
+
Software malfunction or unknown exception
+
Check all loaded .xml files for errors, common error when using /I to load the Config.xml file.
+
+
+
+
+
+
Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries
+
Verify that the offline input file is present and that it has valid entries. USMT could not find valid offline operating system. Verify your offline directory mapping.
+
+
+
+
27
+
USMT_INVALID_STORE_LOCATION
+
A store path can't be used because an existing store exists; specify /o to overwrite
+
Specify /o to overwrite an existing intermediate or migration store.
+
Setup and Initialization
+
+
+
+
+
A store path is missing or has incomplete data
+
Make sure that the store path is accessible and that the proper permission levels are set.
+
+
+
+
+
+
An error occurred during store creation
+
Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.
+
+
+
+
+
+
An inappropriate device such as a floppy disk was specified for the store
+
Make sure that the store path is accessible and that the proper permission levels are set.
+
+
+
+
+
+
Invalid store path; check the store parameter and/or file system permissions
+
Invalid store path; check the store parameter and/or file system permissions
+
+
+
+
+
+
The file layout and/or file content is not recognized as a valid store
+
Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.
+
+
+
+
+
+
The store path holds a store incompatible with the current USMT version
+
Make sure that the store path is accessible and that the proper permission levels are set.
+
+
+
+
+
+
The store save location is read-only or does not support a requested storage option
+
Make sure that the store path is accessible and that the proper permission levels are set.
+
+
+
+
28
+
USMT_UNABLE_GET_SCRIPTFILES
+
Script file is invalid for /i
+
Check all specified migration .xml files for errors. This is a common error when using /i to load the Config.xml file.
+
Setup and Initialization
+
+
+
+
+
Unable to find a script file specified by /i
+
Verify the location of your script files, and ensure that the command-line options are correct.
+
+
+
+
29
+
USMT_FAILED_MIGSTARTUP
+
A minimum of 250 MB of free space is required for temporary files
+
Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable USMT_WORKING_DIR=<path> to redirect the temporary files working directory.
+
Setup and Initialization
+
+
+
+
+
Another process is preventing migration; only one migration tool can run at a time
+
Check the ScanState log file for migration .xml file errors.
+
+
+
+
+
+
Failed to start main processing, look in log for system errors or check the installation
+
Check the ScanState log file for migration .xml file errors.
+
+
+
+
+
+
Migration failed because of an XML error; look in the log for specific details
+
Check the ScanState log file for migration .xml file errors.
+
+
+
+
+
+
Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table
+
Check the ScanState log file for migration .xml file errors.
+
+
+
+
31
+
USMT_UNABLE_FINDMIGUNITS
+
An error occurred during the discover phase; the log should have more specific information
+
Check the ScanState log file for migration .xml file errors.
+
Setup and Initialization
+
+
+
32
+
USMT_FAILED_SETMIGRATIONTYPE
+
An error occurred processing the migration system
+
Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.
+
Setup and Initialization
+
+
+
33
+
USMT_UNABLE_READKEY
+
Error accessing the file specified by the /keyfile parameter
+
Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.
+
Setup and Initialization
+
+
+
+
+
The encryption key must have at least one character
+
Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.
+
+
+
+
34
+
USMT_ERROR_INSUFFICIENT_RIGHTS
+
Directory removal requires elevated privileges
+
Log on as Administrator, and run with elevated privileges.
+
Setup and Initialization
+
+
+
+
+
No rights to create user profiles; log in as Administrator; run with elevated privileges
+
Log on as Administrator, and run with elevated privileges.
+
+
+
+
+
+
No rights to read or delete user profiles; log in as Administrator, run with elevated privileges
+
Log on as Administrator, and run with elevated privileges.
+
+
+
+
35
+
USMT_UNABLE_DELETE_STORE
+
A reboot is required to remove the store
+
Reboot to delete any files that could not be deleted when the command was executed.
+
Setup and Initialization
+
+
+
+
+
A store path can't be used because it contains data that could not be overwritten
+
A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use USMTUtils /rd command to delete the store.
+
+
+
+
+
+
There was an error removing the store
+
Review ScanState log or LoadState log for details about command-line errors.
+
+
+
+
36
+
USMT_ERROR_UNSUPPORTED_PLATFORM
+
Compliance check failure; please check the logs for details
+
Investigate whether there is an active temporary profile on the system.
+
Setup and Initialization
+
+
+
+
+
Use of /offline is not supported during apply
+
The /offline command was not used while running in the Windows Preinstallation Environment (WinPE).
+
+
+
+
+
+
Use /offline to run gather on this platform
+
The /offline command was not used while running in WinPE.
+
+
+
+
37
+
USMT_ERROR_NO_INVALID_KEY
+
The store holds encrypted data but the correct encryption key was not provided
+
Verify that you have included the correct encryption /key or /keyfile.
+
Setup and Initialization
+
+
+
38
+
USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE
+
An error occurred during store access
+
Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.
+
Setup and Initialization
+
+
+
39
+
USMT_UNABLE_TO_READ_CONFIG_FILE
+
Error reading Config.xml
+
Review ScanState log or LoadState log for details about command-line errors in the Config.xml file.
+
Setup and Initialization
+
+
+
+
+
File argument is invalid for /config
+
Check the command line you used to load the Config.xml file. You can use online Help by typing /? on the command line.
+
+
+
+
40
+
USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG
+
Error writing to the progress log
+
The Progress log could not be created. Verify that the location is valid and that you have write access.
+
Setup and Initialization
+
+
+
+
+
Progress log argument is invalid for /progress
+
The Progress log could not be created. Verify that the location is valid and that you have write access.
+
+
+
+
41
+
USMT_PREFLIGHT_FILE_CREATION_FAILED
+
Can't overwrite existing file
+
The Progress log could not be created. Verify that the location is valid and that you have write access.
+
Setup and Initialization
+
+
+
+
+
Invalid space estimate path. Check the parameters and/or file system permissions
+
Review ScanState log or LoadState log for details about command-line errors.
USMT exited but can continue with the /c command-line option, with the optional configurable <ErrorControl> section or by using the /vsc command-line option.
+
Non-fatal Errors
+
+
+
71
+
USMT_INIT_OPERATING_ENVIRONMENT_FAILED
+
A Windows Win32 API error occurred
+
Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.
+
Fatal Errors
+
+
+
+
+
An error occurred when attempting to initialize the diagnostic mechanisms such as the log
+
Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.
+
+
+
+
+
+
Failed to record diagnostic information
+
Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.
+
+
+
+
+
+
Unable to start. Make sure you are running USMT with elevated privileges
+
Exit USMT and log in again with elevated privileges.
+
+
+
+
72
+
USMT_UNABLE_DOMIGRATION
+
An error occurred closing the store
+
Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.
+
Fatal Errors
+
+
+
+
+
An error occurred in the apply process
+
Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.
+
+
+
+
+
+
An error occurred in the gather process
+
Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.
+
+
+
+
+
+
Out of disk space while writing the store
+
Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.
+
+
+
+
+
+
Out of temporary disk space on the local system
+
Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.
+
+
+
+
+
+
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+
+[Log Files](usmt-log-files.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md
index 83afe8628b..7214707bfe 100644
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@@ -1,873 +1,874 @@
----
-title: ScanState Syntax (Windows 10)
-description: ScanState Syntax
-ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# ScanState Syntax
-
-
-The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store.
-
-## In This Topic
-
-
-[Before You Begin](#bkmk-beforeyoubegin)
-
-[Syntax](#bkmk-syntax)
-
-[Storage Options](#bkmk-storageoptions)
-
-[Migration Rule Options](#bkmk-migrationruleoptions)
-
-[Monitoring Options](#bkmk-monitoringoptions)
-
-[User Options](#bkmk-useroptions)
-
-[Encrypted File Options](#bkmk-efs)
-
-[Incompatible Command-Line Options](#bkmk-iclo)
-
-## Before You Begin
-
-
-Before you run the **ScanState** command, note the following:
-
-- To ensure that all operating system settings migrate, in most cases you must run the **ScanState** commands in administrator mode from an account with administrative credentials.
-
-- If you encrypt the migration store, you will be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information is not kept anywhere in the migration store. You will need this information when you run the LoadState command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message.
-
-- For information about software requirements for running the **ScanState** command, see [USMT Requirements](usmt-requirements.md).
-
-- Unless otherwise noted, you can use each option only once when running a tool on the command line.
-
-- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration.
-
-- The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible.
-
-- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan.
-
-## Syntax
-
-
-This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator.
-
-The **ScanState** command's syntax is:
-
-scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\]
-
-For example:
-
-To create a Config.xml file in the current directory, use:
-
-`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13`
-
-To create an encrypted store using the Config.xml file and the default migration .xml files, use:
-
-`scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"`
-
-## Storage Options
-
-
-
-
-
-
-
-
-
-
Command-Line Option
-
Description
-
-
-
-
-
StorePath
-
Indicates a folder where files and settings will be saved. Note that StorePath cannot be C:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.
-
-
-
/apps
-
Scans the image for apps and includes them and their associated registry settings.
-
-
-
/ppkg [<FileName>]
-
Exports to a specific file location.
-
-
-
/o
-
Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the ScanState command will fail if the migration store already contains data. You cannot use this option more than once on a command line.
-
-
-
/vsc
-
This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the <ErrorControl> section.
-
This option can be used only with the ScanState executable file and cannot be combined with the /hardlink option.
-
-
-
/hardlink
-
Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option.
-
-
-
/encrypt [{/key:<KeyString> | /keyfile:<file>]}
-
Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key in one of the following ways:
-
-
/key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to surround KeyString with quotation marks.
-
/keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key.
-
-
We recommend that KeyString be at least eight characters long, but it cannot exceed 256 characters. The /key and /keyfile options cannot be used on the same command line. The /encrypt and /nocompress options cannot be used on the same command line.
-
-Important
You should use caution with this option, because anyone who has access to the ScanState command-line script will also have access to the encryption key.
-
-
-
-
-
The following example shows the ScanState command and the /key option:
The /encrypt option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see Migration Store Encryption.
-
-
-
/nocompress
-
Disables compression of data and saves the files to a hidden folder named "File" at StorePath\USMT. Compression is enabled by default. Combining the /nocompress option with the /hardlink option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the /nocompress option with the /hardlink option.
-
The /nocompress and /encrypt options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the LoadState command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.
-
-
-
-## Run the ScanState Command on an Offline Windows System
-
-
-You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows.
-
-There are several benefits to running the **ScanState** command on an offline Windows image, including:
-
-- **Improved Performance.**
-
- Because WinPE is a thin operating system, there are fewer running services. In this environment, the **ScanState** command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly.
-
-- **Simplified end to end deployment process.**
-
- Migrating data from Windows.old simplifies the end-to-end deployment process by enabling the migration process to occur after the new operating system is installed.
-
-- **Improved success of migration.**
-
- The migration success rate is increased because files will not be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system.
-
-- **Ability to recover an unbootable computer.**
-
- It might be possible to recover and migrate data from an unbootable computer.
-
-## Offline Migration Options
-
-
-
-
-
-
-
-
-
-
Command-Line Option
-
Definition
-
-
-
-
-
/offline:"path to an offline.xml file"
-
This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration.
-
-
-
/offlinewindir:"path to a Windows directory"
-
This option specifies the offline Windows directory that the ScanState command gathers user state from. The offline directory can be Windows.old when you run the ScanState command in Windows or a Windows directory when you run the ScanState command in WinPE.
-
-
-
/offlinewinold:"Windows.old directory"
-
This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.
-
-
-
-
-
-
-## Migration Rule Options
-
-
-USMT provides the following options to specify what files you want to migrate.
-
-
-
-
-
-
-
-
-
Command-Line Option
-
Description
-
-
-
-
-
/i:[Path]FileName
-
(include)
-
Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the Frequently Asked Questions topic.
-
-
-
/genconfig:[Path]FileName
-
(Generate Config.xml)
-
Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.
-
After you create this file, you will need to make use of it with the ScanState command using the /config option.
-
The only options that you can specify with this option are the /i, /v, and /l options. You cannot specify StorePath, because the /genconfig option does not create a store. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.
-
Examples:
-
-
The following example creates a Config.xml file in the current directory:
Specifies the Config.xml file that the ScanState command should use to create the store. You cannot use this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.
-
The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:
This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml/i:MigApp.xml /v:5.
-
-
-
/genmigxml:path to a file
-
This option specifies that the ScanState command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the ScanState command is running.
-
-
-
/targetwindows8
-
Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:
-
-
To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.
-
To create a migration store. Using the /targetwindows8 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows8 command-line option, some settings can be lost during the migration.
-
-
-
-
/targetwindows7
-
Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:
-
-
To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7.
-
To create a migration store. Using the /targetwindows7 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows7 command-line option, some settings can be lost during the migration.
-
-
-
-
/localonly
-
Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the /localonly option is not specified, then the ScanState command will copy files from these removable or network drives into the store.
-
Anything that is not considered a fixed drive by the OS will be excluded by /localonly. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see Exclude Files and Settings.
-
The /localonly command-line option includes or excludes data in the migration as identified in the following table:
-
-
-
-
-
-
-
-
Drive type
-
Behavior with /localonly
-
-
-
-
-
Removable drives such as a USB flash drive
-
Excluded
-
-
-
Network drives
-
Excluded
-
-
-
Fixed drives
-
Included
-
-
-
-
-
-
-
-
-
-
-## Monitoring Options
-
-
-USMT provides several options that you can use to analyze problems that occur during migration.
-
-**Note**
-The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option.
-
-
-
-
-
-
-
-
-
-
-
Command-Line Option
-
Description
-
-
-
-
-
/listfiles:<FileName>
-
You can use the /listfiles command-line option with the ScanState command to generate a text file that lists all of the files included in the migration.
-
-
-
/l:[Path]FileName
-
Specifies the location and name of the ScanState log.
-
You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can use the /v option to adjust the amount of output.
-
If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:scan.log command.
-
-
-
/v:<VerbosityLevel>
-
(Verbosity)
-
Enables verbose output in the ScanState log file. The default value is 0.
-
You can set the VerbosityLevel to one of the following levels:
Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.
When this option is specified, the ScanState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the ScanState command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the /c option, the ScanState command will exit on the first error.
-
You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.
-
-
-
/r:<TimesToRetry>
-
(Retry)
-
Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.
-
While storing the user state, the /r option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.
-
-
-
/w:<SecondsBeforeRetry>
-
(Wait)
-
Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.
-
-
-
/p:<pathToFile>
-
When the ScanState command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:
To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the /p option, without specifying "pathtoafile", in USMT. If you specify only the /p option, the storage space estimations are created in the same manner as with USMT3.x releases.
-
-
-
/? or /help
-
Displays Help at the command line.
-
-
-
-
-
-
-## User Options
-
-
-By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md) and [Migrate User Accounts](usmt-migrate-user-accounts.md).
-
-
-
-
-
-
-
-
-
Command-Line Option
-
Description
-
-
-
-
-
/all
-
Migrates all of the users on the computer.
-
USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.
-
-
-
/ui:<DomainName>\<UserName>
-
or
-
/ui:<ComputerName>\<LocalUserName>
-
(User include)
-
Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.
-
-Note
If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.
-
-
-
-
-
For example:
-
-
To include only User2 from the Fabrikam domain, type:
-
/ue:*\* /ui:fabrikam\user2
-
To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:
-
/uel:30 /ui:fabrikam\*
-
In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.
-
-
For more examples, see the descriptions of the /ue and /ui options in this table.
-
-
-
/uel:<NumberOfDays>
-
or
-
/uel:<YYYY/MM/DD>
-
or
-
/uel:0
-
(User exclude based on last logon)
-
Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.
-
You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.
-
-Note
The /uel option is not valid in offline migrations.
-
-
-
-
-
-
/uel:0 migrates any users who are currently logged on.
-
/uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.
-
/uel:1 migrates users whose account has been modified within the last 24 hours.
-
/uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.
Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.
-
-
-
-## How to Use /ui and /ue
-
-
-The following examples apply to both the /**ui** and /**ue** options. You can replace the /**ue** option with the /**ui** option to include, rather than exclude, the specified users.
-
-
-
-
-
-
-
-
-
Behavior
-
Command
-
-
-
-
-
Exclude the user named User One in the Fabrikam domain.
-
/ue:"fabrikam\user one"
-
-
-
Exclude the user named User1 in the Fabrikam domain.
-
/ue:fabrikam\user1
-
-
-
Exclude the local user named User1.
-
/ue:%computername%\user1
-
-
-
Exclude all domain users.
-
/ue:Domain\*
-
-
-
Exclude all local users.
-
/ue:%computername%\*
-
-
-
Exclude users in all domains named User1, User2, and so on.
-
/ue:*\user*
-
-
-
-
-
-
-## Using the Options Together
-
-
-You can use the /**uel**, /**ue** and /**ui** options together to migrate only the users that you want migrated.
-
-The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option.
-
-The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days.
-
-
-
-
-
-
-
-
-
Behavior
-
Command
-
-
-
-
-
Include only User2 from the Fabrikam domain and exclude all other users.
-
/ue:*\* /ui:fabrikam\user2
-
-
-
Include only the local user named User1 and exclude all other users.
-
/ue:*\* /ui:user1
-
-
-
Include only the domain users from Contoso, except Contoso\User1.
-
This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:
-
-
On the ScanState command line, type: /ue:*\* /ui:contoso\*
-
On the LoadState command line, type: /ue:contoso\user1
-
-
-
-
Include only local (non-domain) users.
-
/ue:*\* /ui:%computername%\*
-
-
-
-
-
-
-## Encrypted File Options
-
-
-You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior.
-
-For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md).
-
-**Note**
-EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files
-
-
-
-**Caution**
-Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration.
-
-
-
-
-
-
-
-
-
-
-
Command-Line Option
-
Explanation
-
-
-
-
-
/efs:hardlink
-
Creates a hard link to the EFS file instead of copying it. Use only with the /hardlink and the /nocompress options.
-
-
-
/efs:abort
-
Causes the ScanState command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default.
-
-
-
/efs:skip
-
Causes the ScanState command to ignore EFS files.
-
-
-
/efs:decryptcopy
-
Causes the ScanState command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file cannot be decrypted. If the ScanState command succeeds, the file will be unencrypted in the migration store, and once you run the LoadState command, the file will be copied to the destination computer.
-
-
-
/efs:copyraw
-
Causes the ScanState command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an /efs option. Therefore you should specify the /efs:copyraw option with the ScanState command to migrate the encrypted file. Then, when you run the LoadState command, the encrypted file and the EFS certificate will be automatically migrated.
All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see Migrate EFS Files and Certificates.
-
-
-
-
-
-
-
-
-
-
-## Incompatible Command-Line Options
-
-
-The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option.
-
-
-
-
-
-
-
-
-
-
-
-
Command-Line Option
-
/keyfile
-
/nocompress
-
/genconfig
-
/all
-
-
-
-
-
/i
-
-
-
-
-
-
-
/o
-
-
-
-
-
-
-
/v
-
-
-
-
-
-
-
/nocompress
-
-
-
X
-
N/A
-
-
-
/localonly
-
-
-
X
-
-
-
-
/key
-
X
-
-
X
-
-
-
-
/encrypt
-
Required*
-
X
-
X
-
-
-
-
/keyfile
-
N/A
-
-
X
-
-
-
-
/l
-
-
-
-
-
-
-
/progress
-
-
-
X
-
-
-
-
/r
-
-
-
X
-
-
-
-
/w
-
-
-
X
-
-
-
-
/c
-
-
-
X
-
-
-
-
/p
-
-
-
X
-
N/A
-
-
-
/all
-
-
-
X
-
-
-
-
/ui
-
-
-
X
-
X
-
-
-
/ue
-
-
-
X
-
X
-
-
-
/uel
-
-
-
X
-
X
-
-
-
/efs:<option>
-
-
-
X
-
-
-
-
/genconfig
-
-
-
N/A
-
-
-
-
/config
-
-
-
X
-
-
-
-
<StorePath>
-
-
-
X
-
-
-
-
-
-
-
-**Note**
-You must specify either the /**key** or /**keyfile** option with the /**encrypt** option.
-
-
-
-## Related topics
-
-
-[XML Elements Library](usmt-xml-elements-library.md)
-
-
-
-
-
-
-
-
-
+---
+title: ScanState Syntax (Windows 10)
+description: ScanState Syntax
+ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# ScanState Syntax
+
+
+The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store.
+
+## In This Topic
+
+
+[Before You Begin](#bkmk-beforeyoubegin)
+
+[Syntax](#bkmk-syntax)
+
+[Storage Options](#bkmk-storageoptions)
+
+[Migration Rule Options](#bkmk-migrationruleoptions)
+
+[Monitoring Options](#bkmk-monitoringoptions)
+
+[User Options](#bkmk-useroptions)
+
+[Encrypted File Options](#bkmk-efs)
+
+[Incompatible Command-Line Options](#bkmk-iclo)
+
+## Before You Begin
+
+
+Before you run the **ScanState** command, note the following:
+
+- To ensure that all operating system settings migrate, in most cases you must run the **ScanState** commands in administrator mode from an account with administrative credentials.
+
+- If you encrypt the migration store, you will be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information is not kept anywhere in the migration store. You will need this information when you run the LoadState command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message.
+
+- For information about software requirements for running the **ScanState** command, see [USMT Requirements](usmt-requirements.md).
+
+- Unless otherwise noted, you can use each option only once when running a tool on the command line.
+
+- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration.
+
+- The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible.
+
+- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan.
+
+## Syntax
+
+
+This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator.
+
+The **ScanState** command's syntax is:
+
+scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\]
+
+For example:
+
+To create a Config.xml file in the current directory, use:
+
+`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13`
+
+To create an encrypted store using the Config.xml file and the default migration .xml files, use:
+
+`scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"`
+
+## Storage Options
+
+
+
+
+
+
+
+
+
+
Command-Line Option
+
Description
+
+
+
+
+
StorePath
+
Indicates a folder where files and settings will be saved. Note that StorePath cannot be C:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.
+
+
+
/apps
+
Scans the image for apps and includes them and their associated registry settings.
+
+
+
/ppkg [<FileName>]
+
Exports to a specific file location.
+
+
+
/o
+
Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the ScanState command will fail if the migration store already contains data. You cannot use this option more than once on a command line.
+
+
+
/vsc
+
This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the <ErrorControl> section.
+
This option can be used only with the ScanState executable file and cannot be combined with the /hardlink option.
+
+
+
/hardlink
+
Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option.
+
+
+
/encrypt [{/key:<KeyString> | /keyfile:<file>]}
+
Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key in one of the following ways:
+
+
/key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to surround KeyString with quotation marks.
+
/keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key.
+
+
We recommend that KeyString be at least eight characters long, but it cannot exceed 256 characters. The /key and /keyfile options cannot be used on the same command line. The /encrypt and /nocompress options cannot be used on the same command line.
+
+Important
You should use caution with this option, because anyone who has access to the ScanState command-line script will also have access to the encryption key.
+
+
+
+
+
The following example shows the ScanState command and the /key option:
The /encrypt option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see Migration Store Encryption.
+
+
+
/nocompress
+
Disables compression of data and saves the files to a hidden folder named "File" at StorePath\USMT. Compression is enabled by default. Combining the /nocompress option with the /hardlink option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the /nocompress option with the /hardlink option.
+
The /nocompress and /encrypt options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the LoadState command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.
+
+
+
+## Run the ScanState Command on an Offline Windows System
+
+
+You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows.
+
+There are several benefits to running the **ScanState** command on an offline Windows image, including:
+
+- **Improved Performance.**
+
+ Because WinPE is a thin operating system, there are fewer running services. In this environment, the **ScanState** command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly.
+
+- **Simplified end to end deployment process.**
+
+ Migrating data from Windows.old simplifies the end-to-end deployment process by enabling the migration process to occur after the new operating system is installed.
+
+- **Improved success of migration.**
+
+ The migration success rate is increased because files will not be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system.
+
+- **Ability to recover an unbootable computer.**
+
+ It might be possible to recover and migrate data from an unbootable computer.
+
+## Offline Migration Options
+
+
+
+
+
+
+
+
+
+
Command-Line Option
+
Definition
+
+
+
+
+
/offline:"path to an offline.xml file"
+
This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration.
+
+
+
/offlinewindir:"path to a Windows directory"
+
This option specifies the offline Windows directory that the ScanState command gathers user state from. The offline directory can be Windows.old when you run the ScanState command in Windows or a Windows directory when you run the ScanState command in WinPE.
+
+
+
/offlinewinold:"Windows.old directory"
+
This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.
+
+
+
+
+
+
+## Migration Rule Options
+
+
+USMT provides the following options to specify what files you want to migrate.
+
+
+
+
+
+
+
+
+
Command-Line Option
+
Description
+
+
+
+
+
/i:[Path]FileName
+
(include)
+
Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the Frequently Asked Questions topic.
+
+
+
/genconfig:[Path]FileName
+
(Generate Config.xml)
+
Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.
+
After you create this file, you will need to make use of it with the ScanState command using the /config option.
+
The only options that you can specify with this option are the /i, /v, and /l options. You cannot specify StorePath, because the /genconfig option does not create a store. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.
+
Examples:
+
+
The following example creates a Config.xml file in the current directory:
Specifies the Config.xml file that the ScanState command should use to create the store. You cannot use this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.
+
The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:
This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml/i:MigApp.xml /v:5.
+
+
+
/genmigxml:path to a file
+
This option specifies that the ScanState command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the ScanState command is running.
+
+
+
/targetwindows8
+
Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:
+
+
To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.
+
To create a migration store. Using the /targetwindows8 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows8 command-line option, some settings can be lost during the migration.
+
+
+
+
/targetwindows7
+
Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:
+
+
To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7.
+
To create a migration store. Using the /targetwindows7 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows7 command-line option, some settings can be lost during the migration.
+
+
+
+
/localonly
+
Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the /localonly option is not specified, then the ScanState command will copy files from these removable or network drives into the store.
+
Anything that is not considered a fixed drive by the OS will be excluded by /localonly. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see Exclude Files and Settings.
+
The /localonly command-line option includes or excludes data in the migration as identified in the following table:
+
+
+
+
+
+
+
+
Drive type
+
Behavior with /localonly
+
+
+
+
+
Removable drives such as a USB flash drive
+
Excluded
+
+
+
Network drives
+
Excluded
+
+
+
Fixed drives
+
Included
+
+
+
+
+
+
+
+
+
+
+## Monitoring Options
+
+
+USMT provides several options that you can use to analyze problems that occur during migration.
+
+**Note**
+The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option.
+
+
+
+
+
+
+
+
+
+
+
Command-Line Option
+
Description
+
+
+
+
+
/listfiles:<FileName>
+
You can use the /listfiles command-line option with the ScanState command to generate a text file that lists all of the files included in the migration.
+
+
+
/l:[Path]FileName
+
Specifies the location and name of the ScanState log.
+
You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can use the /v option to adjust the amount of output.
+
If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:scan.log command.
+
+
+
/v:<VerbosityLevel>
+
(Verbosity)
+
Enables verbose output in the ScanState log file. The default value is 0.
+
You can set the VerbosityLevel to one of the following levels:
Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.
When this option is specified, the ScanState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the ScanState command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the /c option, the ScanState command will exit on the first error.
+
You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.
+
+
+
/r:<TimesToRetry>
+
(Retry)
+
Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.
+
While storing the user state, the /r option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.
+
+
+
/w:<SecondsBeforeRetry>
+
(Wait)
+
Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.
+
+
+
/p:<pathToFile>
+
When the ScanState command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:
To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the /p option, without specifying "pathtoafile", in USMT. If you specify only the /p option, the storage space estimations are created in the same manner as with USMT3.x releases.
+
+
+
/? or /help
+
Displays Help at the command line.
+
+
+
+
+
+
+## User Options
+
+
+By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md) and [Migrate User Accounts](usmt-migrate-user-accounts.md).
+
+
+
+
+
+
+
+
+
Command-Line Option
+
Description
+
+
+
+
+
/all
+
Migrates all of the users on the computer.
+
USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.
+
+
+
/ui:<DomainName>\<UserName>
+
or
+
/ui:<ComputerName>\<LocalUserName>
+
(User include)
+
Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.
+
+Note
If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.
+
+
+
+
+
For example:
+
+
To include only User2 from the Fabrikam domain, type:
+
/ue:*\* /ui:fabrikam\user2
+
To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:
+
/uel:30 /ui:fabrikam\*
+
In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.
+
+
For more examples, see the descriptions of the /ue and /ui options in this table.
+
+
+
/uel:<NumberOfDays>
+
or
+
/uel:<YYYY/MM/DD>
+
or
+
/uel:0
+
(User exclude based on last logon)
+
Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.
+
You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.
+
+Note
The /uel option is not valid in offline migrations.
+
+
+
+
+
+
/uel:0 migrates any users who are currently logged on.
+
/uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.
+
/uel:1 migrates users whose account has been modified within the last 24 hours.
+
/uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.
Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.
+
+
+
+## How to Use /ui and /ue
+
+
+The following examples apply to both the /**ui** and /**ue** options. You can replace the /**ue** option with the /**ui** option to include, rather than exclude, the specified users.
+
+
+
+
+
+
+
+
+
Behavior
+
Command
+
+
+
+
+
Exclude the user named User One in the Fabrikam domain.
+
/ue:"fabrikam\user one"
+
+
+
Exclude the user named User1 in the Fabrikam domain.
+
/ue:fabrikam\user1
+
+
+
Exclude the local user named User1.
+
/ue:%computername%\user1
+
+
+
Exclude all domain users.
+
/ue:Domain\*
+
+
+
Exclude all local users.
+
/ue:%computername%\*
+
+
+
Exclude users in all domains named User1, User2, and so on.
+
/ue:*\user*
+
+
+
+
+
+
+## Using the Options Together
+
+
+You can use the /**uel**, /**ue** and /**ui** options together to migrate only the users that you want migrated.
+
+The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option.
+
+The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days.
+
+
+
+
+
+
+
+
+
Behavior
+
Command
+
+
+
+
+
Include only User2 from the Fabrikam domain and exclude all other users.
+
/ue:*\* /ui:fabrikam\user2
+
+
+
Include only the local user named User1 and exclude all other users.
+
/ue:*\* /ui:user1
+
+
+
Include only the domain users from Contoso, except Contoso\User1.
+
This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:
+
+
On the ScanState command line, type: /ue:*\* /ui:contoso\*
+
On the LoadState command line, type: /ue:contoso\user1
+
+
+
+
Include only local (non-domain) users.
+
/ue:*\* /ui:%computername%\*
+
+
+
+
+
+
+## Encrypted File Options
+
+
+You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior.
+
+For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md).
+
+**Note**
+EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files
+
+
+
+**Caution**
+Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration.
+
+
+
+
+
+
+
+
+
+
+
Command-Line Option
+
Explanation
+
+
+
+
+
/efs:hardlink
+
Creates a hard link to the EFS file instead of copying it. Use only with the /hardlink and the /nocompress options.
+
+
+
/efs:abort
+
Causes the ScanState command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default.
+
+
+
/efs:skip
+
Causes the ScanState command to ignore EFS files.
+
+
+
/efs:decryptcopy
+
Causes the ScanState command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file cannot be decrypted. If the ScanState command succeeds, the file will be unencrypted in the migration store, and once you run the LoadState command, the file will be copied to the destination computer.
+
+
+
/efs:copyraw
+
Causes the ScanState command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an /efs option. Therefore you should specify the /efs:copyraw option with the ScanState command to migrate the encrypted file. Then, when you run the LoadState command, the encrypted file and the EFS certificate will be automatically migrated.
All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see Migrate EFS Files and Certificates.
+
+
+
+
+
+
+
+
+
+
+## Incompatible Command-Line Options
+
+
+The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option.
+
+
+
+
+
+
+
+
+
+
+
+
Command-Line Option
+
/keyfile
+
/nocompress
+
/genconfig
+
/all
+
+
+
+
+
/i
+
+
+
+
+
+
+
/o
+
+
+
+
+
+
+
/v
+
+
+
+
+
+
+
/nocompress
+
+
+
X
+
N/A
+
+
+
/localonly
+
+
+
X
+
+
+
+
/key
+
X
+
+
X
+
+
+
+
/encrypt
+
Required*
+
X
+
X
+
+
+
+
/keyfile
+
N/A
+
+
X
+
+
+
+
/l
+
+
+
+
+
+
+
/progress
+
+
+
X
+
+
+
+
/r
+
+
+
X
+
+
+
+
/w
+
+
+
X
+
+
+
+
/c
+
+
+
X
+
+
+
+
/p
+
+
+
X
+
N/A
+
+
+
/all
+
+
+
X
+
+
+
+
/ui
+
+
+
X
+
X
+
+
+
/ue
+
+
+
X
+
X
+
+
+
/uel
+
+
+
X
+
X
+
+
+
/efs:<option>
+
+
+
X
+
+
+
+
/genconfig
+
+
+
N/A
+
+
+
+
/config
+
+
+
X
+
+
+
+
<StorePath>
+
+
+
X
+
+
+
+
+
+
+
+**Note**
+You must specify either the /**key** or /**keyfile** option with the /**encrypt** option.
+
+
+
+## Related topics
+
+
+[XML Elements Library](usmt-xml-elements-library.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md
index 69321a476c..c237c8528c 100644
--- a/windows/deployment/usmt/usmt-topics.md
+++ b/windows/deployment/usmt/usmt-topics.md
@@ -1,30 +1,31 @@
----
-title: User State Migration Tool (USMT) Overview Topics (Windows 10)
-description: User State Migration Tool (USMT) Overview Topics
-ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# User State Migration Tool (USMT) Overview Topics
-The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe. USMT also includes a set of three modifiable .xml files: MigApp.xml, MigDocs.xml, and MigUser.xml. Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration.
-
-## In This Section
-
-|Topic |Description|
-|------|-----------|
-|[User State Migration Tool (USMT) Overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.|
-|[Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.|
-|[Windows Upgrade and Migration Considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.|
-
-## Related topics
-- [User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
-- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-- [User State Migration Toolkit (USMT) Reference](usmt-reference.md)
+---
+title: User State Migration Tool (USMT) Overview Topics (Windows 10)
+description: User State Migration Tool (USMT) Overview Topics
+ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# User State Migration Tool (USMT) Overview Topics
+The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe. USMT also includes a set of three modifiable .xml files: MigApp.xml, MigDocs.xml, and MigUser.xml. Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration.
+
+## In This Section
+
+|Topic |Description|
+|------|-----------|
+|[User State Migration Tool (USMT) Overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.|
+|[Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.|
+|[Windows Upgrade and Migration Considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.|
+
+## Related topics
+- [User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
+- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+- [User State Migration Toolkit (USMT) Reference](usmt-reference.md)
diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md
index 085f3892d2..78a8e200ce 100644
--- a/windows/deployment/usmt/usmt-troubleshooting.md
+++ b/windows/deployment/usmt/usmt-troubleshooting.md
@@ -1,73 +1,74 @@
----
-title: User State Migration Tool (USMT) Troubleshooting (Windows 10)
-description: User State Migration Tool (USMT) Troubleshooting
-ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# User State Migration Tool (USMT) Troubleshooting
-
-
-The following table describes topics that address common User State Migration Tool (USMT) 10.0 issues and questions. These topics describe tools that you can use to troubleshoot issues that arise during your migration.
-
-## In This Section
-
-
-
-
-
-
-## Related topics
-
-
-[USMT Best Practices](usmt-best-practices.md)
-
-[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
-
-[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
-
-[User State Migration Toolkit (USMT) Reference](usmt-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: User State Migration Tool (USMT) Troubleshooting (Windows 10)
+description: User State Migration Tool (USMT) Troubleshooting
+ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# User State Migration Tool (USMT) Troubleshooting
+
+
+The following table describes topics that address common User State Migration Tool (USMT) 10.0 issues and questions. These topics describe tools that you can use to troubleshoot issues that arise during your migration.
+
+## In This Section
+
+
+
+
+
+
+## Related topics
+
+
+[USMT Best Practices](usmt-best-practices.md)
+
+[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+
+[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
+
+[User State Migration Toolkit (USMT) Reference](usmt-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md
index 4e9269a29d..6973daa26a 100644
--- a/windows/deployment/usmt/usmt-utilities.md
+++ b/windows/deployment/usmt/usmt-utilities.md
@@ -1,351 +1,352 @@
----
-title: UsmtUtils Syntax (Windows 10)
-description: UsmtUtils Syntax
-ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# UsmtUtils Syntax
-
-
-This topic describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities:
-
-- Improve your ability to determine cryptographic options for your migration.
-
-- Assist in removing hard-link stores that cannot otherwise be deleted due to a sharing lock.
-
-- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted.
-
-- Extract files from the compressed migration store when you migrate files and settings to the destination computer.
-
-## In This Topic
-
-
-[Usmtutils.exe](#bkmk-usmtutils-exe)
-
-[Verify Options](#bkmk-verifyoptions)
-
-[Extract Options](#bkmk-extractoptions)
-
-## Usmtutils.exe
-
-
-The following table lists command-line options for USMTutils.exe. The sections that follow provide further command-line options for the **/verify** and the **/extract** options.
-
-The syntax for UsmtUtils.exe is:
-
-usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\] | /extract *<filepath>* *<destinationPath>* \[options\]\]
-
-
-
-
-
-
-
-
-
Command-line Option
-
Description
-
-
-
-
-
/ec
-
Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this on a destination computer to determine which algorithm to use with the /encrypt command before you run the ScanState tool on the source computer.
-
-
-
/rd<storeDir>
-
Removes the directory path specified by the <storeDir> argument on the computer. You can use this command to delete hard-link migration stores that cannot otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes.
-
For example:
-
usmtutils /rd D:\MyHardLinkStore
-
-
-
/y
-
Overrides the accept deletions prompt when used with the /rd option. When you use the /y option with the /rd option, you will not be prompted to accept the deletions before USMT deletes the directories.
-
-
-
/verify
-
Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.
-
See Verify Options for syntax and options to use with /verify.
-
-
-
/extract
-
Recovers files from a compressed USMT migration store.
-
See Extract Options for syntax and options to use with /extract.
-
-
-
-
-
-
-## Verify Options
-
-
-Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md).
-
-The syntax for **/verify** is:
-
-usmtutils /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile>*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*<AlgID>*\] {/key:*<keystring>* | /keyfile:*<filename>*}\]
-
-
-
-
-
-
-
-
-
Command-line Option
-
Description
-
-
-
-
-
<reportType>
-
Specifies whether to report on all files, corrupted files only, or the status of the catalog.
-
-
Summary. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default.
-
all. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either “CORRUPTED” or “OK” depending on the status of the file. The last entry reports the corruption status of the "CATALOG" of the store. A catalog file contains metadata for all files in a migration store. The LoadState tool requires a valid catalog file in order to open the migration store. Returns "OK" if the catalog file is intact and LoadState can open the migration store and "CORRUPTED" if the migration store is corrupted.
-
failureonly. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store.
-
Catalog. Returns only the status of the catalog file.
-
-
-
-
/l:
-
<logfilePath>
-
Specifies the location and name of the log file.
-
-
-
/v:<VerbosityLevel>
-
(Verbosity)
-
Enables verbose output in the UsmtUtils log file. The default value is 0.
-
You can set the VerbosityLevel to one of the following levels:
-
-
-
-
-
-
-
-
Level
-
Explanation
-
-
-
-
-
0
-
Only the default errors and warnings are enabled.
-
-
-
1
-
Enables verbose output.
-
-
-
4
-
Enables error and status output.
-
-
-
5
-
Enables verbose and status output.
-
-
-
8
-
Enables error output to a debugger.
-
-
-
9
-
Enables verbose output to a debugger.
-
-
-
12
-
Enables error and status output to a debugger.
-
-
-
13
-
Enables verbose, status, and debugger output.
-
-
-
-
-
-
-
/decrypt<AlgID>/:<KeyString>
-
or
-
/decrypt<AlgID>/:<“Key String”>
-
or
-
/decrypt:<AlgID>/keyfile:<FileName>
-
Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, specify a /key or /keyfile option as follows:
-
-
<AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.
-
<AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.
-
/key:<KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.
-
/keyfile: <FileName> specifies the location and name of a text (.txt) file that contains the encryption key.
-
-
-
-Some examples of **/verify** commands:
-
-- `usmtutils /verify D:\MyMigrationStore\store.mig`
-
-- `usmtutils /verify:catalog D:\MyMigrationStore\store.mig`
-
-- `usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt`
-
-- `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt`
-
-## Extract Options
-
-
-Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md).
-
-The syntax for **/extract** is:
-
-/extract *<filePath>* *<destinationPath>* \[/i:*<includePattern>*\] \[/e: *<excludePattern>*\] \[/l: *<logfile>*\] \[/v: *VerbosityLevel>*\] \[/decrypt\[:*<AlgID>*\] {key: *<keystring>* | /keyfile: *<filename>*}\] \[/o\]
-
-
-
-
-
-
-
-
-
Command-line Option
-
Description
-
-
-
-
-
<filePath>
-
Path to the USMT migration store.
-
For example:
-
D:\MyMigrationStore\USMT\store.mig
-
-
-
<destinationPath>
-
Path to the folder where the tool puts the individual files.
-
-
-
/i:<includePattern>
-
Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.
-
-
-
/e:<excludePattern>
-
Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.
-
-
-
/l:<logfilePath>
-
Specifies the location and name of the log file.
-
-
-
/v:<VerbosityLevel>
-
(Verbosity)
-
Enables verbose output in the UsmtUtils log file. The default value is 0.
-
You can set the VerbosityLevel to one of the following levels:
-
-
-
-
-
-
-
-
Level
-
Explanation
-
-
-
-
-
0
-
Only the default errors and warnings are enabled.
-
-
-
1
-
Enables verbose output.
-
-
-
4
-
Enables error and status output.
-
-
-
5
-
Enables verbose and status output.
-
-
-
8
-
Enables error output to a debugger.
-
-
-
9
-
Enables verbose output to a debugger.
-
-
-
12
-
Enables error and status output to a debugger.
-
-
-
13
-
Enables verbose, status, and debugger output.
-
-
-
-
-
-
-
/decrypt<AlgID>/key:<KeyString>
-
or
-
/decrypt<AlgID>/:<“Key String”>
-
or
-
/decrypt:<AlgID>/keyfile:<FileName>
-
Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, you must also specify a /key or /keyfile option as follows:
-
-
<AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.
-
<AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.
-
/key: <KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.
-
/keyfile:<FileName> specifies a text (.txt) file that contains the encryption key
-
-
-
-Some examples of **/extract** commands:
-
-- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore`
-
-- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt`
-
-- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt`
-
-- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o`
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
-
-[Return Codes](usmt-return-codes.md)
-
-
-
-
-
-
-
-
-
+---
+title: UsmtUtils Syntax (Windows 10)
+description: UsmtUtils Syntax
+ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# UsmtUtils Syntax
+
+
+This topic describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities:
+
+- Improve your ability to determine cryptographic options for your migration.
+
+- Assist in removing hard-link stores that cannot otherwise be deleted due to a sharing lock.
+
+- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted.
+
+- Extract files from the compressed migration store when you migrate files and settings to the destination computer.
+
+## In This Topic
+
+
+[Usmtutils.exe](#bkmk-usmtutils-exe)
+
+[Verify Options](#bkmk-verifyoptions)
+
+[Extract Options](#bkmk-extractoptions)
+
+## Usmtutils.exe
+
+
+The following table lists command-line options for USMTutils.exe. The sections that follow provide further command-line options for the **/verify** and the **/extract** options.
+
+The syntax for UsmtUtils.exe is:
+
+usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\] | /extract *<filepath>* *<destinationPath>* \[options\]\]
+
+
+
+
+
+
+
+
+
Command-line Option
+
Description
+
+
+
+
+
/ec
+
Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this on a destination computer to determine which algorithm to use with the /encrypt command before you run the ScanState tool on the source computer.
+
+
+
/rd<storeDir>
+
Removes the directory path specified by the <storeDir> argument on the computer. You can use this command to delete hard-link migration stores that cannot otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes.
+
For example:
+
usmtutils /rd D:\MyHardLinkStore
+
+
+
/y
+
Overrides the accept deletions prompt when used with the /rd option. When you use the /y option with the /rd option, you will not be prompted to accept the deletions before USMT deletes the directories.
+
+
+
/verify
+
Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.
+
See Verify Options for syntax and options to use with /verify.
+
+
+
/extract
+
Recovers files from a compressed USMT migration store.
+
See Extract Options for syntax and options to use with /extract.
+
+
+
+
+
+
+## Verify Options
+
+
+Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md).
+
+The syntax for **/verify** is:
+
+usmtutils /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile>*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*<AlgID>*\] {/key:*<keystring>* | /keyfile:*<filename>*}\]
+
+
+
+
+
+
+
+
+
Command-line Option
+
Description
+
+
+
+
+
<reportType>
+
Specifies whether to report on all files, corrupted files only, or the status of the catalog.
+
+
Summary. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default.
+
all. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either “CORRUPTED” or “OK” depending on the status of the file. The last entry reports the corruption status of the "CATALOG" of the store. A catalog file contains metadata for all files in a migration store. The LoadState tool requires a valid catalog file in order to open the migration store. Returns "OK" if the catalog file is intact and LoadState can open the migration store and "CORRUPTED" if the migration store is corrupted.
+
failureonly. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store.
+
Catalog. Returns only the status of the catalog file.
+
+
+
+
/l:
+
<logfilePath>
+
Specifies the location and name of the log file.
+
+
+
/v:<VerbosityLevel>
+
(Verbosity)
+
Enables verbose output in the UsmtUtils log file. The default value is 0.
+
You can set the VerbosityLevel to one of the following levels:
+
+
+
+
+
+
+
+
Level
+
Explanation
+
+
+
+
+
0
+
Only the default errors and warnings are enabled.
+
+
+
1
+
Enables verbose output.
+
+
+
4
+
Enables error and status output.
+
+
+
5
+
Enables verbose and status output.
+
+
+
8
+
Enables error output to a debugger.
+
+
+
9
+
Enables verbose output to a debugger.
+
+
+
12
+
Enables error and status output to a debugger.
+
+
+
13
+
Enables verbose, status, and debugger output.
+
+
+
+
+
+
+
/decrypt<AlgID>/:<KeyString>
+
or
+
/decrypt<AlgID>/:<“Key String”>
+
or
+
/decrypt:<AlgID>/keyfile:<FileName>
+
Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, specify a /key or /keyfile option as follows:
+
+
<AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.
+
<AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.
+
/key:<KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.
+
/keyfile: <FileName> specifies the location and name of a text (.txt) file that contains the encryption key.
+
+
+
+Some examples of **/verify** commands:
+
+- `usmtutils /verify D:\MyMigrationStore\store.mig`
+
+- `usmtutils /verify:catalog D:\MyMigrationStore\store.mig`
+
+- `usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt`
+
+- `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt`
+
+## Extract Options
+
+
+Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md).
+
+The syntax for **/extract** is:
+
+/extract *<filePath>* *<destinationPath>* \[/i:*<includePattern>*\] \[/e: *<excludePattern>*\] \[/l: *<logfile>*\] \[/v: *VerbosityLevel>*\] \[/decrypt\[:*<AlgID>*\] {key: *<keystring>* | /keyfile: *<filename>*}\] \[/o\]
+
+
+
+
+
+
+
+
+
Command-line Option
+
Description
+
+
+
+
+
<filePath>
+
Path to the USMT migration store.
+
For example:
+
D:\MyMigrationStore\USMT\store.mig
+
+
+
<destinationPath>
+
Path to the folder where the tool puts the individual files.
+
+
+
/i:<includePattern>
+
Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.
+
+
+
/e:<excludePattern>
+
Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.
+
+
+
/l:<logfilePath>
+
Specifies the location and name of the log file.
+
+
+
/v:<VerbosityLevel>
+
(Verbosity)
+
Enables verbose output in the UsmtUtils log file. The default value is 0.
+
You can set the VerbosityLevel to one of the following levels:
+
+
+
+
+
+
+
+
Level
+
Explanation
+
+
+
+
+
0
+
Only the default errors and warnings are enabled.
+
+
+
1
+
Enables verbose output.
+
+
+
4
+
Enables error and status output.
+
+
+
5
+
Enables verbose and status output.
+
+
+
8
+
Enables error output to a debugger.
+
+
+
9
+
Enables verbose output to a debugger.
+
+
+
12
+
Enables error and status output to a debugger.
+
+
+
13
+
Enables verbose, status, and debugger output.
+
+
+
+
+
+
+
/decrypt<AlgID>/key:<KeyString>
+
or
+
/decrypt<AlgID>/:<“Key String”>
+
or
+
/decrypt:<AlgID>/keyfile:<FileName>
+
Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, you must also specify a /key or /keyfile option as follows:
+
+
<AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.
+
<AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.
+
/key: <KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.
+
/keyfile:<FileName> specifies a text (.txt) file that contains the encryption key
+
+
+
+Some examples of **/extract** commands:
+
+- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore`
+
+- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt`
+
+- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt`
+
+- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o`
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
+
+[Return Codes](usmt-return-codes.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index 4fc36c33bc..b3e8cae84e 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -1,429 +1,430 @@
----
-title: What does USMT migrate (Windows 10)
-description: What does USMT migrate
-ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 09/12/2017
-ms.topic: article
----
-
-# What does USMT migrate?
-
-
-## In this topic
-
-
-- [Default migration scripts](#bkmk-defaultmigscripts)
-
-- [User Data](#bkmk-3)
-
-- [Operating-system components](#bkmk-4)
-
-- [Supported applications](#bkmk-2)
-
-- [What USMT does not migrate](#no)
-
-## Default migration scripts
-
-
-The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts:
-
-- **MigApp.XML.** Rules to migrate application settings.
-
-- **MigDocs.XML.** Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files.
-
-- **MigUser.XML.** Rules to migrate user profiles and user data.
-
- MigUser.xml gathers everything in a user’s profile and then does a file extension- based search of most of the system for other user data. If data doesn’t match either of these criteria, the data won’t be migrated. For the most part, this file describes a "core" migration.
-
- The following data does not migrate with MigUser.xml:
-
- - Files outside the user profile that don’t match one of the file extensions in MigUser.xml.
-
- - Access control lists (ACLs) for folders outside the user profile.
-
-## User data
-
-
-This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs.
-
-- **Folders from each user profile.** When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following:
-
- My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites.
-
- >[!IMPORTANT]
- >Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout).
-
-- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8:
-
- - Shared Documents
-
- - Shared Video
-
- - Shared Music
-
- - Shared desktop files
-
- - Shared Pictures
-
- - Shared Start menu
-
- - Shared Favorites
-
-- **File types.** When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects and then migrates files with any of the following file extensions:
-
- **.accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.**
-
- **Note**
- The asterisk (\*) stands for zero or more characters.
-
-
-
-- **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration.
-
-**Important**
-To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`.
-
-
-
-## Operating-system components
-
-
-USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8
-
-The following components are migrated by default using the manifest files:
-
-- Accessibility settings
-
-- Address book
-
-- Command-prompt settings
-
-- \*Desktop wallpaper
-
-- EFS files
-
-- Favorites
-
-- Folder options
-
-- Fonts
-
-- Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then clicking **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the Config.xml file is required.
-
-- \*Windows Internet Explorer® settings
-
-- Microsoft® Open Database Connectivity (ODBC) settings
-
-- Mouse and keyboard settings
-
-- Network drive mapping
-
-- \*Network printer mapping
-
-- \*Offline files
-
-- \*Phone and modem options
-
-- RAS connection and phone book (.pbk) files
-
-- \*Regional settings
-
-- Remote Access
-
-- \*Taskbar settings
-
-- User personal certificates (all)
-
-- Windows Mail.
-
-- \*Windows Media Player
-
-- Windows Rights Management
-
-\* These settings are not available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md).
-
-**Important**
-This list may not be complete. There may be additional components that are migrated.
-
-
-
-**Note**
-Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool.
-
-
-
-## Supported applications
-
-
-Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers.
-
-**Note**
-The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office.
-
-
-
-**Note**
-USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate.
-
-
-
-When you specify the MigApp.xml file, USMT migrates the settings for the following applications:
-
-
-
-
-
-
-
-
-
Product
-
Version
-
-
-
-
-
Adobe Acrobat Reader
-
9
-
-
-
AOL Instant Messenger
-
6.8
-
-
-
Adobe Creative Suite
-
2
-
-
-
Adobe Photoshop CS
-
8, 9
-
-
-
Adobe ImageReady CS
-
-
-
-
Apple iTunes
-
6, 7, 8
-
-
-
Apple QuickTime Player
-
5, 6, 7
-
-
-
Apple Safari
-
3.1.2
-
-
-
Google Chrome
-
beta
-
-
-
Google Picasa
-
3
-
-
-
Google Talk
-
beta
-
-
-
IBM Lotus 1-2-3
-
9
-
-
-
IBM Lotus Notes
-
6,7, 8
-
-
-
IBM Lotus Organizer
-
5
-
-
-
IBM Lotus WordPro
-
9.9
-
-
-
Intuit Quicken Deluxe
-
2009
-
-
-
Money Plus Business
-
2008
-
-
-
Money Plus Home
-
2008
-
-
-
Mozilla Firefox
-
3
-
-
-
Microsoft Office
-
2003, 2007, 2010
-
-
-
Microsoft Office Access®
-
2003, 2007, 2010
-
-
-
Microsoft Office Excel®
-
2003, 2007, 2010
-
-
-
Microsoft Office FrontPage®
-
2003, 2007, 2010
-
-
-
Microsoft Office OneNote®
-
2003, 2007, 2010
-
-
-
Microsoft Office Outlook®
-
2003, 2007, 2010
-
-
-
Microsoft Office PowerPoint®
-
2003, 2007, 2010
-
-
-
Microsoft Office Publisher
-
2003, 2007, 2010
-
-
-
Microsoft Office Word
-
2003, 2007, 2010
-
-
-
Opera Software Opera
-
9.5
-
-
-
Microsoft Outlook Express
-
(only mailbox file)
-
-
-
Microsoft Project
-
2003, 2007
-
-
-
Microsoft Office Visio®
-
2003, 2007
-
-
-
RealPlayer Basic
-
11
-
-
-
Sage Peachtree
-
2009
-
-
-
Skype
-
3.8
-
-
-
Windows Live Mail
-
12, 14
-
-
-
Windows Live Messenger
-
8.5, 14
-
-
-
Windows Live MovieMaker
-
14
-
-
-
Windows Live Photo Gallery
-
12, 14
-
-
-
Windows Live Writer
-
12, 14
-
-
-
Windows Mail
-
(Windows 7 and 8)
-
-
-
Microsoft Works
-
9
-
-
-
Yahoo Messenger
-
9
-
-
-
Microsoft Zune™ Software
-
3
-
-
-
-
-
-
-## What USMT does not migrate
-
-
-The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md).
-
-### Application settings
-
-USMT does not migrate the following application settings:
-
-- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version.
-
-- Application settings and some operating-system settings when a local account is created. For example, if you run /lac to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate.
-
-- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system.
-
-- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application will not start. You may encounter problems when:
-
- - You change the default installation location on 32-bit destination computers.
-
- - You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”.
-
-### Operating-System settings
-
-USMT does not migrate the following operating-system settings.
-
-- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files.
-
-- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer.
-
-- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer.
-
-- Customized icons for shortcuts may not migrate.
-
-- Taskbar settings, when the source computer is running Windows XP.
-
-You should also note the following:
-
-- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as administrator**.
-
-- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md).
-
-### Start menu layout
-
-Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout).
-
-## Related topics
-
-
-[Plan your migration](usmt-plan-your-migration.md)
-
-
-
-
-
-
-
-
-
+---
+title: What does USMT migrate (Windows 10)
+description: What does USMT migrate
+ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 09/12/2017
+ms.topic: article
+---
+
+# What does USMT migrate?
+
+
+## In this topic
+
+
+- [Default migration scripts](#bkmk-defaultmigscripts)
+
+- [User Data](#bkmk-3)
+
+- [Operating-system components](#bkmk-4)
+
+- [Supported applications](#bkmk-2)
+
+- [What USMT does not migrate](#no)
+
+## Default migration scripts
+
+
+The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts:
+
+- **MigApp.XML.** Rules to migrate application settings.
+
+- **MigDocs.XML.** Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files.
+
+- **MigUser.XML.** Rules to migrate user profiles and user data.
+
+ MigUser.xml gathers everything in a user’s profile and then does a file extension- based search of most of the system for other user data. If data doesn’t match either of these criteria, the data won’t be migrated. For the most part, this file describes a "core" migration.
+
+ The following data does not migrate with MigUser.xml:
+
+ - Files outside the user profile that don’t match one of the file extensions in MigUser.xml.
+
+ - Access control lists (ACLs) for folders outside the user profile.
+
+## User data
+
+
+This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs.
+
+- **Folders from each user profile.** When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following:
+
+ My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites.
+
+ >[!IMPORTANT]
+ >Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout).
+
+- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8:
+
+ - Shared Documents
+
+ - Shared Video
+
+ - Shared Music
+
+ - Shared desktop files
+
+ - Shared Pictures
+
+ - Shared Start menu
+
+ - Shared Favorites
+
+- **File types.** When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects and then migrates files with any of the following file extensions:
+
+ **.accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.**
+
+ **Note**
+ The asterisk (\*) stands for zero or more characters.
+
+
+
+- **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration.
+
+**Important**
+To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`.
+
+
+
+## Operating-system components
+
+
+USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8
+
+The following components are migrated by default using the manifest files:
+
+- Accessibility settings
+
+- Address book
+
+- Command-prompt settings
+
+- \*Desktop wallpaper
+
+- EFS files
+
+- Favorites
+
+- Folder options
+
+- Fonts
+
+- Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then clicking **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the Config.xml file is required.
+
+- \*Windows Internet Explorer® settings
+
+- Microsoft® Open Database Connectivity (ODBC) settings
+
+- Mouse and keyboard settings
+
+- Network drive mapping
+
+- \*Network printer mapping
+
+- \*Offline files
+
+- \*Phone and modem options
+
+- RAS connection and phone book (.pbk) files
+
+- \*Regional settings
+
+- Remote Access
+
+- \*Taskbar settings
+
+- User personal certificates (all)
+
+- Windows Mail.
+
+- \*Windows Media Player
+
+- Windows Rights Management
+
+\* These settings are not available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md).
+
+**Important**
+This list may not be complete. There may be additional components that are migrated.
+
+
+
+**Note**
+Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool.
+
+
+
+## Supported applications
+
+
+Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers.
+
+**Note**
+The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office.
+
+
+
+**Note**
+USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate.
+
+
+
+When you specify the MigApp.xml file, USMT migrates the settings for the following applications:
+
+
+
+
+
+
+
+
+
Product
+
Version
+
+
+
+
+
Adobe Acrobat Reader
+
9
+
+
+
AOL Instant Messenger
+
6.8
+
+
+
Adobe Creative Suite
+
2
+
+
+
Adobe Photoshop CS
+
8, 9
+
+
+
Adobe ImageReady CS
+
+
+
+
Apple iTunes
+
6, 7, 8
+
+
+
Apple QuickTime Player
+
5, 6, 7
+
+
+
Apple Safari
+
3.1.2
+
+
+
Google Chrome
+
beta
+
+
+
Google Picasa
+
3
+
+
+
Google Talk
+
beta
+
+
+
IBM Lotus 1-2-3
+
9
+
+
+
IBM Lotus Notes
+
6,7, 8
+
+
+
IBM Lotus Organizer
+
5
+
+
+
IBM Lotus WordPro
+
9.9
+
+
+
Intuit Quicken Deluxe
+
2009
+
+
+
Money Plus Business
+
2008
+
+
+
Money Plus Home
+
2008
+
+
+
Mozilla Firefox
+
3
+
+
+
Microsoft Office
+
2003, 2007, 2010
+
+
+
Microsoft Office Access®
+
2003, 2007, 2010
+
+
+
Microsoft Office Excel®
+
2003, 2007, 2010
+
+
+
Microsoft Office FrontPage®
+
2003, 2007, 2010
+
+
+
Microsoft Office OneNote®
+
2003, 2007, 2010
+
+
+
Microsoft Office Outlook®
+
2003, 2007, 2010
+
+
+
Microsoft Office PowerPoint®
+
2003, 2007, 2010
+
+
+
Microsoft Office Publisher
+
2003, 2007, 2010
+
+
+
Microsoft Office Word
+
2003, 2007, 2010
+
+
+
Opera Software Opera
+
9.5
+
+
+
Microsoft Outlook Express
+
(only mailbox file)
+
+
+
Microsoft Project
+
2003, 2007
+
+
+
Microsoft Office Visio®
+
2003, 2007
+
+
+
RealPlayer Basic
+
11
+
+
+
Sage Peachtree
+
2009
+
+
+
Skype
+
3.8
+
+
+
Windows Live Mail
+
12, 14
+
+
+
Windows Live Messenger
+
8.5, 14
+
+
+
Windows Live MovieMaker
+
14
+
+
+
Windows Live Photo Gallery
+
12, 14
+
+
+
Windows Live Writer
+
12, 14
+
+
+
Windows Mail
+
(Windows 7 and 8)
+
+
+
Microsoft Works
+
9
+
+
+
Yahoo Messenger
+
9
+
+
+
Microsoft Zune™ Software
+
3
+
+
+
+
+
+
+## What USMT does not migrate
+
+
+The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md).
+
+### Application settings
+
+USMT does not migrate the following application settings:
+
+- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version.
+
+- Application settings and some operating-system settings when a local account is created. For example, if you run /lac to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate.
+
+- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system.
+
+- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application will not start. You may encounter problems when:
+
+ - You change the default installation location on 32-bit destination computers.
+
+ - You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”.
+
+### Operating-System settings
+
+USMT does not migrate the following operating-system settings.
+
+- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files.
+
+- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer.
+
+- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer.
+
+- Customized icons for shortcuts may not migrate.
+
+- Taskbar settings, when the source computer is running Windows XP.
+
+You should also note the following:
+
+- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as administrator**.
+
+- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md).
+
+### Start menu layout
+
+Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout).
+
+## Related topics
+
+
+[Plan your migration](usmt-plan-your-migration.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 62a9dc2999..b13ffc7af8 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -3,6 +3,7 @@ title: Configure VDA for Windows 10 Subscription Activation
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA
keywords: upgrade, update, task sequence, deploy
@@ -12,7 +13,6 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro
-author: greg-lindsay
ms.topic: article
ms.collection: M365-modern-desktop
---
diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md
index 06362064ff..b55db69a98 100644
--- a/windows/deployment/volume-activation/activate-forest-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-vamt.md
@@ -1,50 +1,51 @@
----
-title: Activate an Active Directory Forest Online (Windows 10)
-description: Activate an Active Directory Forest Online
-ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Activate an Active Directory Forest Online
-
-You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain.
-
-**Important**
-ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products.
-
-## Requirements
-
-Before performing online activation, ensure that the network and the VAMT installation meet the following requirements:
-- VAMT is installed on a host computer that has Internet access.
-- VAMT has administrative permissions to the Active Directory domain.
-- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node.
-
-**To perform an online Active Directory forest activation**
-
-1. Open VAMT.
-2. In the left-side pane, click the **Active Directory-Based Activation** node.
-3. In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box.
-4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest.
-5. If required, enter a new Active Directory-Based Activation Object name
-
- **Important**
- If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed.
-
-6. Click **Install Key**.
-7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action.
-
-The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane.
-
-## Related topics
-
-- [Scenario 1: Online Activation](scenario-online-activation-vamt.md)
-- [Add and Remove Computers](add-remove-computers-vamt.md)
+---
+title: Activate an Active Directory Forest Online (Windows 10)
+description: Activate an Active Directory Forest Online
+ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Activate an Active Directory Forest Online
+
+You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain.
+
+**Important**
+ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products.
+
+## Requirements
+
+Before performing online activation, ensure that the network and the VAMT installation meet the following requirements:
+- VAMT is installed on a host computer that has Internet access.
+- VAMT has administrative permissions to the Active Directory domain.
+- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node.
+
+**To perform an online Active Directory forest activation**
+
+1. Open VAMT.
+2. In the left-side pane, click the **Active Directory-Based Activation** node.
+3. In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box.
+4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest.
+5. If required, enter a new Active Directory-Based Activation Object name
+
+ **Important**
+ If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed.
+
+6. Click **Install Key**.
+7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action.
+
+The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane.
+
+## Related topics
+
+- [Scenario 1: Online Activation](scenario-online-activation-vamt.md)
+- [Add and Remove Computers](add-remove-computers-vamt.md)
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index 01010689aa..f2d59868c4 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -1,144 +1,145 @@
----
-title: Activate using Key Management Service (Windows 10)
-ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description:
-keywords: vamt, volume activation, activation, windows activation
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.date: 10/16/2017
-ms.topic: article
----
-
-# Activate using Key Management Service
-
-**Applies to**
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows Server 2008 R2
-
-**Looking for retail activation?**
-
-- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
-
-There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host:
-- Host KMS on a computer running Windows 10
-- Host KMS on a computer running Windows Server 2012 R2
-- Host KMS on a computer running an earlier version of Windows
-
-Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2015/09/15/windows-10-volume-activation-tips/).
-
-## Key Management Service in Windows 10
-
-Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7.
-Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
-To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services.
-
-**Configure KMS in Windows 10**
-
-1. Open an elevated command prompt.
-2. Enter one of the following commands.
- - To install a KMS key, type **slmgr.vbs /ipk <KmsKey>**.
- - To activate online, type **slmgr.vbs /ato**.
- - To activate by using the telephone, type **slui.exe 4**.
-3. After activating the KMS key, restart the Software Protection Service.
-
-For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032).
-
-## Key Management Service in Windows Server 2012 R2
-Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
-
-**Note**
-You cannot install a client KMS key into the KMS in Windows Server.
-
-This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden.
-
-**Note**
-
-If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687).
-
-**Configure KMS in Windows Server 2012 R2**
-
-1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials.
-2. Launch Server Manager.
-3. Add the Volume Activation Services role, as shown in Figure 4.
-
- 
-
- **Figure 4**. Adding the Volume Activation Services role in Server Manager\
-
-4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5).
-
- 
-
- **Figure 5**. Launching the Volume Activation Tools
-
- 5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
- This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
-
- 
-
- **Figure 6**. Configuring the computer as a KMS host
-
-5. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
-
- 
-
- **Figure 7**. Installing your KMS host key
-
-6. If asked to confirm replacement of an existing key, click **Yes**.
-7. After the product key is installed, you must activate it. Click **Next** (Figure 8).
-
- 
-
- **Figure 8**. Activating the software
-
- The KMS key can be activated online or by phone. See Figure 9.
-
- 
-
- **Figure 9**. Choosing to activate online
-
-Now that the KMS host is configured, it will begin to listen for activation requests. However, it will not activate clients successfully until the activation threshold is met.
-
-## Verifying the configuration of Key Management Service
-
-You can verify KMS volume activation from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message.
-**Note**
-
-If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2.
-
-To verify that KMS volume activation works, complete the following steps:
-
-1. On the KMS host, open the event log and confirm that DNS publishing is successful.
-2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.
-The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
-3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.
-
-The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
-
-For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://go.microsoft.com/fwlink/p/?LinkId=733639).
-
-## Key Management Service in earlier versions of Windows
-
-If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
-
-1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
-2. Request a new KMS host key from the Volume Licensing Service Center.
-3. Install the new KMS host key on your KMS host.
-4. Activate the new KMS host key by running the slmgr.vbs script.
-
-For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590).
-
-## See also
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
+---
+title: Activate using Key Management Service (Windows 10)
+ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+description:
+keywords: vamt, volume activation, activation, windows activation
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.date: 10/16/2017
+ms.topic: article
+---
+
+# Activate using Key Management Service
+
+**Applies to**
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
+
+**Looking for retail activation?**
+
+- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+
+There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host:
+- Host KMS on a computer running Windows 10
+- Host KMS on a computer running Windows Server 2012 R2
+- Host KMS on a computer running an earlier version of Windows
+
+Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2015/09/15/windows-10-volume-activation-tips/).
+
+## Key Management Service in Windows 10
+
+Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7.
+Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
+To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services.
+
+**Configure KMS in Windows 10**
+
+To activate by using the telephone, use the slmgr.vbs script.
+
+1. Run **slmgr.vbs /dti** and confirm the installation ID.
+2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone.
+3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
+4. Run **slmgr.vbs /atp \**.
+
+For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032).
+
+## Key Management Service in Windows Server 2012 R2
+Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
+
+**Note**
+You cannot install a client KMS key into the KMS in Windows Server.
+
+This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden.
+
+**Note**
+
+If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687).
+
+**Configure KMS in Windows Server 2012 R2**
+
+1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials.
+2. Launch Server Manager.
+3. Add the Volume Activation Services role, as shown in Figure 4.
+
+ 
+
+ **Figure 4**. Adding the Volume Activation Services role in Server Manager\
+
+4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5).
+
+ 
+
+ **Figure 5**. Launching the Volume Activation Tools
+
+ 5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
+ This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
+
+ 
+
+ **Figure 6**. Configuring the computer as a KMS host
+
+5. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
+
+ 
+
+ **Figure 7**. Installing your KMS host key
+
+6. If asked to confirm replacement of an existing key, click **Yes**.
+7. After the product key is installed, you must activate it. Click **Next** (Figure 8).
+
+ 
+
+ **Figure 8**. Activating the software
+
+ The KMS key can be activated online or by phone. See Figure 9.
+
+ 
+
+ **Figure 9**. Choosing to activate online
+
+Now that the KMS host is configured, it will begin to listen for activation requests. However, it will not activate clients successfully until the activation threshold is met.
+
+## Verifying the configuration of Key Management Service
+
+You can verify KMS volume activation from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message.
+
+> [!NOTE]
+> If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2.
+
+To verify that KMS volume activation works, complete the following steps:
+
+1. On the KMS host, open the event log and confirm that DNS publishing is successful.
+2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.
+The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
+3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.
+
+The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
+
+For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://go.microsoft.com/fwlink/p/?LinkId=733639).
+
+## Key Management Service in earlier versions of Windows
+
+If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
+
+1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
+2. Request a new KMS host key from the Volume Licensing Service Center.
+3. Install the new KMS host key on your KMS host.
+4. Activate the new KMS host key by running the slmgr.vbs script.
+
+For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590).
+
+## See also
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
index 0664a272c5..b88d65def4 100644
--- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
+++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
@@ -1,127 +1,128 @@
----
-title: Activate clients running Windows 10 (Windows 10)
-description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy.
-ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: vamt, volume activation, activation, windows activation
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Activate clients running Windows 10
-
-**Applies to**
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows Server 2008 R2
-
-**Looking for retail activation?**
-
-- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
-
-After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works.
-Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer.
-If activation or reactivation is required, the following sequence occurs:
-1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals.
-2. If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer’s GVLK.
-3. The computer tries to activate against Microsoft servers if it is configured with a MAK.
-
-If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart.
-
-## How Key Management Service works
-
-KMS uses a client–server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP.
-
-### Key Management Service activation thresholds
-
-You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met.
-
-A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more.
-When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met.
-
-In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated.
-
-### Activation count cache
-
-To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one.
-However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days.
-The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.
-
-### Key Management Service connectivity
-
-KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements.
-
-### Key Management Service activation renewal
-
-KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computer’s activation is renewed, the activation validity interval begins again.
-
-### Publication of the Key Management Service
-
-The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts.
-
-### Client discovery of the Key Management Service
-
-By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it.
-Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters.
-If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records.
-By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way.
-
-### Domain Name System server configuration
-
-The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update.
-The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records.
-
-### Activating the first Key Management Service host
-
-KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers.
-
-### Activating subsequent Key Management Service hosts
-
-Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization’s KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception.
-
-## How Multiple Activation Key works
-
-A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit.
-
-You can activate computers by using a MAK in two ways:
-- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
-
- 
-
- **Figure 16**. MAK independent activation
-- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
-
- 
-
- **Figure 17**. MAK proxy activation with the VAMT
-
-A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold.
-
-You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment.
-
-### Multiple Activation Key architecture and activation
-
-MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet.
-In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID.
-
-## Activating as a standard user
-
-Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.”
-
-## See also
-
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
-
-
+---
+title: Activate clients running Windows 10 (Windows 10)
+description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy.
+ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: vamt, volume activation, activation, windows activation
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.date: 07/27/2017
+ms.topic: article
+---
+
+# Activate clients running Windows 10
+
+**Applies to**
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
+
+**Looking for retail activation?**
+
+- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+
+After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works.
+Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer.
+If activation or reactivation is required, the following sequence occurs:
+1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals.
+2. If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer’s GVLK.
+3. The computer tries to activate against Microsoft servers if it is configured with a MAK.
+
+If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart.
+
+## How Key Management Service works
+
+KMS uses a client–server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP.
+
+### Key Management Service activation thresholds
+
+You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met.
+
+A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more.
+When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met.
+
+In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated.
+
+### Activation count cache
+
+To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one.
+However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days.
+The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.
+
+### Key Management Service connectivity
+
+KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements.
+
+### Key Management Service activation renewal
+
+KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computer’s activation is renewed, the activation validity interval begins again.
+
+### Publication of the Key Management Service
+
+The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts.
+
+### Client discovery of the Key Management Service
+
+By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it.
+Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters.
+If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records.
+By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way.
+
+### Domain Name System server configuration
+
+The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update.
+The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records.
+
+### Activating the first Key Management Service host
+
+KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers.
+
+### Activating subsequent Key Management Service hosts
+
+Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization’s KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception.
+
+## How Multiple Activation Key works
+
+A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit.
+
+You can activate computers by using a MAK in two ways:
+- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
+
+ 
+
+ **Figure 16**. MAK independent activation
+- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
+
+ 
+
+ **Figure 17**. MAK proxy activation with the VAMT
+
+A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold.
+
+You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment.
+
+### Multiple Activation Key architecture and activation
+
+MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet.
+In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID.
+
+## Activating as a standard user
+
+Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.”
+
+## See also
+
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
+
+
diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md
index fc7b9b051d..51152d7b78 100644
--- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md
+++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md
@@ -1,39 +1,40 @@
----
-title: Add and Remove a Product Key (Windows 10)
-description: Add and Remove a Product Key
-ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Add and Remove a Product Key
-
-Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database.
-
-## To Add a Product Key
-
-1. Open VAMT.
-2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu.
-3. Click **Add product keys** to open the **Add Product Keys** dialog box.
-4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys:
- - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**.
- - To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**.
-
- **Note**
- If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs.
-
-## Remove a Product Key
-
-- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network.
-
-## Related topics
-
-- [Manage Product Keys](manage-product-keys-vamt.md)
+---
+title: Add and Remove a Product Key (Windows 10)
+description: Add and Remove a Product Key
+ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Add and Remove a Product Key
+
+Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database.
+
+## To Add a Product Key
+
+1. Open VAMT.
+2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu.
+3. Click **Add product keys** to open the **Add Product Keys** dialog box.
+4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys:
+ - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**.
+ - To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**.
+
+ **Note**
+ If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs.
+
+## Remove a Product Key
+
+- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network.
+
+## Related topics
+
+- [Manage Product Keys](manage-product-keys-vamt.md)
diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
index d56ff58a30..19d405b786 100644
--- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
+++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
@@ -1,71 +1,72 @@
----
-title: Appendix Information sent to Microsoft during activation (Windows 10)
-ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description:
-keywords: vamt, volume activation, activation, windows activation
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Appendix: Information sent to Microsoft during activation
-**Applies to**
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows Server 2008 R2
-
-**Looking for retail activation?**
-
-- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
-
-When you activate a computer running Windows 10, the following information is sent to Microsoft:
-
-- The Microsoft product code (a five-digit code that identifies the Windows product you are activating)
-- A channel ID or site code that identifies how the Windows product was originally obtained
-
- For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer.
-
-- The date of installation and whether the installation was successful
-- Information that helps confirm that your Windows product key has not been altered
-- Computer make and model
-- Version information for the operating system and software
-- Region and language settings
-- A unique number called a *globally unique identifier*, which is assigned to your computer
-- Product key (hashed) and product ID
-- BIOS name, revision number, and revision date
-- Volume serial number (hashed) of the hard disk drive
-- The result of the activation check
-
- This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled:
-
- - The activation exploit’s identifier
- - The activation exploit’s current state, such as cleaned or quarantined
- - Computer manufacturer’s identification
- - The activation exploit’s file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit
-- The name and a hash of the contents of your computer’s startup instructions file
-- If your Windows license is on a subscription basis, information about how your subscription works
-
-Standard computer information is also sent, but your computer’s IP address is only retained temporarily.
-
-## Use of information
-
-Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers.
-For additional details, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879).
-
-## See also
-
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
-
-
+---
+title: Appendix Information sent to Microsoft during activation (Windows 10)
+ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+description:
+keywords: vamt, volume activation, activation, windows activation
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.date: 07/27/2017
+ms.topic: article
+---
+
+# Appendix: Information sent to Microsoft during activation
+**Applies to**
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
+
+**Looking for retail activation?**
+
+- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+
+When you activate a computer running Windows 10, the following information is sent to Microsoft:
+
+- The Microsoft product code (a five-digit code that identifies the Windows product you are activating)
+- A channel ID or site code that identifies how the Windows product was originally obtained
+
+ For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer.
+
+- The date of installation and whether the installation was successful
+- Information that helps confirm that your Windows product key has not been altered
+- Computer make and model
+- Version information for the operating system and software
+- Region and language settings
+- A unique number called a *globally unique identifier*, which is assigned to your computer
+- Product key (hashed) and product ID
+- BIOS name, revision number, and revision date
+- Volume serial number (hashed) of the hard disk drive
+- The result of the activation check
+
+ This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled:
+
+ - The activation exploit’s identifier
+ - The activation exploit’s current state, such as cleaned or quarantined
+ - Computer manufacturer’s identification
+ - The activation exploit’s file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit
+- The name and a hash of the contents of your computer’s startup instructions file
+- If your Windows license is on a subscription basis, information about how your subscription works
+
+Standard computer information is also sent, but your computer’s IP address is only retained temporarily.
+
+## Use of information
+
+Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers.
+For additional details, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879).
+
+## See also
+
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
+
+
diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md
index 5b77d96564..d0b685c936 100644
--- a/windows/deployment/volume-activation/import-export-vamt-data.md
+++ b/windows/deployment/volume-activation/import-export-vamt-data.md
@@ -1,51 +1,52 @@
----
-title: Import and Export VAMT Data (Windows 10)
-description: Import and Export VAMT Data
-ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Import and Export VAMT Data
-
-You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data.
-You can import data or export data during the following scenarios:
-- Import and merge data from previous versions of VAMT.
-- Export data to use to perform proxy activations.
-
-**Warning**
-Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported.
-
-## Import VAMT Data
-
-**To import data into VAMT**
-1. Open VAMT.
-2. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box.
-3. In the **Import List** dialog box, navigate to the .cilx file location, select the file, and click **Open**.
-4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully.
-
-## Export VAMT Data
-
-Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file:
-1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products.
-2. If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export.
-3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box.
-4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file.
-5. Under **Export options**, select one of the following data-type options:
- - Export products and product keys
- - Export products only
- - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked.
-6. If you have selected products to export, select the **Export selected product rows only** check box.
-7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully.
-
-## Related topics
-
-- [Perform Proxy Activation](proxy-activation-vamt.md)
+---
+title: Import and Export VAMT Data (Windows 10)
+description: Import and Export VAMT Data
+ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Import and Export VAMT Data
+
+You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data.
+You can import data or export data during the following scenarios:
+- Import and merge data from previous versions of VAMT.
+- Export data to use to perform proxy activations.
+
+**Warning**
+Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported.
+
+## Import VAMT Data
+
+**To import data into VAMT**
+1. Open VAMT.
+2. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box.
+3. In the **Import List** dialog box, navigate to the .cilx file location, select the file, and click **Open**.
+4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully.
+
+## Export VAMT Data
+
+Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file:
+1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products.
+2. If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export.
+3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box.
+4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file.
+5. Under **Export options**, select one of the following data-type options:
+ - Export products and product keys
+ - Export products only
+ - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked.
+6. If you have selected products to export, select the **Export selected product rows only** check box.
+7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully.
+
+## Related topics
+
+- [Perform Proxy Activation](proxy-activation-vamt.md)
diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md
index dc1c9eaa35..5524910ada 100644
--- a/windows/deployment/volume-activation/install-configure-vamt.md
+++ b/windows/deployment/volume-activation/install-configure-vamt.md
@@ -1,34 +1,35 @@
----
-title: Install and Configure VAMT (Windows 10)
-description: Install and Configure VAMT
-ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Install and Configure VAMT
-
-This section describes how to install and configure the Volume Activation Management Tool (VAMT).
-
-## In this Section
-
-|Topic |Description |
-|------|------------|
-|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. |
-|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. |
-|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. |
-
-## Related topics
-
-- [Introduction to VAMT](introduction-vamt.md)
-
-
+---
+title: Install and Configure VAMT (Windows 10)
+description: Install and Configure VAMT
+ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.date: 07/27/2017
+ms.topic: article
+---
+
+# Install and Configure VAMT
+
+This section describes how to install and configure the Volume Activation Management Tool (VAMT).
+
+## In this Section
+
+|Topic |Description |
+|------|------------|
+|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. |
+|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. |
+|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. |
+
+## Related topics
+
+- [Introduction to VAMT](introduction-vamt.md)
+
+
diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md
index 3fe43074c1..31d97d082e 100644
--- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md
+++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md
@@ -1,43 +1,44 @@
----
-title: Install a KMS Client Key (Windows 10)
-description: Install a KMS Client Key
-ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Install a KMS Client Key
-
-You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation.
-
-**Note**
-By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products.
-
-**To install a KMS Client key**
-1. Open VAMT.
-2. In the left-side pane click **Products** to open the product list view in the center pane.
-3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- - To filter the list by computer name, enter a name in the **Computer Name** box.
- - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-5. Click **Filter**. VAMT displays the filtered list in the center pane.
-6. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
-7. The **Install Product Key** dialog box displays the keys that are available to be installed.
-8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**.
-
- VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
-
- The same status is shown under the **Status of Last Action** column in the product list view in the center pane.
-
-## Related topics
-
-- [Perform KMS Activation](kms-activation-vamt.md)
+---
+title: Install a KMS Client Key (Windows 10)
+description: Install a KMS Client Key
+ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.date: 07/27/2017
+ms.topic: article
+---
+
+# Install a KMS Client Key
+
+You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation.
+
+**Note**
+By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products.
+
+**To install a KMS Client key**
+1. Open VAMT.
+2. In the left-side pane click **Products** to open the product list view in the center pane.
+3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+ - To filter the list by computer name, enter a name in the **Computer Name** box.
+ - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
+5. Click **Filter**. VAMT displays the filtered list in the center pane.
+6. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
+7. The **Install Product Key** dialog box displays the keys that are available to be installed.
+8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**.
+
+ VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+
+ The same status is shown under the **Status of Last Action** column in the product list view in the center pane.
+
+## Related topics
+
+- [Perform KMS Activation](kms-activation-vamt.md)
diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md
index 96908f97d1..4726fc4429 100644
--- a/windows/deployment/volume-activation/install-product-key-vamt.md
+++ b/windows/deployment/volume-activation/install-product-key-vamt.md
@@ -1,45 +1,46 @@
----
-title: Install a Product Key (Windows 10)
-description: Install a Product Key
-ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Install a Product Key
-
-You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK).
-
-**To install a Product key**
-1. Open VAMT.
-2. In the left-side pane, click the product that you want to install keys onto.
-3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- - To filter the list by computer name, enter a name in the **Computer Name** box.
- - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-5. Click **Filter**.
-6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
-7. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
-8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time.
-9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
-
- The same status is shown under the **Status of Last Action** column in the product list view in the center pane.
-
- **Note**
- Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right
- Volume License Key for Windows](https://go.microsoft.com/fwlink/p/?linkid=238382).
-
-## Related topics
-
-- [Manage Product Keys](manage-product-keys-vamt.md)
-
-
+---
+title: Install a Product Key (Windows 10)
+description: Install a Product Key
+ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.date: 07/27/2017
+ms.topic: article
+---
+
+# Install a Product Key
+
+You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK).
+
+**To install a Product key**
+1. Open VAMT.
+2. In the left-side pane, click the product that you want to install keys onto.
+3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+ - To filter the list by computer name, enter a name in the **Computer Name** box.
+ - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
+5. Click **Filter**.
+6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
+7. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
+8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time.
+9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+
+ The same status is shown under the **Status of Last Action** column in the product list view in the center pane.
+
+ **Note**
+ Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right
+ Volume License Key for Windows](https://go.microsoft.com/fwlink/p/?linkid=238382).
+
+## Related topics
+
+- [Manage Product Keys](manage-product-keys-vamt.md)
+
+
diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md
index 791d49e497..f03b9eea97 100644
--- a/windows/deployment/volume-activation/introduction-vamt.md
+++ b/windows/deployment/volume-activation/introduction-vamt.md
@@ -1,66 +1,67 @@
----
-title: Introduction to VAMT (Windows 10)
-description: Introduction to VAMT
-ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Introduction to VAMT
-
-The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012.
-
-**Note**
-VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
-
-## In this Topic
-- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
-- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
-- [Enterprise Environment](#bkmk-enterpriseenvironment)
-- [VAMT User Interface](#bkmk-userinterface)
-
-## Managing Multiple Activation Key (MAK) and Retail Activation
-
-You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
-- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
-- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
-
-## Managing Key Management Service (KMS) Activation
-
-In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
-VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
-
-## Enterprise Environment
-
-VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.
-
-
-
-In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
-The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.
-
-## VAMT User Interface
-
-The following screenshot shows the VAMT graphical user interface.
-
-
-
-VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
-- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
-- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
-- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
-- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
-- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
-
-## Related topics
-- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
-
-
+---
+title: Introduction to VAMT (Windows 10)
+description: Introduction to VAMT
+ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Introduction to VAMT
+
+The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012.
+
+**Note**
+VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
+
+## In this Topic
+- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
+- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
+- [Enterprise Environment](#bkmk-enterpriseenvironment)
+- [VAMT User Interface](#bkmk-userinterface)
+
+## Managing Multiple Activation Key (MAK) and Retail Activation
+
+You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
+- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
+- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
+
+## Managing Key Management Service (KMS) Activation
+
+In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
+VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
+
+## Enterprise Environment
+
+VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.
+
+
+
+In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
+The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.
+
+## VAMT User Interface
+
+The following screenshot shows the VAMT graphical user interface.
+
+
+
+VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
+- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
+- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
+- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
+- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
+- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
+
+## Related topics
+- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
+
+
diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md
index 318cd0cb65..1f0fba1201 100644
--- a/windows/deployment/volume-activation/manage-activations-vamt.md
+++ b/windows/deployment/volume-activation/manage-activations-vamt.md
@@ -1,33 +1,34 @@
----
-title: Manage Activations (Windows 10)
-description: Manage Activations
-ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Manage Activations
-
-This section describes how to activate a client computer, by using a variety of activation methods.
-
-## In this Section
-
-|Topic |Description |
-|------|------------|
-|[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. |
-|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. |
-|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). |
-|[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. |
-|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. |
-|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. |
-
-
-
+---
+title: Manage Activations (Windows 10)
+description: Manage Activations
+ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Manage Activations
+
+This section describes how to activate a client computer, by using a variety of activation methods.
+
+## In this Section
+
+|Topic |Description |
+|------|------------|
+|[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. |
+|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. |
+|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). |
+|[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. |
+|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. |
+|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. |
+
+
+
diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md
index bedd50af8f..f127b566ab 100644
--- a/windows/deployment/volume-activation/manage-product-keys-vamt.md
+++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md
@@ -1,29 +1,30 @@
----
-title: Manage Product Keys (Windows 10)
-description: Manage Product Keys
-ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Manage Product Keys
-
-This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database.
-## In this Section
-
-|Topic |Description |
-|------|------------|
-|[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. |
-|[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. |
-|[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. |
-
-
-
+---
+title: Manage Product Keys (Windows 10)
+description: Manage Product Keys
+ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Manage Product Keys
+
+This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database.
+## In this Section
+
+|Topic |Description |
+|------|------------|
+|[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. |
+|[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. |
+|[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. |
+
+
+
diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md
index 7d068975cd..aeb0f2ba2f 100644
--- a/windows/deployment/volume-activation/manage-vamt-data.md
+++ b/windows/deployment/volume-activation/manage-vamt-data.md
@@ -1,25 +1,26 @@
----
-title: Manage VAMT Data (Windows 10)
-description: Manage VAMT Data
-ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Manage VAMT Data
-
-This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT).
-
-## In this Section
-|Topic |Description |
-|------|------------|
-|[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. |
-|[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. |
+---
+title: Manage VAMT Data (Windows 10)
+description: Manage VAMT Data
+ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Manage VAMT Data
+
+This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT).
+
+## In this Section
+|Topic |Description |
+|------|------------|
+|[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. |
+|[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. |
diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md
index ea131b996d..143855e843 100644
--- a/windows/deployment/volume-activation/monitor-activation-client.md
+++ b/windows/deployment/volume-activation/monitor-activation-client.md
@@ -1,44 +1,45 @@
----
-title: Monitor activation (Windows 10)
-ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description:
-keywords: vamt, volume activation, activation, windows activation
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.topic: article
----
-
-# Monitor activation
-
-**Applies to**
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows Server 2008 R2
-
-**Looking for retail activation?**
-
-- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
-
-You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include:
-- Using the Volume Licensing Service Center website to track use of MAK keys.
-- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](https://technet.microsoft.com/library/ff793433.aspx).)
-- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.)
-- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290).
-- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager.
-- See [Troubleshooting activation error codes](https://docs.microsoft.com/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS).
-- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section.
-
-## See also
-
-[Volume Activation for Windows 10](volume-activation-windows-10.md)
+---
+title: Monitor activation (Windows 10)
+ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+description:
+keywords: vamt, volume activation, activation, windows activation
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.topic: article
+---
+
+# Monitor activation
+
+**Applies to**
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
+
+**Looking for retail activation?**
+
+- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+
+You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include:
+- Using the Volume Licensing Service Center website to track use of MAK keys.
+- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](https://technet.microsoft.com/library/ff793433.aspx).)
+- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.)
+- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290).
+- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager.
+- See [Troubleshooting activation error codes](https://docs.microsoft.com/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS).
+- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section.
+
+## See also
+
+[Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md
index 45f237024f..20a2b3b6c8 100644
--- a/windows/deployment/volume-activation/online-activation-vamt.md
+++ b/windows/deployment/volume-activation/online-activation-vamt.md
@@ -1,55 +1,56 @@
----
-title: Perform Online Activation (Windows 10)
-description: Perform Online Activation
-ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Perform Online Activation
-
-You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key.
-
-## Requirements
-
-Before performing online activation, ensure that the network and the VAMT installation meet the following requirements:
-- VAMT is installed on a central computer that has network access to all client computers.
-- Both the VAMT host and client computers have Internet access.
-- The products that you want to activate are added to VAMT.
-- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
-
-The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking
-**Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs.
-
-## To Perform an Online Activation
-
-**To perform an online activation**
-1. Open VAMT.
-2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- - To filter the list by computer name, enter a name in the **Computer Name** box.
- - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-4. Click **Filter**. VAMT displays the filtered list in the center pane.
-5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
-6. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button.
-7. Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
-8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
-
- The same status is shown under the **Status of Last Action** column in the products list view in the center pane.
-
- **Note**
- Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation.
-
- **Note**
- You can use online activation to select products that have different key types and activate the products at the same time.
-
-## Related topics
-- [Manage Activations](manage-activations-vamt.md)
+---
+title: Perform Online Activation (Windows 10)
+description: Perform Online Activation
+ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Perform Online Activation
+
+You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key.
+
+## Requirements
+
+Before performing online activation, ensure that the network and the VAMT installation meet the following requirements:
+- VAMT is installed on a central computer that has network access to all client computers.
+- Both the VAMT host and client computers have Internet access.
+- The products that you want to activate are added to VAMT.
+- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
+
+The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking
+**Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs.
+
+## To Perform an Online Activation
+
+**To perform an online activation**
+1. Open VAMT.
+2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+ - To filter the list by computer name, enter a name in the **Computer Name** box.
+ - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
+4. Click **Filter**. VAMT displays the filtered list in the center pane.
+5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
+6. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button.
+7. Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
+8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+
+ The same status is shown under the **Status of Last Action** column in the products list view in the center pane.
+
+ **Note**
+ Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation.
+
+ **Note**
+ You can use online activation to select products that have different key types and activate the products at the same time.
+
+## Related topics
+- [Manage Activations](manage-activations-vamt.md)
diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md
index 65dd923d7e..52fa995e65 100644
--- a/windows/deployment/volume-activation/remove-products-vamt.md
+++ b/windows/deployment/volume-activation/remove-products-vamt.md
@@ -1,35 +1,36 @@
----
-title: Remove Products (Windows 10)
-description: Remove Products
-ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Remove Products
-
-To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane.
-
-**To delete one or more products**
-1. Click a product node in the left-side pane.
-2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- - To filter the list by computer name, enter a name in the **Computer Name** box.
- - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-4. Click **Filter**. VAMT displays the filtered list in the center pane.
-5. Select the products you want to delete.
-6. Click **Delete** in the **Selected Items** menu in the right-side pane.
-7. On the **Confirm Delete Selected Products** dialog box, click **OK**.
-
-## Related topics
-- [Add and Manage Products](add-manage-products-vamt.md)
-
-
+---
+title: Remove Products (Windows 10)
+description: Remove Products
+ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Remove Products
+
+To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane.
+
+**To delete one or more products**
+1. Click a product node in the left-side pane.
+2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+ - To filter the list by computer name, enter a name in the **Computer Name** box.
+ - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
+4. Click **Filter**. VAMT displays the filtered list in the center pane.
+5. Select the products you want to delete.
+6. Click **Delete** in the **Selected Items** menu in the right-side pane.
+7. On the **Confirm Delete Selected Products** dialog box, click **OK**.
+
+## Related topics
+- [Add and Manage Products](add-manage-products-vamt.md)
+
+
diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
index 34263037b3..2130befc33 100644
--- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
@@ -1,48 +1,49 @@
----
-title: Scenario 3 KMS Client Activation (Windows 10)
-description: Scenario 3 KMS Client Activation
-ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Scenario 3: KMS Client Activation
-
-In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md).
-
-The procedure that is described below assumes the following:
-- The KMS Service is enabled and available to all KMS clients.
-- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information.
-
-## Activate KMS Clients
-
-1. Open VAMT.
-2. To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box.
-3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options:
- - **Find a KMS host automatically using DNS**. This is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead.
- - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain.
- - **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host.
-4. In the left-side pane, in the **Products** node, click the product that you want to activate.
-5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- - To filter the list by computer name, enter a name in the **Computer Name** box.
- - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-7. Click **Filter**. VAMT displays the filtered list in the center pane.
-8. Select the products that you want to activate.
-9. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
-10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
-
-The same status is shown under the **Status of Last Action** column in the products list view in the center pane.
-
-## Related topics
-- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
-
-
+---
+title: Scenario 3 KMS Client Activation (Windows 10)
+description: Scenario 3 KMS Client Activation
+ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Scenario 3: KMS Client Activation
+
+In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md).
+
+The procedure that is described below assumes the following:
+- The KMS Service is enabled and available to all KMS clients.
+- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information.
+
+## Activate KMS Clients
+
+1. Open VAMT.
+2. To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box.
+3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options:
+ - **Find a KMS host automatically using DNS**. This is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead.
+ - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain.
+ - **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host.
+4. In the left-side pane, in the **Products** node, click the product that you want to activate.
+5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+ - To filter the list by computer name, enter a name in the **Computer Name** box.
+ - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
+7. Click **Filter**. VAMT displays the filtered list in the center pane.
+8. Select the products that you want to activate.
+9. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
+10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+
+The same status is shown under the **Status of Last Action** column in the products list view in the center pane.
+
+## Related topics
+- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
+
+
diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md
index 038839adb4..b223b876bd 100644
--- a/windows/deployment/volume-activation/update-product-status-vamt.md
+++ b/windows/deployment/volume-activation/update-product-status-vamt.md
@@ -1,38 +1,39 @@
----
-title: Update Product Status (Windows 10)
-description: Update Product Status
-ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Update Product Status
-
-After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database.
-To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
-
-**Note**
-The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated.
-
-## Update the license status of a product
-
-1. Open VAMT.
-2. In the **Products** list, select one or more products that need to have their status updated.
-3. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer.
-4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**.
-
- VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane.
-
- **Note**
- If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view.
-
-## Related topics
-- [Add and Manage Products](add-manage-products-vamt.md)
+---
+title: Update Product Status (Windows 10)
+description: Update Product Status
+ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Update Product Status
+
+After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database.
+To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
+
+**Note**
+The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated.
+
+## Update the license status of a product
+
+1. Open VAMT.
+2. In the **Products** list, select one or more products that need to have their status updated.
+3. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer.
+4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**.
+
+ VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane.
+
+ **Note**
+ If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view.
+
+## Related topics
+- [Add and Manage Products](add-manage-products-vamt.md)
diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md
index e9c0da934f..3b555d3b7f 100644
--- a/windows/deployment/volume-activation/vamt-requirements.md
+++ b/windows/deployment/volume-activation/vamt-requirements.md
@@ -1,46 +1,47 @@
----
-title: VAMT Requirements (Windows 10)
-description: VAMT Requirements
-ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# VAMT Requirements
-
-This topic includes info about the product key and system requirements for VAMT.
-
-## Product Key Requirements
-
-The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys.
-
-|Product key type |Where to obtain |
-|-----------------|----------------|
-|
Multiple Activation Key (MAK)
Key Management Service (KMS) host key (CSVLK)
KMS client setup keys (GVLK)
|Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). |
-|Retail product keys |Obtained at time of product purchase. |
-
-## System Requirements
-
-The following table lists the system requirements for the VAMT host computer.
-
-| Item | Minimum system requirement |
-| ---- | ---------------------------|
-| Computer and Processor | 1 GHz x86 or x64 processor |
-| Memory | 1 GB RAM for x86 or 2 GB RAM for x64 |
-| Hard Disk | 16 GB available hard disk space for x86 or 20 GB for x64 |
-| External Drive | Removable media (Optional) |
-| Display | 1024x768 or higher resolution monitor |
-| Network | Connectivity to remote computers via Windows Management Instrumentation (TCP/IP) and Microsoft Activation Web Service on the Internet via HTTPS |
-| Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. |
-| Additional Requirements |
Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).
If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
|
-
-## Related topics
-- [Install and Configure VAMT](install-configure-vamt.md)
+---
+title: VAMT Requirements (Windows 10)
+description: VAMT Requirements
+ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# VAMT Requirements
+
+This topic includes info about the product key and system requirements for VAMT.
+
+## Product Key Requirements
+
+The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys.
+
+|Product key type |Where to obtain |
+|-----------------|----------------|
+|
Multiple Activation Key (MAK)
Key Management Service (KMS) host key (CSVLK)
KMS client setup keys (GVLK)
|Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). |
+|Retail product keys |Obtained at time of product purchase. |
+
+## System Requirements
+
+The following table lists the system requirements for the VAMT host computer.
+
+| Item | Minimum system requirement |
+| ---- | ---------------------------|
+| Computer and Processor | 1 GHz x86 or x64 processor |
+| Memory | 1 GB RAM for x86 or 2 GB RAM for x64 |
+| Hard Disk | 16 GB available hard disk space for x86 or 20 GB for x64 |
+| External Drive | Removable media (Optional) |
+| Display | 1024x768 or higher resolution monitor |
+| Network | Connectivity to remote computers via Windows Management Instrumentation (TCP/IP) and Microsoft Activation Web Service on the Internet via HTTPS |
+| Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. |
+| Additional Requirements |
Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).
If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
|
+
+## Related topics
+- [Install and Configure VAMT](install-configure-vamt.md)
diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md
index ae1576bb5f..a2e5f633c5 100644
--- a/windows/deployment/volume-activation/vamt-step-by-step.md
+++ b/windows/deployment/volume-activation/vamt-step-by-step.md
@@ -1,32 +1,33 @@
----
-title: VAMT Step-by-Step Scenarios (Windows 10)
-description: VAMT Step-by-Step Scenarios
-ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# VAMT Step-by-Step Scenarios
-
-This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started.
-
-## In this Section
-
-|Topic |Description |
-|------|------------|
-|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. |
-|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. |
-|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. |
-
-## Related topics
-- [Introduction to VAMT](introduction-vamt.md)
-
-
+---
+title: VAMT Step-by-Step Scenarios (Windows 10)
+description: VAMT Step-by-Step Scenarios
+ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# VAMT Step-by-Step Scenarios
+
+This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started.
+
+## In this Section
+
+|Topic |Description |
+|------|------------|
+|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. |
+|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. |
+|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. |
+
+## Related topics
+- [Introduction to VAMT](introduction-vamt.md)
+
+
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index 3ae808a4af..99b5479318 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -12,7 +12,6 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 80dc7ea0eb..61d5af710d 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -5,6 +5,7 @@ ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
keywords: upgrade, in-place, configuration, deploy
ms.prod: w10
@@ -12,7 +13,6 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md
index 31c2c53103..3b2e91c7cd 100644
--- a/windows/deployment/windows-10-deployment-tools-reference.md
+++ b/windows/deployment/windows-10-deployment-tools-reference.md
@@ -5,17 +5,17 @@ ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro
-author: greg-lindsay
ms.date: 07/12/2017
ms.topic: article
---
-# Windows 10 deployment tools
+# Windows 10 deployment tools reference
Learn about the tools available to deploy Windows 10.
diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md
index a71caf0006..33f7b49f5e 100644
--- a/windows/deployment/windows-10-deployment-tools.md
+++ b/windows/deployment/windows-10-deployment-tools.md
@@ -5,12 +5,12 @@ ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro
-author: greg-lindsay
ms.date: 10/16/2017
ms.topic: article
---
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index c36f0c2cdc..d362478ccc 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -13,7 +13,6 @@ manager: laurawi
ms.audience: itpro
author: greg-lindsay
audience: itpro
-author: greg-lindsay
ms.collection: M365-modern-desktop
ms.topic: article
---
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
index 24743735e8..38a56db227 100644
--- a/windows/deployment/windows-10-media.md
+++ b/windows/deployment/windows-10-media.md
@@ -9,10 +9,10 @@ ms.date: 10/20/2017
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
ms.sitesec: library
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md
index dfa95cf6e1..7f9f5e72ad 100644
--- a/windows/deployment/windows-10-missing-fonts.md
+++ b/windows/deployment/windows-10-missing-fonts.md
@@ -1,103 +1,104 @@
----
-title: How to install fonts missing after upgrading to Windows 10
-description: Some of the fonts are missing from the system after you upgrade to Windows 10.
-keywords: deploy, upgrade, FoD, optional feature
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: itpro
author: greg-lindsay
-ms.audience: itpro
author: greg-lindsay
-ms.date: 10/31/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-# How to install fonts that are missing after upgrading to Windows 10
-
-> Applies to: Windows 10
-
-When you upgrade from the Windows 7, Windows 8, or Windows 8.1 operating system to Windows 10, certain fonts are no longer available by default post-upgrade. To reduce the operating system footprint, improve performance, and optimize disk space usage, we moved many of the fonts that were previously shipped with prior versions of Windows to the optional features of Windows 10. If you install a fresh instance of Windows 10, or upgrade an older version of Windows to Windows 10, these optional features are not enabled by default. As a result, these fonts appear to be missing from the system.
-
-If you have documents created using the missing fonts, these documents might display differently on Windows 10.
-
-For example, if you have an English (or French, German, or Spanish) version of Windows 10 installed, you might notice that fonts such as the following are appear to be missing:
-
-- Gautami
-- Meiryo
-- Narkism/Batang
-- BatangChe
-- Dotum
-- DotumChe
-- Gulim
-- GulimChe
-- Gungsuh
-- GungsuhChe
-
-If you want to use these fonts, you can enable the optional feature to add these back to your system. Be aware that this is a permanent change in behavior for Windows 10, and it will remain this way in future releases.
-
-## Installing language-associated features via language settings:
-
-If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. You do this the Settings app.
-
-For example, here are the steps to install the fonts associated with the Hebrew language:
-
-1. Click **Start > Settings**.
-2. In Settings, click **Time & language**, and then click **Region & language**.
-3. If Hebrew is not included in the list of languages, click the plus sign (**+**) to add a language.
-4. Find Hebrew, and then click it to add it to your language list.
-
-Once you have added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This should only take a few minutes.
-
-> Note: The optional features are installed by Windows Update. This means you need to be online for the Windows Update service to work.
-
-## Install optional fonts manually without changing language settings:
-
-If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings.
-
-For example, here are the steps to install the fonts associated with the Hebrew language without adding the Hebrew language itself to your language preferences:
-
-1. Click **Start > Settings**.
-2. In Settings, click **Apps**, click **Apps & features**, and then click **Manage optional features**.
-
-3. If you don't see **Hebrew Supplemental Fonts** in the list of installed features, click the plus sign (**+**) to add a feature.
-4. Select **Hebrew Supplemental Fonts** in the list, and then click **Install**.
-
-> Note: The optional features are installed by Windows Update. You need to be online for the Windows Update service to work.
-
-## Fonts included in optional font features
-
-Here is a comprehensive list of the font families in each of the optional features. Some font families might include multiple fonts for different weights and styles.
-
-- Arabic Script Supplemental Fonts: Aldhabi, Andalus, Arabic Typesetting, Microsoft Uighur, Sakkal Majalla, Simplified Arabic, Traditional Arabic, Urdu Typesetting
-- Bangla Script Supplemental Fonts: Shonar Bangla, Vrinda
-- Canadian Aboriginal Syllabics Supplemental Fonts: Euphemia
-- Cherokee Supplemental Fonts: Plantagenet Cherokee
-- Chinese (Simplified) Supplemental Fonts: DengXian, FangSong, KaiTi, SimHei
-- Chinese (Traditional) Supplemental Fonts: DFKai-SB, MingLiU, MingLiU_HKSCS, PMingLiU
-- Devanagari Supplemental Fonts: Aparajita, Kokila, Mangal, Sanskrit Text, Utsaah
-- Ethiopic Supplemental Fonts: Nyala
-- Gujarati Supplemental Fonts: Shruti
-- Gurmukhi Supplemental Fonts: Raavi
-- Hebrew Supplemental Fonts: Aharoni Bold, David, FrankRuehl, Gisha, Levanim MT, Miriam, Miriam Fixed, Narkism, Rod
-- Japanese Supplemental Fonts: Meiryo, Meiryo UI, MS Gothic, MS PGothic, MS UI Gothic, MS Mincho, MS PMincho, Yu Mincho
-- Kannada Supplemental Fonts: Tunga
-- Khmer Supplemental Fonts: DaunPenh, Khmer UI, MoolBoran
-- Korean Supplemental Fonts: Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, GungsuhChe
-- Lao Supplemental Fonts: DokChampa, Lao UI
-- Malayalam Supplemental Fonts: Karthika
-- Odia Supplemental Fonts: Kalinga
-- Pan-European Supplemental Fonts: Arial Nova, Georgia Pro, Gill Sans Nova, Neue Haas Grotesk, Rockwell Nova, Verdana Pro
-- Sinhala Supplemental Fonts: Iskoola Pota
-- Syriac Supplemental Fonts: Estrangelo Edessa
-- Tamil Supplemental Fonts: Latha, Vijaya
-- Telugu Supplemental Fonts: Gautami, Vani
-- Thai Supplemental Fonts: Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DilleniaUPC, EucrosiaUPC, FreesiaUPC, IrisUPC, JasmineUPC, KodchiangUPC, Leelawadee, LilyUPC
-
-## Related Topics
-
-[Download the list of all available language FODs](https://download.microsoft.com/download/0/A/A/0AA4342D-3933-4216-A90D-3BA8392FB1D1/Windows%2010%201703%20FOD%20to%20LP%20Mapping%20Table.xlsx)
-
-[Features On Demand V2 (Capabilities)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities#span-idrelatedtopicsspanrelated-topics)
-
-[Add Language Packs to Windows](/windows-hardware/manufacture/desktop/add-language-packs-to-windows)
+---
+title: How to install fonts missing after upgrading to Windows 10
+description: Some of the fonts are missing from the system after you upgrade to Windows 10.
+keywords: deploy, upgrade, FoD, optional feature
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.localizationpriority: medium
+audience: itpro
+author: greg-lindsay
+ms.audience: itpro
+ms.date: 10/31/2017
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+# How to install fonts that are missing after upgrading to Windows 10
+
+> Applies to: Windows 10
+
+When you upgrade from the Windows 7, Windows 8, or Windows 8.1 operating system to Windows 10, certain fonts are no longer available by default post-upgrade. To reduce the operating system footprint, improve performance, and optimize disk space usage, we moved many of the fonts that were previously shipped with prior versions of Windows to the optional features of Windows 10. If you install a fresh instance of Windows 10, or upgrade an older version of Windows to Windows 10, these optional features are not enabled by default. As a result, these fonts appear to be missing from the system.
+
+If you have documents created using the missing fonts, these documents might display differently on Windows 10.
+
+For example, if you have an English (or French, German, or Spanish) version of Windows 10 installed, you might notice that fonts such as the following are appear to be missing:
+
+- Gautami
+- Meiryo
+- Narkism/Batang
+- BatangChe
+- Dotum
+- DotumChe
+- Gulim
+- GulimChe
+- Gungsuh
+- GungsuhChe
+
+If you want to use these fonts, you can enable the optional feature to add these back to your system. Be aware that this is a permanent change in behavior for Windows 10, and it will remain this way in future releases.
+
+## Installing language-associated features via language settings:
+
+If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. You do this the Settings app.
+
+For example, here are the steps to install the fonts associated with the Hebrew language:
+
+1. Click **Start > Settings**.
+2. In Settings, click **Time & language**, and then click **Region & language**.
+3. If Hebrew is not included in the list of languages, click the plus sign (**+**) to add a language.
+4. Find Hebrew, and then click it to add it to your language list.
+
+Once you have added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This should only take a few minutes.
+
+> Note: The optional features are installed by Windows Update. This means you need to be online for the Windows Update service to work.
+
+## Install optional fonts manually without changing language settings:
+
+If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings.
+
+For example, here are the steps to install the fonts associated with the Hebrew language without adding the Hebrew language itself to your language preferences:
+
+1. Click **Start > Settings**.
+2. In Settings, click **Apps**, click **Apps & features**, and then click **Manage optional features**.
+
+3. If you don't see **Hebrew Supplemental Fonts** in the list of installed features, click the plus sign (**+**) to add a feature.
+4. Select **Hebrew Supplemental Fonts** in the list, and then click **Install**.
+
+> Note: The optional features are installed by Windows Update. You need to be online for the Windows Update service to work.
+
+## Fonts included in optional font features
+
+Here is a comprehensive list of the font families in each of the optional features. Some font families might include multiple fonts for different weights and styles.
+
+- Arabic Script Supplemental Fonts: Aldhabi, Andalus, Arabic Typesetting, Microsoft Uighur, Sakkal Majalla, Simplified Arabic, Traditional Arabic, Urdu Typesetting
+- Bangla Script Supplemental Fonts: Shonar Bangla, Vrinda
+- Canadian Aboriginal Syllabics Supplemental Fonts: Euphemia
+- Cherokee Supplemental Fonts: Plantagenet Cherokee
+- Chinese (Simplified) Supplemental Fonts: DengXian, FangSong, KaiTi, SimHei
+- Chinese (Traditional) Supplemental Fonts: DFKai-SB, MingLiU, MingLiU_HKSCS, PMingLiU
+- Devanagari Supplemental Fonts: Aparajita, Kokila, Mangal, Sanskrit Text, Utsaah
+- Ethiopic Supplemental Fonts: Nyala
+- Gujarati Supplemental Fonts: Shruti
+- Gurmukhi Supplemental Fonts: Raavi
+- Hebrew Supplemental Fonts: Aharoni Bold, David, FrankRuehl, Gisha, Levanim MT, Miriam, Miriam Fixed, Narkism, Rod
+- Japanese Supplemental Fonts: Meiryo, Meiryo UI, MS Gothic, MS PGothic, MS UI Gothic, MS Mincho, MS PMincho, Yu Mincho
+- Kannada Supplemental Fonts: Tunga
+- Khmer Supplemental Fonts: DaunPenh, Khmer UI, MoolBoran
+- Korean Supplemental Fonts: Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, GungsuhChe
+- Lao Supplemental Fonts: DokChampa, Lao UI
+- Malayalam Supplemental Fonts: Karthika
+- Odia Supplemental Fonts: Kalinga
+- Pan-European Supplemental Fonts: Arial Nova, Georgia Pro, Gill Sans Nova, Neue Haas Grotesk, Rockwell Nova, Verdana Pro
+- Sinhala Supplemental Fonts: Iskoola Pota
+- Syriac Supplemental Fonts: Estrangelo Edessa
+- Tamil Supplemental Fonts: Latha, Vijaya
+- Telugu Supplemental Fonts: Gautami, Vani
+- Thai Supplemental Fonts: Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DilleniaUPC, EucrosiaUPC, FreesiaUPC, IrisUPC, JasmineUPC, KodchiangUPC, Leelawadee, LilyUPC
+
+## Related Topics
+
+[Download the list of all available language FODs](https://download.microsoft.com/download/0/A/A/0AA4342D-3933-4216-A90D-3BA8392FB1D1/Windows%2010%201703%20FOD%20to%20LP%20Mapping%20Table.xlsx)
+
+[Features On Demand V2 (Capabilities)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities#span-idrelatedtopicsspanrelated-topics)
+
+[Add Language Packs to Windows](/windows-hardware/manufacture/desktop/add-language-packs-to-windows)
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index a9ffbb1c73..c10e477cff 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -11,9 +11,9 @@ ms.date: 10/11/2017
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index ba8078e40c..67a95f1168 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -10,9 +10,9 @@ ms.localizationpriority: medium
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index e86a065bf5..f4ab49b62a 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -3,6 +3,7 @@ title: Configure a test lab to deploy Windows 10
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
ms.prod: w10
@@ -12,7 +13,6 @@ ms.pagetype: deploy
keywords: deployment, automate, tools, configure, mdt, sccm
ms.localizationpriority: medium
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
index 412dceea4f..bd8b4b1db5 100644
--- a/windows/deployment/windows-10-pro-in-s-mode.md
+++ b/windows/deployment/windows-10-pro-in-s-mode.md
@@ -1,90 +1,91 @@
----
-title: Switch to Windows 10 Pro/Enterprise from S mode
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional.
-keywords: Windows 10 S switch, S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.prod: w10
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Switch to Windows 10 Pro or Enterprise from S mode
-
-We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later.
-
-
-A number of other transformations are possible depending on which version and edition of Windows 10 you are starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means:
-
-
-
-
-| If a device is running this version of Windows 10 | and this edition of Windows 10 | then you can switch or convert it to this edition of Windows 10 by these methods: | | |
-|-------------|---------------------|-----------------------------------|-------------------------------|--------------------------------------------|
-| | | **Store for Education** (switch/convert all devices in your tenant) | **Microsoft Store** (switch/convert one device at a time) | **Intune** (switch/convert any number of devices selected by admin) |
-| **Windows 10, version 1709** | Pro in S mode | Pro EDU | Pro | Not by this method |
-| | Pro | Pro EDU | Not by any method | Not by any method |
-| | Home | Not by any method | Not by any method | Not by any method |
-| | | | | |
-| **Windows 10, version 1803** | Pro in S mode | Pro EDU in S mode | Pro | Not by this method |
-| | Pro | Pro EDU | Not by any method | Not by any method |
-| | Home in S mode | Not by any method | Home | Not by this method |
-| | Home | Not by any method | Not by any method | Not by any method |
-| | | | | |
-| **Windows 10, version 1809** | Pro in S mode | Pro EDU in S mode | Pro | Pro |
-| | Pro | Pro EDU | Not by any method | Not by any method |
-| | Home in S mode | Not by any method | Home | Home |
-| | Home | Not by any method | Not by any method | Not by any method |
-
-
-Use the following information to switch to Windows 10 Pro through the Microsoft Store.
-> [!IMPORTANT]
-> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
-
-## Switch one device through the Microsoft Store
-Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device.
-
-Note these differences affecting switching modes in various releases of Windows 10:
-
-- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible.
-- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**.
-- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
-
-
-1. Sign into the Microsoft Store using your Microsoft account.
-2. Search for "S mode".
-3. In the offer, select **Buy**, **Get**, or **Learn more.**
-
-You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
-
-## Switch one or more devices by using Microsoft Intune
-
-Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE - this gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle.
-
-1. Start Microsoft Intune.
-2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**.
-3. Follow the instructions to complete the switch.
-
-
-## Block users from switching
-
-You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10.
-To set this, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
-
-## S mode management with CSPs
-
-In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](https://docs.microsoft.com/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode).
-
-
-## Related topics
-
-[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
-[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-[Windows 10 Pro Education](https://docs.microsoft.com/education/windows/test-windows10s-for-edu)
-[Introduction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/intune/what-is-intune)
+---
+title: Switch to Windows 10 Pro/Enterprise from S mode
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional.
+keywords: Windows 10 S switch, S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.prod: w10
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Switch to Windows 10 Pro or Enterprise from S mode
+
+We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later.
+
+
+A number of other transformations are possible depending on which version and edition of Windows 10 you are starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means:
+
+
+
+
+| If a device is running this version of Windows 10 | and this edition of Windows 10 | then you can switch or convert it to this edition of Windows 10 by these methods: | | |
+|-------------|---------------------|-----------------------------------|-------------------------------|--------------------------------------------|
+| | | **Store for Education** (switch/convert all devices in your tenant) | **Microsoft Store** (switch/convert one device at a time) | **Intune** (switch/convert any number of devices selected by admin) |
+| **Windows 10, version 1709** | Pro in S mode | Pro EDU | Pro | Not by this method |
+| | Pro | Pro EDU | Not by any method | Not by any method |
+| | Home | Not by any method | Not by any method | Not by any method |
+| | | | | |
+| **Windows 10, version 1803** | Pro in S mode | Pro EDU in S mode | Pro | Not by this method |
+| | Pro | Pro EDU | Not by any method | Not by any method |
+| | Home in S mode | Not by any method | Home | Not by this method |
+| | Home | Not by any method | Not by any method | Not by any method |
+| | | | | |
+| **Windows 10, version 1809** | Pro in S mode | Pro EDU in S mode | Pro | Pro |
+| | Pro | Pro EDU | Not by any method | Not by any method |
+| | Home in S mode | Not by any method | Home | Home |
+| | Home | Not by any method | Not by any method | Not by any method |
+
+
+Use the following information to switch to Windows 10 Pro through the Microsoft Store.
+> [!IMPORTANT]
+> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
+
+## Switch one device through the Microsoft Store
+Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device.
+
+Note these differences affecting switching modes in various releases of Windows 10:
+
+- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible.
+- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**.
+- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
+
+
+1. Sign into the Microsoft Store using your Microsoft account.
+2. Search for "S mode".
+3. In the offer, select **Buy**, **Get**, or **Learn more.**
+
+You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
+
+## Switch one or more devices by using Microsoft Intune
+
+Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE - this gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle.
+
+1. Start Microsoft Intune.
+2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**.
+3. Follow the instructions to complete the switch.
+
+
+## Block users from switching
+
+You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10.
+To set this, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
+
+## S mode management with CSPs
+
+In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](https://docs.microsoft.com/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode).
+
+
+## Related topics
+
+[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
+[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
+[Windows 10 Pro Education](https://docs.microsoft.com/education/windows/test-windows10s-for-edu)
+[Introduction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/intune/what-is-intune)
diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md
index 861ef1b1ad..d8d6f47273 100644
--- a/windows/deployment/windows-adk-scenarios-for-it-pros.md
+++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md
@@ -1,97 +1,98 @@
----
-title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10)
-description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
-ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Windows ADK for Windows 10 scenarios for IT Pros
-
-
-The [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx).
-
-In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](https://msdn.microsoft.com/library/windows/hardware/dn938361.aspx).
-
-Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center.
-
-### Create a Windows image using command-line tools
-
-[DISM](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx) is used to mount and service Windows images.
-
-Here are some things you can do with DISM:
-
-- [Mount an offline image](https://msdn.microsoft.com/library/windows/hardware/dn938321.aspx)
-- [Add drivers to an offline image](https://msdn.microsoft.com/library/windows/hardware/dn898469.aspx)
-- [Enable or disable Windows features](https://msdn.microsoft.com/library/windows/hardware/dn898567.aspx)
-- [Add or remove packages](https://msdn.microsoft.com/library/windows/hardware/dn898481.aspx)
-- [Add language packs](https://msdn.microsoft.com/library/windows/hardware/dn898470.aspx)
-- [Add Universal Windows apps](https://msdn.microsoft.com/library/windows/hardware/dn898600.aspx)
-- [Upgrade the Windows edition](https://msdn.microsoft.com/library/windows/hardware/dn898500.aspx)
-
-[Sysprep](https://msdn.microsoft.com/library/windows/hardware/dn938335.aspx) prepares a Windows installation for imaging and allows you to capture a customized installation.
-
-Here are some things you can do with Sysprep:
-
-- [Generalize a Windows installation](https://msdn.microsoft.com/library/windows/hardware/dn938334.aspx)
-- [Customize the default user profile](https://msdn.microsoft.com/library/windows/hardware/dn898521.aspx)
-- [Use answer files](https://msdn.microsoft.com/library/windows/hardware/dn938346.aspx)
-
-[Windows PE (WinPE)](https://msdn.microsoft.com/library/windows/hardware/dn938389.aspx) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system.
-
-Here are ways you can create a WinPE image:
-
-- [Create a bootable USB drive](https://msdn.microsoft.com/library/windows/hardware/dn938386.aspx)
-- [Create a Boot CD, DVD, ISO, or VHD](https://msdn.microsoft.com/library/windows/hardware/dn938385.aspx)
-
-[Windows Recovery Environment (Windows RE)](https://msdn.microsoft.com/library/windows/hardware/dn938364.aspx) is a recovery environment that can repair common operating system problems.
-
-Here are some things you can do with Windows RE:
-
-- [Customize Windows RE](https://msdn.microsoft.com/library/windows/hardware/dn898523.aspx)
-- [Push-button reset](https://msdn.microsoft.com/library/windows/hardware/dn938307.aspx)
-
-[Windows System Image Manager (Windows SIM)](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx) helps you create answer files that change Windows settings and run scripts during installation.
-
-Here are some things you can do with Windows SIM:
-
-- [Create answer file](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx)
-- [Add a driver path to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915062.aspx)
-- [Add a package to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915066.aspx)
-- [Add a custom command to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915058.aspx)
-
-For a list of settings you can change, see [Unattended Windows Setup Reference](https://msdn.microsoft.com/library/windows/hardware/dn923277.aspx) on the MSDN Hardware Dev Center.
-
-### Create a Windows image using Windows ICD
-
-Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, or Windows 10 IoT Core (IoT Core) image.
-
-Here are some things you can do with Windows ICD:
-
-- [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx)
-- [Export a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916110.aspx)
-- [Build and deploy an image for Windows 10 for desktop editions](https://msdn.microsoft.com/library/windows/hardware/dn916105.aspx)
-
-### IT Pro Windows deployment tools
-
-There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet:
-
-- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
-- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10)
+description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
+ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+ms.date: 07/27/2017
+ms.topic: article
+---
+
+# Windows ADK for Windows 10 scenarios for IT Pros
+
+
+The [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx).
+
+In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](https://msdn.microsoft.com/library/windows/hardware/dn938361.aspx).
+
+Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center.
+
+### Create a Windows image using command-line tools
+
+[DISM](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx) is used to mount and service Windows images.
+
+Here are some things you can do with DISM:
+
+- [Mount an offline image](https://msdn.microsoft.com/library/windows/hardware/dn938321.aspx)
+- [Add drivers to an offline image](https://msdn.microsoft.com/library/windows/hardware/dn898469.aspx)
+- [Enable or disable Windows features](https://msdn.microsoft.com/library/windows/hardware/dn898567.aspx)
+- [Add or remove packages](https://msdn.microsoft.com/library/windows/hardware/dn898481.aspx)
+- [Add language packs](https://msdn.microsoft.com/library/windows/hardware/dn898470.aspx)
+- [Add Universal Windows apps](https://msdn.microsoft.com/library/windows/hardware/dn898600.aspx)
+- [Upgrade the Windows edition](https://msdn.microsoft.com/library/windows/hardware/dn898500.aspx)
+
+[Sysprep](https://msdn.microsoft.com/library/windows/hardware/dn938335.aspx) prepares a Windows installation for imaging and allows you to capture a customized installation.
+
+Here are some things you can do with Sysprep:
+
+- [Generalize a Windows installation](https://msdn.microsoft.com/library/windows/hardware/dn938334.aspx)
+- [Customize the default user profile](https://msdn.microsoft.com/library/windows/hardware/dn898521.aspx)
+- [Use answer files](https://msdn.microsoft.com/library/windows/hardware/dn938346.aspx)
+
+[Windows PE (WinPE)](https://msdn.microsoft.com/library/windows/hardware/dn938389.aspx) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system.
+
+Here are ways you can create a WinPE image:
+
+- [Create a bootable USB drive](https://msdn.microsoft.com/library/windows/hardware/dn938386.aspx)
+- [Create a Boot CD, DVD, ISO, or VHD](https://msdn.microsoft.com/library/windows/hardware/dn938385.aspx)
+
+[Windows Recovery Environment (Windows RE)](https://msdn.microsoft.com/library/windows/hardware/dn938364.aspx) is a recovery environment that can repair common operating system problems.
+
+Here are some things you can do with Windows RE:
+
+- [Customize Windows RE](https://msdn.microsoft.com/library/windows/hardware/dn898523.aspx)
+- [Push-button reset](https://msdn.microsoft.com/library/windows/hardware/dn938307.aspx)
+
+[Windows System Image Manager (Windows SIM)](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx) helps you create answer files that change Windows settings and run scripts during installation.
+
+Here are some things you can do with Windows SIM:
+
+- [Create answer file](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx)
+- [Add a driver path to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915062.aspx)
+- [Add a package to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915066.aspx)
+- [Add a custom command to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915058.aspx)
+
+For a list of settings you can change, see [Unattended Windows Setup Reference](https://msdn.microsoft.com/library/windows/hardware/dn923277.aspx) on the MSDN Hardware Dev Center.
+
+### Create a Windows image using Windows ICD
+
+Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, or Windows 10 IoT Core (IoT Core) image.
+
+Here are some things you can do with Windows ICD:
+
+- [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx)
+- [Export a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916110.aspx)
+- [Build and deploy an image for Windows 10 for desktop editions](https://msdn.microsoft.com/library/windows/hardware/dn916105.aspx)
+
+### IT Pro Windows deployment tools
+
+There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet:
+
+- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
+- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md
index 9b7c22ee03..b2e8164e4c 100644
--- a/windows/deployment/windows-autopilot/TOC.md
+++ b/windows/deployment/windows-autopilot/TOC.md
@@ -1,33 +1,2 @@
-# [Windows Autopilot deployment](index.md)
-# [What's new](windows-autopilot-whats-new.md)
-# Understanding Windows Autopilot
-## [Overview](windows-autopilot.md)
-## [Requirements](windows-autopilot-requirements.md)
-## [Scenarios and capabilities](windows-autopilot-scenarios.md)
-## [Get started](demonstrate-deployment-on-vm.md)
-
-# Deployment scenarios
-## [Deployment processes](deployment-process.md)
-## [User-driven mode](user-driven.md)
-## [Self-deploying mode](self-deploying.md)
-## [Windows Autopilot Reset](windows-autopilot-reset.md)
-## [White glove](white-glove.md)
-## [Support for existing devices](existing-devices.md)
-
-# Administering Windows Autopilot
-## [Registering devices](add-devices.md)
-## [Configuring device profiles](profiles.md)
-## [Enrollment Status Page](enrollment-status.md)
-## [BitLocker encryption](bitlocker.md)
-## [DFCI management](dfci-management.md)
-## [Windows Autopilot update](autopilot-update.md)
-## [Troubleshooting](troubleshooting.md)
-## [Policy conflicts](policy-conflicts.md)
-## [Known issues](known-issues.md)
-
-# Support
-## [FAQ](autopilot-faq.md)
-## [Contacts](autopilot-support.md)
-## [Registration authorization](registration-auth.md)
-## [Device guidelines](autopilot-device-guidelines.md)
-## [Motherboard replacement](autopilot-mbr.md)
+# [Windows Autopilot deployment](index.yml)
+## [Get started](demonstrate-deployment-on-vm.md)
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md
deleted file mode 100644
index cb55dd325b..0000000000
--- a/windows/deployment/windows-autopilot/add-devices.md
+++ /dev/null
@@ -1,175 +0,0 @@
----
-title: Adding devices
-ms.reviewer:
-manager: laurawi
-description: How to add devices to Windows Autopilot
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Adding devices to Windows Autopilot
-
-**Applies to**
-
-- Windows 10
-
-Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually.
-
-## OEM registration
-
-When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers and resellers" section of the [Windows Autopilot information page](https://aka.ms/windowsautopilot).
-
-Before an OEM can register devices on behalf of an organization, the organization must grant the OEM permission to do so. This process is initiated by the OEM, with approval granted by an Azure AD global administrator from the organization. See the "Customer Consent" section of the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#oem-authorization).
-
-## Reseller, distributor, or partner registration
-
-Customers may purchase devices from resellers, distributors, or other partners. As long as these resellers, distributors, and partners are part of the [Cloud Solution Partners (CSP) program](https://partner.microsoft.com/en-us/cloud-solution-provider), they too can register devices on behalf of the customer.
-
-As with OEMs, CSP partners must be granted permission to register devices on behalf of an organization. This follows the process described on the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#csp-authorization). The CSP partner initiates a request to establish a relationship with the organization, with approval granted by a global administrator from the organization. Once approved, CSP partners add devices using [Partner Center](https://partner.microsoft.com/en-us/pcv/dashboard/overview), either directly through the web site or via available APIs that can automate the same tasks.
-
-Windows Autopilot does not require delegated administrator permissions when establishing the relationship between the CSP partner and the organization. As part of the approval process performed by the global administrator, the global administrator can choose to uncheck the "Include delegated administration permissions" checkbox.
-
-## Automatic registration of existing devices
-
-If an existing device is already running a supported version of Windows 10 semi-annual channel and enrolled in an MDM service such an Intune, that MDM service can ask the device for the hardware ID (also known as a hardware hash). Once it has that, it can automatically register the device with Windows Autopilot.
-
-For instructions on how to do this with Microsoft Intune, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile) documentation describing the "Convert all targeted devices to Autopilot" setting.
-
-Also note that when using the [Windows Autopilot for existing devices](https://docs.microsoft.com/windows/deployment/windows-autopilot/existing-devices) scenario, it is not necessary to pre-register the devices with Windows Autopilot. Instead, a configuration file (AutopilotConfigurationFile.json) containing all the Windows Autopilot profile settings is used; the device can be registered with Windows Autopilot after the fact using the same "Convert all targeted devices to Autopilot" setting.
-
-## Manual registration
-
-To perform manual registration of a device, you must first capture its hardware ID (also known as a hardware hash). Once this process has completed, the resulting hardware ID can be uploaded to the Windows Autopilot service. Because this process requires booting the device into Windows 10 in order to obtain the hardware ID, this is intended primarily for testing and evaluation scenarios.
-
-## Device identification
-
-To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 installation.
-
-The hardware ID, also commonly referred to as a hardware hash, contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device.
-
-Note that the hardware hash also contains details about when it was generated, so it will change each time it is generated. When the Windows Autopilot deployment service attempts to match a device, it considers changes like that, as well as more substantial changes such as a new hard drive, and is still able to match successfully. But substantial changes to the hardware, such as a motherboard replacement, would not match, so a new hash would need to be generated and uploaded.
-
-### Collecting the hardware ID from existing devices using Microsoft Endpoint Configuration Manager
-
-Microsoft Endpoint Configuration Manager automatically collects the hardware hashes for existing Windows 10 devices. For more information, see [Gather information from Configuration Manager for Windows Autopilot](https://docs.microsoft.com/configmgr/comanage/how-to-prepare-win10#windows-autopilot). You can extract the hash information from Configuration Manager into a CSV file.
-
-> [!Note]
-> Before uploading the CSV file on Intune, please make sure that the first row contains the device serial number, Windows product ID, hardware hash, group tag, and assigned user. If there is header information on the top of CSV file, please delete that header information. See details at [Enroll Windows devices in Intune](https://docs.microsoft.com/intune/enrollment/enrollment-autopilot).
-
-### Collecting the hardware ID from existing devices using PowerShell
-
-The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running a supported version of Windows 10 semi-annual channel. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo).
-
-To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, use the following commands from an elevated Windows PowerShell prompt:
-
-```powershell
-md c:\\HWID
-Set-Location c:\\HWID
-Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
-Install-Script -Name Get-WindowsAutoPilotInfo
-Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv
-```
-
-The commands can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the [Get-WindowsAutoPilotInfo](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information about running the script.
-
->[!IMPORTANT]
->Do not connect devices to the Internet prior to capturing the hardware ID and creating an Autopilot device profile. This includes collecting the hardware ID, uploading the .CSV into MSfB or Intune, assigning the profile, and confirming the profile assignment. Connecting the device to the Internet before this process is complete will result in the device downloading a blank profile that is stored on the device until it is explicity removed. In Windows 10 version 1809, you can clear the cached profile by restarting OOBE. In previous versions, the only way to clear the stored profile is to re-install the OS, reimage the PC, or run **sysprep /generalize /oobe**.
->After Intune reports the profile ready to go, only then should the device be connected to the Internet.
-
->[!NOTE]
->If OOBE is restarted too many times it can enter a recovery mode and fail to run the Autopilot configuration. You can identify this scenario if OOBE displays multiple configuration options on the same page, including language, region, and keyboard layout. The normal OOBE displays each of these on a separate page. The following value key tracks the count of OOBE retries:
->**HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UserOOBE**
->To ensure OOBE has not been restarted too many times, you can change this value to 1.
-
-## Registering devices
-
-
-
-
-Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism.
-
-- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot). This is the preferred mechanism for all customers.
-- [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). This is used by CSP partners to register devices on behalf of customers.
-- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business.
-- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). You might already be using MSfB to manage your apps and settings.
-
-A summary of each platform's capabilities is provided below.
-
-
-
->1Microsoft recommended platform to use
->2Intune license required
->3Feature capabilities are limited
->4Device profile assignment will be retired from MSfB and Partner Center in the coming months
-
-
-Also see the following topics for more information about device IDs:
-- [Device identification](#device-identification)
-- [Windows Autopilot device guidelines](https://docs.microsoft.com/windows/deployment/windows-autopilot/autopilot-device-guidelines)
-- [Add devices to a customer account](https://docs.microsoft.com/partner-center/autopilot)
-
-
-## Summary
-
-When deploying new devices using Windows Autopilot, the following steps are required:
-
-1. [Register devices](#registering-devices). Ideally, this step is performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually.
-2. [Configure device profiles](profiles.md), specifying how the device should be deployed and what user experience should be presented.
-3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience.
-
-## Other configuration settings
-
-- [Bitlocker encryption settings](bitlocker.md): You can configure the BitLocker encryption settings to be applied before automatic encryption is started.
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md
deleted file mode 100644
index 7784e955ea..0000000000
--- a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Windows Autopilot device guidelines
-ms.reviewer:
-manager: laurawi
-description: Learn all about hardware, firmware, and software best practices for Windows Autopilot deployment.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot device guidelines
-
-**Applies to**
-
-- Windows 10
-
-## Hardware and firmware best practice guidelines for Windows Autopilot
-
-All devices used with Windows Autopilot should meet the [minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) for Windows 10.
-
-The following additional best practices ensure that devices can easily be provisioned by organizations as part of the Windows Autopilot deployment process:
-- Ensure that the TPM 2.0 is enabled and in a good state (not in Reduced Functionality Mode) by default on devices intended for Windows Autopilot self-deploying mode.
-- The OEM provisions unique tuple info (SmbiosSystemManufacturer, SmbiosSystemProductName, SmbiosSystemSerialNumber) or PKID + SmbiosSystemSerialNumber into the [SMBIOS fields](https://docs.microsoft.com/windows-hardware/drivers/bringup/smbios) per Microsoft specification (Manufacturer, Product Name and Serial Number stored in SMBIOS Type 1 04h, Type 1 05h and Type 1 07h).
-- The OEM uploads 4K Hardware Hashes obtained using OA3 Tool RS3+ run in Audit mode on full OS to Microsoft via CBR report prior to shipping devices to an Autopilot customer or channel partner.
-- As a best practice, Microsoft requires that OEM shipping drivers are published to Windows Update within 30 days of the CBR being submitted, and system firmware and driver updates are published to Windows Update within 14 days
-- The OEM ensures that the PKID provisioned in the SMBIOS is passed on to the channel.
-
-## Software best practice guidelines for Windows Autopilot
-
-- The Windows Autopilot device should be preinstalled with only a Windows 10 base image plus drivers.
-- You can preinstall your licensed version of Office, such as [Microsoft 365 Apps for enterprise](https://docs.microsoft.com/deployoffice/about-office-365-proplus-in-the-enterprise).
-- Unless explicitly requested by the customer, no other preinstalled software should be included.
- - Per OEM Policy, Windows 10 features, including built-in apps, should not be disabled or removed.
-
-## Related topics
-
-[Windows Autopilot customer consent](registration-auth.md)
-[Motherboard replacement scenario guidance](autopilot-mbr.md)
diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md
deleted file mode 100644
index 1cbfeeb11b..0000000000
--- a/windows/deployment/windows-autopilot/autopilot-faq.md
+++ /dev/null
@@ -1,165 +0,0 @@
----
-title: Windows Autopilot FAQ
-ms.reviewer: This topic provides OEMs, partners, administrators, and end users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot.
-manager: laurawi
-description: Support information for Windows Autopilot
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: low
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot FAQ
-
-**Applies to: Windows 10**
-
-This article provides OEMs, partners, administrators, and end users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot.
-
-A [glossary](#glossary) of abbreviations used in this article is provided at the end.
-
-
-## Microsoft Partner Center
-
-| Question | Answer |
-| --- | --- |
-| In the Partner Center, does the Tenant ID need to be provided with every device file upload? Is it needed to allow the business customer to access their devices in Microsoft Store for Business (MSfB)? | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be reused with future device uploads. |
-| How does the customer or tenant know that their devices are ready to be claimed in MSfB? | After the device file upload is completed in the Partner Center, the tenant can see the devices available for Windows Autopilot setup in MSfB. The OEM needs to advise the tenant to access MSfB. Autonotification from MSfB to the tenant is being developed. |
-| How does a customer authorize an OEM or Channel Partner to register Autopilot devices on the customer’s behalf? | Before an OEM or Channel Partner can register a device for Autopilot on behalf of a customer, the customer must first give them consent. The consent process begins with the OEM or Channel Partner sending a link to the customer that directs the customer to a consent page in MSfB. For more information, see [Registration](registration-auth.md). |
-| Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a Cloud Solution Provider (CSP) using the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. |
-| Does Windows Autopilot support removing the option to enable a local administrator account? | Windows Autopilot doesn’t support removing the local admin account. However, it does support restricting the user performing Azure Active Directory (Azure AD) domain join in OOBE to a standard account (versus an administrator account by default).|
-| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account that has access to devices for testing the file. This can be done today in the Partner Center.
For more information, see [Create user accounts and set permissions](https://msdn.microsoft.com/partner-center/create-user-accounts-and-set-permissions). |
-| Must I become a CSP to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. |
-| Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority and access:
1. Direct CSP: Gets direct authorization from the customer to register devices.
2. Indirect CSP Provider: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.
3. Indirect CSP Reseller: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which means that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. |
-
-
-## Manufacturing
-
-| Question | Answer |
-| --- | --- |
-| What changes need to be made in the factory OS image for customer configuration settings? |No changes are required on the factory floor to enable Windows Autopilot deployment. |
-| What version of the OA3 tool meets Windows Autopilot deployment requirements? | Windows Autopilot can work with any version of the OA3 tool. We recommend using a supported version of Windows 10 semi-annual channel to generate the 4K hardware hash. |
-| At the time of placing an order, do customers need to be state whether they want it with or without Windows Autopilot options? | Yes, if they want Windows Autopilot, they will want a supported version of Windows 10 semi-annual channel. Also, they will want to receive the CSV file or have the file upload (that is, registration) completed on their behalf. |
-| Does the OEM need to manage or collect any custom imaging files from customers and perform any image uploads to Microsoft? | No change, OEMs just send the CBRs as usual to Microsoft. No images are sent to Microsoft to enable Windows Autopilot. Windows Autopilot only customizes OOBE and allows policy configurations (disables admin account, for example). |
-| Are there any customer impacts to upgrading from Windows 8 to Windows 10? | The devices must be running a supported version of Windows 10 semi-annual channel to enroll in Windows Autopilot deployment. Otherwise, there are no impacts. |
-| Will there be any change to the existing CBR with 4K hardware hash? | No. |
-| What new information needs to be sent from the OEM to Microsoft? | Nothing, unless the OEM opts to register the device on the customer’s behalf, in which case they would upload the device ID using a CSV file into Microsoft Partner Center, or use the OEM Direct API. |
-| Is there a contract or amendment for an OEM to participate in Windows Autopilot Deployment? | No. |
-
-## CSV schema
-
-| Question | Answer |
-| --- | --- |
-| Can a comma be used in the CSV file? | No. |
-| What error messages can a user expect to see in the Partner Center or MSfB when uploading a file? | See the In Microsoft Store for Business section of this guide. |
-| Is there a limit to the number of devices that can be listed in the CSV file? | Yes, the CSV file can only contain 1,000 devices to apply to a single profile. If more than 1,000 devices need to be applied to a profile, the devices need to be uploaded through multiple CSV files. |
-| Does Microsoft have any recommendations on how an OEM should provide the CSV file to their customers? | We recommend encrypting the CSV file when sending to the business customer to self-register their Windows Autopilot devices (either through MPC, MSfB, or Intune). |
-
-
-## Hardware hash
-
-| Question | Answer |
-| --- | --- |
-| Must every hardware hash submitted by the OEM contain the SMBIOS UUID (universally unique identifier), MAC (media access control) address, and unique disk serial number (if using Windows 10 OEM Activation 3.0 tool)? | Yes. Since Windows Autopilot is based on the ability to uniquely identify devices applying for cloud configuration, it is critical to submit hardware hashes that meet the outlined requirement. |
-| What is the reason for needing the SMBIOS UUID, MAC Address, and Disk Serial Number in the hardware hash details? | For creating the hardware hash, these are the fields that are needed to identify a device, as parts of the device are added or removed. Since we don’t have a unique identifier for Windows devices, this is the best logic to identify a device. |
-| What is difference between OA3 hardware hash, 4K hardware hash, and Windows Autopilot hardware hash? | None. They’re different names for the same thing. The OA3 tool output is called the OA3 Hash, which is 4K in size, which is usable for the Windows Autopilot deployment scenario. Note: When using an older, unsupported Windows version OA3Tool, you get a different sized Hash, which may not be used for Windows Autopilot deployment. |
-| What is the thought around parts replacement and repair for the NIC (network interface controller) and Disk? Will the hardware hash become invalid? | Yes. If you replace parts, you need to gather the new hardware hash, though it depends on what is replaced, and the characteristics of the parts. For example, if you replace the TPM or motherboard, it’s a new device and you must have new hardware hash. If you replace one network card, it’s probably not a new device, and the device will function with the old hardware hash. However, as a best practice, you should assume the old hardware hash is invalid and get a new hardware hash after any hardware changes. This is recommended anytime you replace parts. |
-
-## Motherboard replacement
-
-| Question | Answer |
-| --- | --- |
-| How does Autopilot handle motherboard replacement scenarios? | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image, as is the case today.
To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K hardware hash (or device ID).
**Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K hardware hash information using a CSV file to customer, and let customer reregister the device using MSfB or Intune.|
-
-## SMBIOS
-
-| Question | Answer |
-| --- | --- |
-| Any specific requirement to SMBIOS UUID? | It must be unique as specified in the Windows 10 hardware requirements. |
-| What is the requirement on the SMBIOS table to meet the Windows Autopilot hardware hash need? | It must meet all the Windows 10 hardware requirements. Additional details may be found [here](https://msdn.microsoft.com/library/jj128256(v=vs.85).aspx). |
-| If the SMBIOS supports UUID and Serial Number, is it enough for the OA3 tool to generate the hardware hash? | No. At a minimum, the following SMBIOS fields need to be populated with unique values: ProductKeyID SmbiosSystemManufacturer SmbiosSystemProductName SmbiosSystemSerialNumber SmbiosSkuNumber SmbiosSystemFamily MacAddress SmbiosUuid DiskSerialNumber TPM EkPub |
-
-## Technical interface
-
-| Question | Answer |
-| --- | --- |
-| What is the interface to get the MAC Address and Disk Serial Number? How does the OA tool get MAC and Disk Serial #? | Disk serial number is found from IOCTL_STORAGE_QUERY_PROPERTY with StorageDeviceProperty/PropertyStandardQuery. Network MAC address is IOCTL_NDIS_QUERY_GLOBAL_STATS from OID_802_3_PERMANENT_ADDRESS. However the method for performing this operation varies depending on the scenario. |
-| Follow up clarification: If we have 2-3 MACs on the system, how does OA Tool choose which MAC Address and Disk Serial Number are on the system since there are multiple instances of each? If a platform has LAN And WLAN, which MAC is chosen? | In short, all available values are used. In detail, there may be specific usage rules. The system disk serial number is more important than the other disks available. Network interfaces that are removable should not be used if detected as they are removable. LAN vs WLAN should not matter, as both will be used. |
-
-## The end-user experience
-
-|Question|Answer|
-|----|-----|
-|How do I know that I received Autopilot?|You can tell that you received Windows Autopilot (as in the device received a configuration but has not yet applied it) when you skip the selection page (as seen below), and are immediately taken to a generic or customized sign-in page.|
-|Windows Autopilot didn’t work, what do I do now?| Questions and actions to assist in troubleshooting: Did a screen not get skipped? Did a user end up as an admin when configured not to? Remember that Azure AD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin Collection information: run licensingdiag.exe and send the .cab (Cabinet) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from Windows Performance Recorder (WPR). Often in these cases, users are not signing into the right Azure AD tenant, or are creating local user accounts. For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). |
-| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? |No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is reimaged or reset, the new profile settings will take effect the next time the device goes through OOBE.|
-|What is the experience if a device isn’t registered or if an IT Admin doesn’t configure Windows Autopilot prior to an end user attempting to self-deploy? |If the device isn’t registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will not be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience. The IT Admin would then have to manually enroll that device into the MDM, after which the next time that device is reset, it will go through the Windows Autopilot OOBE experience.|
-|Why didn't I receive a customized sign-in screen during Autopilot? |Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience.|
-|What happens if a device is registered with Azure AD but does not have a Windows Autopilot profile assigned? |The regular Azure AD OOBE will occur since no Windows Autopilot profile was assigned to the device.|
-|How can I collect logs on Autopilot?|The best way to collect logs on Windows Autopilot performance is to collect a WPR trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request.|
-
-## MDM
-
-| Question | Answer |
-| --- | --- |
-| Must we use Intune for our MDM? | No, any MDM will work with Autopilot, but others probably won’t have the same full suite of Windows Autopilot features as Intune. You’ll get the best experience from Intune. |
-| Can Intune support Win32 app preinstalls? | Yes. Starting with the Windows 10 October Update (version 1809), Intune supports Win32 apps using .msi (and .msix) wrappers. |
-| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premises configuration tool like Microsoft Endpoint Configuration Manager. You only need to use the Configuration Manager if Intune can’t support what you want to do with your profile. If you choose to co-manage using Intune + Configuration Manager, you do it by including a Configuration Manager agent in your Intune profile. When that profile is pushed to the device, the device will see the Configuration Manager agent and go out to the Configuration Manager to pull down any additional profile settings. |
-| Must we use Microsoft Endpoint Configuration Manager for Windows Autopilot | No. Co-management (described above) is optional. |
-
-
-## Features
-
-| Question | Answer |
-| --- | --- |
-| Self-deploying mode | A new version of Windows Autopilot where the user only turns on the device, and nothing else. It’s useful for scenarios where a standard user account isn’t needed (for example, shared devices, or KIOSK devices). |
-| Hybrid Azure Active Directory join | Allows Windows Autopilot devices to connect to an on-premises Active Directory domain controller (in addition to being Azure AD joined). |
-| Windows Autopilot reset | Removes user apps and settings from a device, but maintains Azure AD domain join and MDM enrollment. Useful for when transferring a device from one user to another. |
-| Personalization | Adds the following to the OOBE experience: A personalized welcome message can be created. A username hint can be added Sign-in page text can be personalized. The company’s logo can be included |
-| [Autopilot for existing devices](existing-devices.md) | Offers an upgrade path to Windows Autopilot for all existing Windows 7- and Windows 8-based devices. |
-
-
-
-## General
-
-|Question|Answer
-|------------------|-----------------|
-|If I wipe the machine and restart, will I still receive Windows Autopilot?|Yes, if the device is still registered for Windows Autopilot and is running a supported version of Windows 10 semi-annual channel, it will receive the Windows Autopilot experience.|
-|Can I harvest the device fingerprint on existing machines?|Yes, if the device is running a supported version of Windows 10 semi-annual channel, you can harvest device fingerprints for registration. There are no plans to backport the functionality to legacy releases and no way to harvest them on devices running unsupported versions of Windows.|
-|Is Windows Autopilot supported on other SKUs, for example, Surface Hub, HoloLens, Windows Mobile.|No, Windows Autopilot isn’t supported on other SKUs.|
-|Does Windows Autopilot work after MBR or image reinstallation?|Yes.|
-| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. |There are limits to the number of devices a particular Azure AD user can enroll in Azure AD, as well as the number of devices that are supported per user in Intune. (These are configurable but not infinite.) You’ll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots.|
-|What happens if a device is registered to a malicious agent? |By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile using the Azure AD sign-in process. What occurs is illustrated below. If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through Azure AD to the proper Azure AD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular Azure AD OOBE will occur.|
-|Where is the Windows Autopilot data stored? |Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the Azure AD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot.|
-|Why is Windows Autopilot data stored in the US and not in a sovereign cloud?|It is not customer data that we store, but business data that enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service at any time, and, in that event, the business data is removed by Microsoft.|
-|How many ways are there to register a device for Windows Autopilot|There are six ways to register a device, depending on who is doing the registering:
1. OEM Direct API (only available to TVOs) 2. MPC using the MPC API (must be a CSP) 3. MPC using manual upload of CSV file in the UI (must be a CSP) 4. MSfB using CSV file upload 5. Intune using CSV file upload 6. Microsoft 365 Business portal using CSV file upload|
-|How many ways are there to create a Windows Autopilot profile?|There are four ways to create and assign a Windows Autopilot profile:
1. Through MPC (must be a CSP) 2. Through MSfB 3. Through Intune (or another MDM) 4. Microsoft 365 Business portal
Microsoft recommends creation and assignment of profiles through Intune. |
-| What are some common causes of registration failures? |1. Bad or missing hardware hash entries can lead to faulty registration attempts 2. Hidden special characters in CSV files.
To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.|
-| Is Autopilot supported on IoT devices? | Autopilot is not supported on IoT Core devices, and there are currently no plans to add this support. Autopilot is supported on Windows 10 IoT Enterprise SAC devices. Autopilot is supported on Windows 10 Enterprise LTSC 2019 and above; it is not supported on earlier versions of LTSC.|
-| Is Autopilot supported in all regions/countries? | Autopilot only supports customers using global Azure. Global Azure does not include the three entities listed below: - Azure Germany - Azure China 21Vianet - Azure Government So, if a customer is set up in global Azure, there are no region restrictions. For example, if Contoso uses global Azure but has employees working in China, the Contoso employees working in China would be able to use Autopilot to deploy devices. If Contoso uses Azure China 21Vianet, the Contoso employees would not be able to use Autopilot.|
-| I need to register a device that's been previously registered to another organisation. | Partners registering devices through partner center can also deregister the device if it's moving between different customer tenants. If this isn't possible, as a last resort you can raise a ticket through the Intune "Help and Support" node and our support teams will assist you. |
-
-## Glossary
-
-| Term | Meaning |
-| --- | --- |
-| CSV | Comma Separated Values (File type similar to Excel spreadsheet) |
-| MPC | Microsoft Partner Center |
-| MDM | Mobile Device Management |
-| OEM | Original Equipment Manufacturer |
-| CSP | Cloud Solution Provider |
-| MSfB | Microsoft Store for Business |
-| Azure AD | Azure Active Directory |
-| 4K HH | 4K hardware hash |
-| CBR | Computer Build Report |
-| EC | Enterprise Commerce |
-| DDS | Device Directory Service |
-| OOBE | Out of the Box Experience |
-| UUID | Universally Unique Identifier |
diff --git a/windows/deployment/windows-autopilot/autopilot-mbr.md b/windows/deployment/windows-autopilot/autopilot-mbr.md
deleted file mode 100644
index 28c376ab92..0000000000
--- a/windows/deployment/windows-autopilot/autopilot-mbr.md
+++ /dev/null
@@ -1,421 +0,0 @@
----
-title: Windows Autopilot motherboard replacement
-ms.reviewer:
-manager: laurawi
-description: Windows Autopilot deployment MBR scenarios
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot motherboard replacement scenario guidance
-
-**Applies to**
-
-- Windows 10
-
-This document offers guidance for Windows Autopilot device repair scenarios that Microsoft partners can use in Motherboard Replacement (MBR) situations, and other servicing scenarios.
-
-Repairing Autopilot enrolled devices is complex, as it tries to balance OEM requirements with Windows Autopilot requirements. Specifically, OEM’s require strict uniqueness across motherboards, MAC addresses, etc., while Windows Autopilot requires strict uniqueness at the Hardware ID level for each device to enable successful registration. The Hardware ID does not always accommodate all the OEM hardware component requirements, thus these requirements are sometimes at odds, causing issues with some repair scenarios.
-
-**Motherboard Replacement (MBR)**
-
-If a motherboard replacement is needed on a Windows Autopilot device, the following process is recommended:
-
-1. [Deregister the device](#deregister-the-autopilot-device-from-the-autopilot-program) from Windows Autopilot
-2. [Replace the motherboard](#replace-the-motherboard)
-3. [Capture a new device ID (4K HH)](#capture-a-new-autopilot-device-id-4k-hh-from-the-device)
-4. [Reregister the device](#reregister-the-repaired-device-using-the-new-device-id) with Windows Autopilot
-5. [Reset the device](#reset-the-device)
-6. [Return the device](#return-the-repaired-device-to-the-customer)
-
-Each of these steps is described below.
-
-## Deregister the Autopilot device from the Autopilot program
-
-Before the device arrives at the repair facility, it must be deregistered by the entity that registered it. Only the entity that registered the device can deregister it. This might be the customer IT Admin, the OEM, or the CSP partner. If the IT Admin registered the device, they likely did so via Intune (or possibly the Microsoft Store for Business). In that case, they should deregister the device from Intune (or MSfB). This is necessary because devices registered in Intune will not show up in MPC. However, if the OEM or CSP partner registered the device, they likely did so via the Microsoft Partner Center (MPC). In that case, they should deregister the device from MPC, which will also remove it from the customer IT Admin’s Intune account. Below, we describe the steps an IT Admin would go through to deregister a device from Intune, and the steps an OEM or CSP would go through to deregister a device from MPC.
-
-**NOTE**: When possible, an OEM or CSP should register Autopilot devices, rather than having the customer do it. This will avoid problems where OEMs or CSPs may not be able to deregister a device if, for example, a customer leasing a device goes out of business before deregistering it themselves.
-
-**EXCEPTION**: If a customer grants an OEM permission to register devices on their behalf via the automated consent process, then an OEM can use the API to deregister devices they didn’t register themselves (instead, the customer registered the devices). But keep in mind that this would only remove those devices from the Autopilot program, it would not disenroll them from Intune or disjoin them from AAD. The customer must do those steps, if desired, through Intune.
-
-### Deregister from Intune
-
-To deregister an Autopilot device from Intune, an IT Admin would:
-
-1. Sign in to their Intune account
-2. Navigate to Intune > Groups > All groups
-3. Remove the desired device from its group
-4. Navigate to Intune > Devices > All devices
-5. Select the checkbox next to the device you want to delete, then click the Delete button on the top menu
-6. Navigate to Intune > Devices > Azure AD devices
-7. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu
-8. Navigate to Intune > Device enrollment > Windows enrollment > Devices
-9. Select the checkbox next to the device you want to deregister
-10. Click the extended menu icon (“…”) on the far right end of the line containing the device you want to deregister in order to expose an additional menu with the option to “unassign user”
-11. Click “Unassign user” if the device was previously assigned to a user; if not, this option will be grayed-out and can be ignored
-12. With the unassigned device still selected, click the Delete button along the top menu to remove this device
-
-**NOTE**: These steps deregister the device from Autopilot, but also unenroll the device from Intune, and disjoin the device from AAD. While it may appear that only deregistering the device from Autopilot is needed, there are certain barriers in place within Intune that necessitate all the steps above be done, which is best practice anyway in case the device gets lost or becomes unrecoverable, to eliminate the possibility of orphaned devices existing in the Autopilot database, or Intune, or AAD. If a device gets into an unrecoverable state, you can contact the appropriate [Microsoft support alias](autopilot-support.md) for assistance.
-
-The deregistration process will take about 15 minutes. You can accelerate the process by clicking the “Sync” button, then “Refresh” the display until the device is no longer present.
-
-More details on deregistering devices from Intune can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group).
-
-### Deregister from MPC
-
-To deregister an Autopilot device from the Microsoft Partner Center (MPC), a CSP would:
-
-1. Log into MPC
-2. Navigate to Customer > Devices
-3. Select the device to be deregistered and click the “Delete device” button
-
-
-
-**NOTE**: Deregistering a device from Autopilot in MPC does only that; it does not also unenroll the device from the MDM (Intune), nor does it disjoin the device from AAD. Therefore, if possible, the OEM/CSP ideally should work with the customer IT Admin to have the device fully removed per the Intune steps in the previous section.
-
-Alternatively, an OEM partner that has integrated the OEM Direct APIs can deregister a device by calling the AutopilotDeviceRegistration API with the TenantID and TenantDomain fields left blank in the request call.
-
-Because the repair facility will not have access to the user’s login credentials, the repair facility will have to reimage the device as part of the repair process. This means that the customer should do three things before sending the device off for repair:
-1. Copy all important data off the device.
-2. Let the repair facility know which version of Windows they should reinstall after the repair.
-3. If applicable, let the repair facility know which version of Office they should reinstall after the repair.
-
-## Replace the motherboard
-
-Technicians replace the motherboard (or other hardware) on the broken device. A replacement DPK is injected.
-
-Repair and key replacement processes vary between facilities. Sometimes repair facilities receive motherboard spare parts from OEMs that have replacement DPKs already injected, but sometimes not. Sometimes repair facilities receive fully-functional BIOS tools from OEMs, but sometimes not. This means that the quality of the data in the BIOS after an MBR varies. To ensure the repaired device will still be Autopilot-capable following its repair, the new (post-repair) BIOS should be able to successfully gather and populate the following information at a minimum:
-
-- DiskSerialNumber
-- SmbiosSystemSerialNumber
-- SmbiosSystemManufacturer
-- SmbiosSystemProductName
-- SmbiosUuid
-- TPM EKPub
-- MacAddress
-- ProductKeyID
-- OSType
-
-**NOTE**: For simplicity, and because processes vary between repair facilities, we have excluded many of the additional steps often used in an MBR, such as:
-- Verify that the device is still functional
-- Disable BitLocker*
-- Repair the Boot Configuration Data (BCD)
-- Repair and verify the network driver operation
-
-*BitLocker can be suspended rather than disabled if the technician has the ability to resume it after the repair.
-
-## Capture a new Autopilot device ID (4K HH) from the device
-
-Repair technicians must sign in to the repaired device to capture the new device ID. Assuming the repair technician does NOT have access to the customer’s login credentials, they will have to reimage the device in order to gain access, per the following steps:
-
-1. The repair technician creates a [WinPE bootable USB drive](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#create-a-bootable-windows-pe-winpe-partition).
-2. The repair technician boots the device to WinPE.
-3. The repair technician [applies a new Windows image to the device](https://docs.microsoft.com/windows-hardware/manufacture/desktop/work-with-windows-images).
-
- **NOTE**: Ideally, the same version of Windows should be reimaged onto the device that was originally on the device, so some coordination will be required between the repair facility and customer to capture this information at the time the device arrives for repair. This might include the customer sending the repair facility a customized image (.ppk file) via a USB stick, for example.
-
-4. The repair technician boots the device into the new Windows image.
-5. Once on the desktop, the repair technician captures the new device ID (4K HH) off the device using either the OA3 Tool or the PowerShell script, as described below.
-
-Those repair facilities with access to the OA3 Tool (which is part of the ADK) can use the tool to capture the 4K Hardware Hash (4K HH).
-
-Alternatively, the [WindowsAutoPilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) can be used to capture the 4K HH by following these steps:
-
-1. Install the script from the [PowerShell Gallery](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) or from the command line (command line installation is shown below).
-2. Navigate to the script directory and run it on the device when the device is either in Full OS or Audit Mode. See the following example.
-
- ```powershell
- md c:\HWID
- Set-Location c:\HWID
- Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
- Install-Script -Name Get-WindowsAutopilotInfo -Force
- Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
- ```
-
->If you are prompted to install the NuGet package, choose **Yes**.
->If, after installing the script you get an error that Get-WindowsAutopilotInfo.ps1 is not found, verify that C:\Program Files\WindowsPowerShell\Scripts is present in your PATH variable.
->If the Install-Script cmdlet fails, verify that you have the default PowerShell repository registered (**Get-PSRepository**) or register the default repository with **Register-PSRepository -Default -Verbose**.
-
-The script creates a .csv file that contains the device information, including the complete 4K HH. Save this file so that you can access it later. The service facility will use this 4K HH to reregister device as described below. Be sure to use the -OutputFile parameter when saving the file, which ensures that file formatting is correct. Do not attempt to pipe the command output to a file manually.
-
-**NOTE**: If the repair facility does not have the ability to run the OA3 tool or PowerShell script to capture the new 4K HH, then the CSP (or OEM) partners must do this for them. Without some entity capturing the new 4K HH, there is no way to reregister this device as an Autopilot device.
-
-
-## Reregister the repaired device using the new device ID
-
-If an OEM is not able to reregister the device, then the repair facility or CSP should reregister the device using MPC, or the customer IT Admin should be advised to reregister the device via Intune (or MSfB). Both ways of reregistering a device are shown below.
-
-### Reregister from Intune
-
-To reregister an Autopilot device from Intune, an IT Admin would:
-1. Sign in to Intune.
-2. Navigate to Device enrollment > Windows enrollment > Devices > Import.
-3. Click the **Import** button to upload a csv file containing the device ID of the device to be reregistered (the device ID was the 4K HH captured by the PowerShell script or OA3 tool described previously in this document).
-
-The following video provides a good overview of how to (re)register devices via MSfB.
-
-> [!VIDEO https://www.youtube.com/embed/IpLIZU_j7Z0]
-
-### Reregister from MPC
-
-To reregister an Autopilot device from MPC, an OEM or CSP would:
-
-1. Sign in to MPC.
-2. Navigate to the Customer > Devices page and click the **Add devices** button to upload the csv file.
-
-
-
-
-In the case of reregistering a repaired device through MPC, the uploaded csv file must contain the 4K HH for the device, and not just the PKID or Tuple (SerialNumber + OEMName + ModelName). If only the PKID or Tuple was used, the Autopilot service would be unable to find a match in the Autopilot database, since no 4K HH info was ever previously submitted for this essentially “new” device, and the upload will fail, likely returning a ZtdDeviceNotFound error. So, again, only upload the 4K HH, not the Tuple or PKID.
-
-**NOTE**: When including the 4K HH in the csv file, you do NOT also need to include the PKID or Tuple. Those columns may be left blank, as shown below:
-
-
-
-## Reset the device
-
-Since the device was required to be in Full OS or Audit Mode to capture the 4K HH, the repair facility must reset the image back to a pre-OOBE state before returning it to the customer. One way this can be accomplished is by using the built-in reset feature in Windows, as follows:
-
-On the device, go to Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Finally, click on Reset.
-
-
-
-However, it’s likely the repair facility won’t have access to Windows because they lack the user credentials to sign in, in which case they need to use other means to reimage the device, such as the [Deployment Image Servicing and Management tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#use-a-deployment-script-to-apply-your-image).
-
-## Return the repaired device to the customer
-
-After completing the previous steps, the repaired device can now be returned to the customer, and will be auto-enrolled into the Autopilot program on first boot-up during OOBE.
-
-**NOTE**: If the repair facility did NOT reimage the device, they could be sending it back in a potentially broken state (e.g., there’s no way to log into the device because it’s been dissociated from the only known user account), in which case they should tell the organization that they need to fix the registration and OS themselves.
-
-**IMPORTANT**: A device can be “registered” for Autopilot prior to being powered-on, but the device isn’t actually “deployed” to Autopilot (i.e., enabled as an Autopilot device) until it goes through OOBE, which is why resetting the device back to a pre-OOBE state is a required step.
-
-## Specific repair scenarios
-
-This section covers the most common repair scenarios, and their impact on Autopilot enablement.
-
-NOTES ON TEST RESULTS:
-
-- Scenarios below were tested using Intune only (no other MDMs were tested).
-- In most test scenarios below, the repaired and reregistered device needed to go through OOBE again for Autopilot to be enabled.
-- Motherboard replacement scenarios often result in lost data, so repair centers or customers should be reminded to back up data (if possible) prior to repair.
-- In the cases where a repair facility does not have the ability to write device info into the BIOS of the repaired device, new processes need to be created to successfully enable Autopilot.
-- Repaired device should have the Product Key (DPK) preinjected in the BIOS before capturing the new 4K HH (device ID)
-
-In the following table:
-- Supported = **Yes**: the device can be reenabled for Autopilot
-- Supported = **No**: the device cannot be reenabled for Autopilot
-
-
-
Scenario
Supported
Microsoft Recommendation
-
Motherboard Replacement (MBR) in general
Yes
The recommended course of action for MBR scenarios is:
-
-1. Autopilot device is deregistered from the Autopilot program
-2. The motherboard is replace
-3. The device is reimaged (with BIOS info and DPK reinjected)*
-4. A new Autopilot device ID (4K HH) is captured off the device
-5. The repaired device is reregistered for the Autopilot program using the new device ID
-6. The repaired device is reset to boot to OOBE
-7. The repaired device is shipped back to the customer
-
-*It’s not necessary to reimage the device if the repair technician has access to the customer’s login credentials. It’s technically possible to do a successful MBR and Autopilot re-enablement without keys or certain BIOS info (e.g., serial #, model name, etc.), but doing so is only recommended for testing/educational purposes.
-
-
MBR when motherboard has a TPM chip (enabled) and only one onboard network card (that also gets replaced)
Yes
-
-1. Deregister damaged device
-2. Replace motherboard
-3. Reimage device (to gain access), unless you have access to customers’ login credentials
-4. Write device info into BIOS
-5. Capture new 4K HH
-6. Reregister repaired device
-7. Reset device back to OOBE
-8. Go through Autopilot OOBE (customer)
-9. Autopilot successfully enabled
-
-
MBR when motherboard has a TPM chip (enabled) and a second network card (or network interface) that is not replaced along with the motherboard
No
This scenario is not recommended, as it breaks the Autopilot experience, because the resulting Device ID will not be stable until after TPM attestation has completed, and even then registration may give incorrect results because of ambiguity with MAC Address resolution.
-
MBR where the NIC card, HDD, and WLAN all remain the same after the repair
Yes
-
-1. Deregister damaged device
-2. Replace motherboard (with new RDPK preinjected in BIOS)
-3. Reimage device (to gain access), unless you have access to customers’ login credentials
-4. Write old device info into BIOS (same s/n, model, etc.)*
-5. Capture new 4K HH
-6. Reregister repaired device
-7. Reset device back to OOBE
-8. Go through Autopilot OOBE (customer)
-9. Autopilot successfully enabled
-
-*Note that for this and subsequent scenarios, rewriting old device info would not include the TPM 2.0 endorsement key, as the associated private key is locked to the TPM device
-
-
MBR where the NIC card remains the same, but the HDD and WLAN are replaced
Yes
-
-1. Deregister damaged device
-2. Replace motherboard (with new RDPK preinjected in BIOS)
-3. Insert new HDD and WLAN
-4. Write old device info into BIOS (same s/n, model, etc.)
-5. Capture new 4K HH
-6. Reregister repaired device
-7. Reset device back to OOBE
-8. Go through Autopilot OOBE (customer)
-9. Autopilot successfully enabled
-
-
MBR where the NIC card and WLAN remains the same, but the HDD is replaced
Yes
-
-1. Deregister damaged device
-2. Replace motherboard (with new RDPK preinjected in BIOS)
-3. Insert new HDD
-4. Write old device info into BIOS (same s/n, model, etc.)
-5. Capture new 4K HH
-6. Reregister repaired device
-7. Reset device back to OOBE
-8. Go through Autopilot OOBE (customer)
-9. Autopilot successfully enabled
-
-
MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that had NOT been Autopilot-enabled before.
Yes
-
-1. Deregister damaged device
-2. Replace motherboard (with new RDPK preinjected in BIOS)
-3. Reimage device (to gain access), unless you have access to customers’ login credentials
-4. Write old device info into BIOS (same s/n, model, etc.)
-5. Capture new 4K HH
-6. Reregister repaired device
-7. Reset device back to OOBE
-8. Go through Autopilot OOBE (customer)
-9. Autopilot successfully enabled
-
-
MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that HAD been Autopilot-enabled before.
Yes
-
-1. Deregister old device from which MB will be taken
-2. Deregister damaged device (that you want to repair)
-3. Replace motherboard in repair device with MB from other Autopilot device (with new RDPK preinjected in BIOS)
-4. Reimage device (to gain access), unless you have access to customers’ login credentials
-5. Write old device info into BIOS (same s/n, model, etc.)
-6. Capture new 4K HH
-7. Reregister repaired device
-8. Reset device back to OOBE
-9. Go through Autopilot OOBE (customer)
-10. Autopilot successfully enabled
-
-NOTE: The repaired device can also be used successfully as a normal, non-Autopilot device.
-
-
BIOS info excluded from MBR device
No
Repair facility does not have BIOS tool to write device info into BIOS after MBR.
-
-1. Deregister damaged device
-2. Replace motherboard (BIOS does NOT contain device info)
-3. Reimage and write DPK into image
-4. Capture new 4K HH
-5. Reregister repaired device
-6. Create Autopilot profile for device
-7. Go through Autopilot OOBE (customer)
-8. Autopilot FAILS to recognize repaired device
-
-
MBR when there is no TPM chip
Yes
Though we do not recommend enabling Autopilot devices without a TPM chip (which is recommended for BitLocker encryption), it is possible to enable an Autopilot device in “standard user” mode (but NOT Self-deploying mode) that does not have a TPM chip. In this case, you would:
-
-1. Deregister damaged device
-2. Replace motherboard
-3. Reimage device (to gain access), unless you have access to customers’ login credentials
-4. Write old device info into BIOS (same s/n, model, etc.)
-5. Capture new 4K HH
-6. Reregister repaired device
-7. Reset device back to OOBE
-8. Go through Autopilot OOBE (customer)
-9. Autopilot successfully enabled
-
-
New DPK written into image on repaired Autopilot device with a new MB
Yes
Repair facility replaces normal MB on damaged device. MB does not contain any DPK in the BIOS. Repair facility writes DPK into image after MBR.
-
-1. Deregister damaged device
-2. Replace motherboard – BIOS does NOT contain DPK info
-3. Reimage device (to gain access), unless you have access to customers’ login credentials
-4. Write device info into BIOS (same s/n, model, etc.)
-5. Capture new 4K HH
-6. Reset or reimage device to pre-OOBE and write DPK into image
-7. Reregister repaired device
-8. Go through Autopilot OOBE
-9. Autopilot successfully enabled
-
-
New Repair Product Key (RDPK)
Yes
Using a motherboard with a new RDPK preinjected results in a successful Autopilot refurbishment scenario.
-
-1. Deregister damaged device
-2. Replace motherboard (with new RDPK preinjected in BIOS)
-3. Reimage or rest image to pre-OOBE
-4. Write device info into BIOS
-5. Capture new 4K HH
-6. Reregister repaired device
-7. Reimage or reset image to pre-OOBE
-8. Go through Autopilot OOBE
-9. Autopilot successfully enabled
-
-
No Repair Product Key (RDPK) injected
No
This scenario violates Microsoft policy and breaks the Windows Autopilot experience.
-
Reimage damaged Autopilot device that was not deregistered prior to repair
Yes, but the device will still be associated with previous tenant ID, so should only be returned to same customer
-
-1. Reimage damaged device
-2. Write DPK into image
-3. Go through Autopilot OOBE
-4. Autopilot successfully enabled (to previous tenant ID)
-
-
Disk replacement from a non-Autopilot device to an Autopilot device
Yes
-
-1. Do not deregister damaged device prior to repair
-2. Replace HDD on damaged device
-3. Reimage or reset image back to OOBE
-4. Go through Autopilot OOBE (customer)
-5. Autopilot successfully enabled (repaired device recognized as its previous self)
-
-
Disk replacement from one Autopilot device to another Autopilot device
Maybe
If the device from which the HDD is taken was itself previously deregistered from Autopilot, then that HDD can be used in a repair device. But if the HDD was never previously deregistered from Autopilot before being used in a repaired device, the newly repaired device will not have the proper Autopilot experience.
-
-Assuming the used HDD was previously deregistered (before being used in this repair):
-
-1. Deregister damaged device
-2. Replace HDD on damaged device using a HDD from another deregistered Autopilot device
-3. Reimage or rest the repaired device back to a pre-OOBE state
-4. Go through Autopilot OOBE (customer)
-5. Autopilot successfully enabled
-
-
Non-Microsoft network card replacement
No
Whether from a non-Autopilot device to an Autopilot device, from one Autopilot device to another Autopilot device, or from an Autopilot device to a non-Autopilot device, any scenario where a 3rd party (not onboard) Network card is replaced will break the Autopilot experience, and is not recommended.
-
A device repaired more than 3 times
No
Autopilot is not supported when a device is repeatedly repaired, so that whatever parts NOT replaced become associated with too many parts that have been replaced, which would make it difficult to uniquely identify that device in the future.
-
Memory replacement
Yes
Replacing the memory on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the memory.
-
GPU replacement
Yes
Replacing the GPU(s) on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the GPU.
-
-
->When scavenging parts from another Autopilot device, we recommend unregistering the scavenged device from Autopilot, scavenging it, and then NEVER REGISTERING THE SCAVENGED DEVICE (AGAIN) FOR AUTOPILOT, because reusing parts this way may cause two active devices to end up with the same ID, with no possibility of distinguishing between the two.
-
-**NOTE**: The following parts may be replaced without compromising Autopilot enablement or requiring special additional repair steps:
-- Memory (RAM or ROM)
-- Power Supply
-- Video Card
-- Card Reader
-- Sound card
-- Expansion card
-- Microphone
-- Webcam
-- Fan
-- Heat sink
-- CMOS battery
-
-Other repair scenarios not yet tested and verified include:
-- Daughterboard replacement
-- CPU replacement
-- Wifi replacement
-- Ethernet replacement
-
-## FAQ
-
-| Question | Answer |
-| --- | --- |
-| If we have a tool that programs product information into the BIOS after the MBR, do we still need to submit a CBR report for the device to be Autopilot-capable? | No. Not if the in-house tool writes the minimum necessary information into the BIOS that the Autopilot program looks for to identify the device, as described earlier in this document. |
-| What if only some components are replaced rather than the full motherboard? | While it’s true that some limited repairs do not prevent the Autopilot algorithm from successfully matching the post-repair device with the pre-repair device, it is best to ensure 100% success by going through the MBR steps above even for devices that only needed limited repairs. |
-| How does a repair technician gain access to a broken device if they don’t have the customer’s login credentials? | The technician will have to reimage the device and use their own credentials during the repair process. |
-
-## Related topics
-
-[Device guidelines](autopilot-device-guidelines.md)
diff --git a/windows/deployment/windows-autopilot/autopilot-support.md b/windows/deployment/windows-autopilot/autopilot-support.md
deleted file mode 100644
index 762aab67e5..0000000000
--- a/windows/deployment/windows-autopilot/autopilot-support.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: Windows Autopilot support
-description: Find out who to contact for help with your Windows Autopilot installation.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: low
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.reviewer:
-manager: laurawi
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Windows Autopilot support information
-
-**Applies to: Windows 10**
-
-The following table displays support information for the Windows Autopilot program.
-
-Before contacting the resources listed below for Windows Autopilot-related issues, check the [Windows Autopilot FAQ](autopilot-faq.md).
-
-| Audience | Support contact |
-|------------|---------------------------------------|
-| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. |
-| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority: Low – 120 hours Normal – 72 hours High – 24 hours Immediate – 4 hours |
-| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. |
-| End-user | Contact your IT administrator. |
-| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. |
-| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. |
-| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). |
-| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. |
-| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. |
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/autopilot-update.md b/windows/deployment/windows-autopilot/autopilot-update.md
deleted file mode 100644
index db4094b8a8..0000000000
--- a/windows/deployment/windows-autopilot/autopilot-update.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Windows Autopilot update
-ms.reviewer:
-manager: laurawi
-description: Windows Autopilot update
-keywords: Autopilot, update, Windows 10
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-ms.localizationpriority: medium
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot update
-
-**Applies to**
-
-- Windows 10, version 1903
-
-Windows Autopilot update enables you to get the latest Autopilot features and critical issue fixes without the need to move to latest Windows OS version. With Autopilot update, organizations can keep their current OS version and still benefit from new Autopilot features and bug fixes.
-
-During the Autopilot deployment process, Windows Autopilot update has been added as a new node after the critical [Windows Zero Day Patch (ZDP) update](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) check. During the update process, Windows Autopilot devices reach out to Windows Update to check for a new Autopilot update. If there is an Autopilot update available, the device will download and install the update, then restart automatically. See the following example.
-
- 
- 
- 
-
-The following diagram illustrates a typical Windows Autopilot deployment orchestration during the Out of Box Experience (OOBE) with the new Windows Autopilot update node.
-
- 
-
-## Release cadence
-
-- When an Autopilot update is available, it is typically released on the 4th Tuesday of the month. The update could be released on a different week if there is an exception.
-- A knowledge base (KB) article will also be published to document the changes that are included in the update.
-
-For a list of released updates, see [Autopilot update history](windows-autopilot-whats-new.md#windows-autopilot-update-history).
-
-## See also
-
-[Windows Update during OOBE](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe)
-[What's new in Windows Autopilot](windows-autopilot-whats-new.md)
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/bitlocker.md b/windows/deployment/windows-autopilot/bitlocker.md
deleted file mode 100644
index 542243d569..0000000000
--- a/windows/deployment/windows-autopilot/bitlocker.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Setting the BitLocker encryption algorithm for Autopilot devices
-ms.reviewer:
-manager: laurawi
-description: Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows 10 devices.
-keywords: Autopilot, BitLocker, encryption, 256-bit, Windows 10
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-ms.localizationpriority: medium
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Setting the BitLocker encryption algorithm for Autopilot devices
-
-**Applies to**
-
-- Windows 10
-
-With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encryption algorithm isn't applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins.
-
-The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit, or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use.
-
-To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices:
-
-1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
-2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group.
- - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
-3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices.
- - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.
-
-An example of Microsoft Intune Windows Encryption settings is shown below.
-
- 
-
-**Note**: A device that is encrypted automatically will need to be decrypted prior to changing the encryption algorithm.
-
-The settings are available under Device Configuration -> Profiles -> Create profile -> Platform = Windows 10 and later, Profile type = Endpoint protection -> Configure -> Windows Encryption -> BitLocker base settings, Configure encryption methods = Enable.
-
-**Note**: It is also recommended to set Windows Encryption -> Windows Settings -> Encrypt = **Require**.
-
-## Requirements
-
-Windows 10, version 1809 or later.
-
-## See also
-
-[BitLocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)
diff --git a/windows/deployment/windows-autopilot/deployment-process.md b/windows/deployment/windows-autopilot/deployment-process.md
deleted file mode 100644
index 6723d50e35..0000000000
--- a/windows/deployment/windows-autopilot/deployment-process.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-title: Windows 10 deployment process posters
-description: View and download Windows 10 deployment process flows for Microsoft Endpoint Configuration Manager and Windows Autopilot.
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
-author: greg-lindsay
-keywords: upgrade, in-place, configuration, deploy
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Windows Autopilot deployment process
-
-**Applies to**
-- Windows 10
-
-Windows Autopilot deployment processes are summarized in the poster below. The poster is two pages in portrait mode (11x17). Click the image below to view a PDF in your browser.
-
-[](../media/Windows10AutopilotFlowchart.pdf)
-
-**Note**: The Windows Autopilot for existing devices process is included in the [Microsoft Endpoint Configuration Manager deployment poster](../windows-10-deployment-posters.md#deploy-windows-10-with-microsoft-endpoint-configuration-manager).
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/dfci-management.md b/windows/deployment/windows-autopilot/dfci-management.md
deleted file mode 100644
index 550420a264..0000000000
--- a/windows/deployment/windows-autopilot/dfci-management.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: DFCI Management
-ms.reviewer:
-manager: laurawi
-description: With Windows Autopilot Deployment and Intune, you can manage UEFI (BIOS) settings after they're enrolled by using the Device Firmware Configuration Interface (DFCI)
-keywords: Autopilot, DFCI, UEFI, Windows 10
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-ms.localizationpriority: medium
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# DFCI Management
-
-**Applies to**
-
-- Windows 10
-
-With Windows Autopilot Deployment and Intune, you can manage Unified Extensible Firmware Interface (UEFI) settings after they're enrolled by using the Device Firmware Configuration Interface (DFCI). DFCI [enables Windows to pass management commands](https://docs.microsoft.com/windows/client-management/mdm/uefi-csp) from Intune to UEFI to Autopilot deployed devices. This allows you to limit end user's control over BIOS settings. For example, you can lock down the boot options to prevent users from booting up another OS, such as one that doesn't have the same security features.
-
-If a user reinstalls a previous Windows version, install a separate OS, or format the hard drive, they can't override DFCI management. This feature can also prevent malware from communicating with OS processes, including elevated OS processes. DFCI’s trust chain uses public key cryptography, and doesn't depend on local UEFI password security. This layer of security blocks local users from accessing managed settings from the device’s UEFI menus.
-
-For an overview of DFCI benefits, scenarios, and prerequisites, see [Device Firmware Configuration Interface (DFCI) Introduction](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Dfci_Feature/).
-
-## DFCI management lifecycle
-
-The DFCI management lifecycle can be viewed as UEFI integration, device registration, profile creation, enrollment, management, retirement, and recovery. See the following figure.
-
- 
-
-## Requirements
-
-- Windows 10, version 1809 or later and a supported UEFI is required.
-- The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or as a firmware update that you install. Work with your device vendors to determine the [manufacturers that support DFCI](#oems-that-support-dfci), or the firmware version needed to use DFCI.
-- The device must be managed with Microsoft Intune. For more information, see [Enroll Windows devices in Intune using Windows Autopilot](https://docs.microsoft.com/intune/enrollment/enrollment-autopilot).
-- The device must be registered for Windows Autopilot by a [Microsoft Cloud Solution Provider (CSP) partner](https://partner.microsoft.com/membership/cloud-solution-provider), or registered directly by the OEM.
-
->[!IMPORTANT]
->Devices manually registered for Autopilot (such as by [importing from a csv file](https://docs.microsoft.com/intune/enrollment/enrollment-autopilot#add-devices)) are not allowed to use DFCI. By design, DFCI management requires external attestation of the device’s commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot. When your device is registered, its serial number is displayed in the list of Windows Autopilot devices.
-
-## Managing DFCI profile with Windows Autopilot
-
-There are four basic steps in managing DFCI profile with Windows Autopilot:
-
-1. Create an Autopilot Profile
-2. Create an Enrollment status page profile
-3. Create a DFCI profile
-4. Assign the profiles
-
-See [Create the profiles](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows#create-the-profiles) and [Assign the profiles, and reboot](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows#assign-the-profiles-and-reboot) for details.
-
-You can also [change existing DFCI settings](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows#update-existing-dfci-settings) on devices that are in use. In your existing DFCI profile, change the settings and save your changes. Since the profile is already assigned, the new DFCI settings take effect when next time the device syncs or the device reboots.
-
-## OEMs that support DFCI
-
-- [Microsoft Surface](https://docs.microsoft.com/surface/surface-manage-dfci-guide)
-
-Additional OEMs are pending.
-
-## See also
-
-[Microsoft DFCI Scenarios](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Scenarios/DfciScenarios/)
-[Windows Autopilot and Surface devices](https://docs.microsoft.com/surface/windows-autopilot-and-surface-devices)
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md
deleted file mode 100644
index 11a393eada..0000000000
--- a/windows/deployment/windows-autopilot/enrollment-status.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: Windows Autopilot Enrollment Status Page
-ms.reviewer:
-manager: laurawi
-description: Gives an overview of the Enrollment Status Page capabilities, configuration
-keywords: Autopilot Plug and Forget, Windows 10
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-ms.localizationpriority: medium
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot Enrollment Status Page
-
-**Applies to**
-
-- Windows 10, version 1803 and later
-
-The Enrollment Status Page (ESP) displays the status of the complete device configuration process when an MDM managed user signs into a device for the very first time. The ESP will help users understand the progress of device provisioning and ensures the device has met the organizations desired state before the user can access the desktop for the first time.
-
-The ESP will track the installation of applications, security policies, certificates and network connections. Within Intune, an administrator can deploy ESP profiles to a licensed Intune user and configure specific settings within the ESP profile; a few of these settings are: force the installation of specified applications, allow users to collect troubleshooting logs, specify what a user can do if device setup fails. For more information, see how to set up the [Enrollment Status Page in Intune](https://docs.microsoft.com/intune/windows-enrollment-status).
-
- 
-
-
-## More information
-
-For more information on configuring the Enrollment Status Page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
-For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP documentation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
-For more information about blocking for app installation:
-- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/).
-- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514).
diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md
deleted file mode 100644
index 2ea6052a20..0000000000
--- a/windows/deployment/windows-autopilot/existing-devices.md
+++ /dev/null
@@ -1,324 +0,0 @@
----
-title: Windows Autopilot for existing devices
-description: Modern desktop deployment with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Windows Autopilot for existing devices
-
-**Applies to: Windows 10**
-
-Modern desktop deployment with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away.
-
-This topic describes how to convert Windows 7 or Windows 8.1 domain-joined computers to Windows 10 devices joined to either Azure Active Directory or Active Directory (Hybrid Azure AD Join) by using Windows Autopilot.
-
->[!NOTE]
->Windows Autopilot for existing devices only supports user-driven Azure Active Directory and Hybrid Azure AD profiles. Self-deploying profiles are not supported.
-
-## Prerequisites
-
-- A currently supported version of Microsoft Endpoint Configuration Manager current branch or technical preview branch.
-- The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later
- - For more information on Configuration Manager support, see [Support for Windows 10 ADK](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10#windows-10-adk).
-- Assigned Microsoft Intune Licenses
-- Azure Active Directory Premium
-- Windows 10 version 1809 or later imported into Configuration Manager as an Operating System Image
- - **Important**: See [Known issues](known-issues.md) if you are using Windows 10 1903 with Configuration Manager’s built-in **Windows Autopilot existing device** task sequence template. Currently, one of the steps in this task sequence must be edited to work properly with Windows 10, version 1903.
-
-## Procedures
-
-### Configure the Enrollment Status Page (optional)
-
-If desired, you can set up an [enrollment status page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) for Autopilot using Intune.
-
-To enable and configure the enrollment and status page:
-
-1. Open [Intune in the Azure portal](https://aka.ms/intuneportal).
-2. Access **Intune > Device enrollment > Windows enrollment** and [Set up an enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status).
-3. Access **Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune** and [Configure automatic MDM enrollment](https://docs.microsoft.com/configmgr/mdm/deploy-use/enroll-hybrid-windows#enable-windows-10-automatic-enrollment) and configure the MDM user scope for some or all users.
-
-See the following examples.
-
-
-
-
-### Create the JSON file
-
->[!TIP]
->To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616).
-
-1. On an Internet connected Windows PC or server, open an elevated Windows PowerShell command window
-2. Enter the following lines to install the necessary modules
-
- #### Install required modules
-
- ```powershell
- Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
- Install-Module AzureAD -Force
- Install-Module WindowsAutopilotIntune -Force
- Install-Module Microsoft.Graph.Intune -Force
- ```
-
-3. Enter the following lines and provide Intune administrative credentials
- - Be sure that the user account you specify has sufficient administrative rights.
-
- ```powershell
- Connect-MSGraph
- ```
- The user and password for your account will be requested using a standard Azure AD form. Type your username and password and then click **Sign in**.
- See the following example:
-
- 
-
- If this is the first time you’ve used the Intune Graph APIs, you’ll also be prompted to enable read and write permissions for Microsoft Intune PowerShell. To enable these permissions:
- - Select **Consent on behalf or your organization**
- - Click **Accept**
-
-4. Next, retrieve and display all the Autopilot profiles available in the specified Intune tenant in JSON format:
-
- #### Retrieve profiles in Autopilot for existing devices JSON format
-
- ```powershell
- Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
- ```
-
- See the following sample output: (use the horizontal scroll bar at the bottom to view long lines)
-
-
- Each profile is encapsulated within braces **{ }**. In the previous example, a single profile is displayed.
-
- See the following table for a description of properties used in the JSON file.
-
-
- | Property | Description |
- |------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
- | Version (number, optional) | The version number that identifies the format of the JSON file. For Windows 10 1809, the version specified must be 2049. |
- | CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. |
- | CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, for example: tenant.onmicrosoft.com. |
- | CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 |
- | CloudAssignedDomainJoinMethod (number, required) | This property specifies whether the device should join Azure Active Directory or Active Directory (Hybrid Azure AD Join). Values include: Active AD Join = 0, Hybrid Azure AD Join = 1 |
- | CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment. 0 = not required, 1 = required. |
- | ZtdCorrelationId (guid, required) | A unique GUID (without braces) that will be provided to Intune as part of the registration process. ZtdCorrelationId will be included in enrollment message as “OfflineAutoPilotEnrollmentCorrelator”. This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration. |
- | CloudAssignedAadServerData (encoded JSON string, required) | An embedded JSON string used for branding. It requires AAD corp branding enabled. Example value: "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"tenant.onmicrosoft.com\"}}" |
- | CloudAssignedDeviceName (string, optional) | The name automatically assigned to the computer. This follows the naming pattern convention that can be configured in Intune as part of the Autopilot profile, or can specify an explicit name to use. |
-
-
-5. The Autopilot profile must be saved as a JSON file in ASCII or ANSI format. Windows PowerShell defaults to Unicode format, so if you attempt to redirect output of the commands to a file, you must also specify the file format. For example, to save the file in ASCII format using Windows PowerShell, you can create a directory (ex: c:\Autopilot) and save the profile as shown below: (use the horizontal scroll bar at the bottom if needed to view the entire command string)
-
- ```powershell
- Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII
- ```
- **IMPORTANT**: The file name must be named **AutopilotConfigurationFile.json** in addition to being encoded as ASCII/ANSI.
-
- If preferred, you can save the profile to a text file and edit in Notepad. In Notepad, when you choose **Save as** you must select Save as type: **All Files** and choose ANSI from the drop-down list next to **Encoding**. See the following example.
-
- 
-
- After saving the file, move the file to a location suitable as a Microsoft Endpoint Configuration Manager package source.
-
- >[!IMPORTANT]
- >Multiple JSON profile files can be used, but each must be named **AutopilotConfigurationFile.json** in order for OOBE to follow the Autopilot experience. The file also must be encoded as ANSI.
**Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause Windows 10 OOBE to not follow the Autopilot experience**.
-
-
-### Create a package containing the JSON file
-
-1. In Configuration Manager, navigate to **\Software Library\Overview\Application Management\Packages**
-2. On the ribbon, click **Create Package**
-3. In the **Create Package and Program Wizard** enter the following **Package** and **Program Type** details:
- - Name: **Autopilot for existing devices config**
- - Select the **This package contains source files** checkbox
- - Source folder: Click **Browse** and specify a UNC path containing the AutopilotConfigurationFile.json file.
- - Click **OK** and then click **Next**.
- - Program Type: **Do not create a program**
-4. Click **Next** twice and then click **Close**.
-
-**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Configuration Manager package.
-
-### Create a target collection
-
->[!NOTE]
->You can also choose to reuse an existing collection
-
-1. Navigate to **\Assets and Compliance\Overview\Device Collections**
-2. On the ribbon, click **Create** and then click **Create Device Collection**
-3. In the **Create Device Collection Wizard** enter the following **General** details:
- - Name: **Autopilot for existing devices collection**
- - Comment: (optional)
- - Limiting collection: Click **Browse** and select **All Systems**
-
- >[!NOTE]
- >You can optionally choose to use an alternative collection for the limiting collection. The device to be upgraded must be running the ConfigMgr agent in the collection that you select.
-
-4. Click **Next**, then enter the following **Membership Rules** details:
- - Click **Add Rule** and specify either a direct or query based collection rule to add the target test Windows 7 devices to the new collection.
- - For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next**, and then choose **PC-01** under **Resources**. See the following examples.
-
- 
- 
-
-5. Continue creating the device collection with the default settings:
- - Use incremental updates for this collection: not selected
- - Schedule a full update on this collection: default
- - Click **Next** twice and then click **Close**
-
-### Create an Autopilot for existing devices Task Sequence
-
->[!TIP]
->The next procedure requires a boot image for Windows 10 1803 or later. Review your available boot images in the Configuration Manager conole under **Software Library\Overview\Operating Systems\Boot images** and verify that the **OS Version** is 10.0.17134.1 (Windows 10 version 1803) or later.
-
-1. In the Configuration Manager console, navigate to **\Software Library\Overview\Operating Systems\Task Sequences**
-2. On the Home ribbon, click **Create Task Sequence**
-3. Select **Install an existing image package** and then click **Next**
-4. In the Create Task Sequence Wizard enter the following details:
- - Task sequence name: **Autopilot for existing devices**
- - Boot Image: Click **Browse** and select a Windows 10 boot image (1803 or later)
- - Click **Next**, and then on the Install Windows page click **Browse** and select a Windows 10 **Image package** and **Image Index**, version 1803 or later.
- - Select the **Partition and format the target computer before installing the operating system** checkbox.
- - Select or clear **Configure task sequence for use with BitLocker** checkbox. This is optional.
- - Product Key and Server licensing mode: Optionally enter a product key and server licensing mode.
- - Randomly generate the local administrator password and disable the account on all support platforms (recommended): Optional.
- - Enable the account and specify the local administrator password: Optional.
- - Click **Next**, and then on the Configure Network page choose **Join a workgroup** and specify a name (ex: workgroup) next to **Workgroup**.
-
- > [!IMPORTANT]
- > The Autopilot for existing devices task sequence will run the **Prepare Windows for capture** action which uses the System Preparation Tool (sysprep). This action will fail if the target machine is joined to a domain.
-
- >[!IMPORTANT]
- > The System Preparation Tool (sysprep) will run with the /Generalize parameter which, on Windows 10 versions 1903 and 1909, will delete the Autopilot profile file and the machine will boot into OOBE phase instead of Autopilot phase. To fix this issue, please see [Windows Autopilot - known issues](https://docs.microsoft.com/windows/deployment/windows-autopilot/known-issues).
-
-5. Click **Next**, and then click **Next** again to accept the default settings on the Install Configuration Manager page.
-6. On the State Migration page, enter the following details:
- - Clear the **Capture user settings and files** checkbox.
- - Clear the **Capture network settings** checkbox.
- - Clear the **Capture Microsoft Windows settings** checkbox.
- - Click **Next**.
-
- >[!NOTE]
- >Because the Autopilot for existing devices task sequence completes while in Windows PE, User State Migration Toolkit (USMT) data migration is not supported as there is no way to restore the user state into the new OS. Also, the User State Migration Toolkit (USMT) does not support Azure AD-joined devices.
-
-7. On the Include Updates page, choose one of the three available options. This selection is optional.
-8. On the Install applications page, add applications if desired. This is optional.
-9. Click **Next**, confirm settings, click **Next**, and then click **Close**.
-10. Right click on the Autopilot for existing devices task sequence and click **Edit**.
-11. In the Task Sequence Editor under the **Install Operating System** group, click the **Apply Windows Settings** action.
-12. Click **Add** then click **New Group**.
-13. Change the group **Name** from **New Group** to **Autopilot for existing devices config**.
-14. Click **Add**, point to **General**, then click **Run Command Line**.
-15. Verify that the **Run Command Line** step is nested under the **Autopilot for existing devices config** group.
-16. Change the **Name** to **Apply Autopilot for existing devices config file** and paste the following into the **Command line** text box, and then click **Apply**:
- ```
- cmd.exe /c xcopy AutopilotConfigurationFile.json %OSDTargetSystemDrive%\windows\provisioning\Autopilot\ /c
- ```
- - **AutopilotConfigurationFile.json** must be the name of the JSON file present in the Autopilot for existing devices package created earlier.
-
-17. In the **Apply Autopilot for existing devices config file** step, select the **Package** checkbox and then click **Browse**.
-18. Select the **Autopilot for existing devices config** package created earlier and click **OK**. An example is displayed at the end of this section.
-19. Under the **Setup Operating System** group, click the **Setup Windows and Configuration Manager** task.
-20. Click **Add** and then click **New Group**.
-21. Change **Name** from **New Group** to **Prepare Device for Autopilot**
-22. Verify that the **Prepare Device for Autopilot** group is the very last step in the task sequence. Use the **Move Down** button if necessary.
-23. With the **Prepare device for Autopilot** group selected, click **Add**, point to **Images** and then click **Prepare ConfigMgr Client for Capture**.
-24. Add a second step by clicking **Add**, pointing to **Images**, and clicking **Prepare Windows for Capture**. Use the following settings in this step:
- - Automatically build mass storage driver list: **Not selected**
- - Do not reset activation flag: **Not selected**
- - Shut down the computer after running this action: **Optional**
-
- 
-
-25. Click **OK** to close the Task Sequence Editor.
-
-> [!NOTE]
-> On Windows 10 1903 and 1909, the **AutopilotConfigurationFile.json** is deleted by the **Prepare Windows for Capture** step. See [Windows Autopilot - known issues](https://docs.microsoft.com/windows/deployment/windows-autopilot/known-issues) for more information and a workaround.
-
-### Deploy Content to Distribution Points
-
-Next, ensure that all content required for the task sequence is deployed to distribution points.
-
-1. Right click on the **Autopilot for existing devices** task sequence and click **Distribute Content**.
-2. Click **Next**, **Review the content to distribute**, and then click **Next**.
-3. On the Specify the content distribution page click **Add** to specify either a **Distribution Point** or **Distribution Point Group**.
-4. On the Add Distribution Points or Add Distribution Point Groups wizard specify content destinations that will allow the JSON file to be retrieved when the task sequence is run.
-5. When you are finished specifying content distribution, click **Next** twice then click **Close**.
-
-### Deploy the OS with Autopilot Task Sequence
-
-1. Right click on the **Autopilot for existing devices** task sequence and then click **Deploy**.
-2. In the Deploy Software Wizard enter the following **General** and **Deployment Settings** details:
- - Task Sequence: **Autopilot for existing devices**.
- - Collection: Click **Browse** and then select **Autopilot for existing devices collection** (or another collection you prefer).
- - Click **Next** to specify **Deployment Settings**.
- - Action: **Install**.
- - Purpose: **Available**. You can optionally select **Required** instead of **Available**. This is not recommended during the test owing to the potential impact of inadvertent configurations.
- - Make available to the following: **Only Configuration Manager Clients**. Note: Choose the option here that is relevant for the context of your test. If the target client does not have the Configuration Manager agent or Windows installed, you will need to select an option that includes PXE or Boot Media.
- - Click **Next** to specify **Scheduling** details.
- - Schedule when this deployment will become available: Optional
- - Schedule when this deployment will expire: Optional
- - Click **Next** to specify **User Experience** details.
- - Show Task Sequence progress: Selected.
- - Software Installation: Not selected.
- - System restart (if required to complete the installation): Not selected.
- - Commit changed at deadline or during a maintenance windows (requires restart): Optional.
- - Allow task sequence to be run for client on the Internet: Optional
- - Click **Next** to specify **Alerts** details.
- - Create a deployment alert when the threshold is higher than the following: Optional.
- - Click **Next** to specify **Distribution Points** details.
- - Deployment options: **Download content locally when needed by the running task sequence**.
- - When no local distribution point is available use a remote distribution point: Optional.
- - Allow clients to use distribution points from the default site boundary group: Optional.
- - Click **Next**, confirm settings, click **Next**, and then click **Close**.
-
-### Complete the client installation process
-
-1. Open the Software Center on the target Windows 7 or Windows 8.1 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt:
-
- ```
- C:\Windows\CCM\SCClient.exe
- ```
-
-2. In the software library, select **Autopilot for existing devices** and click **Install**. See the following example:
-
- 
- 
-
-The Task Sequence will download content, reboot, format the drives and install Windows 10. The device will then proceed to be prepared for Autopilot. Once the task sequence has completed the device will boot into OOBE and provide an Autopilot experience.
-
-
-
-
-
->[!NOTE]
->If joining devices to Active Directory (Hybrid Azure AD Join), it is necessary to create a Domain Join device configuration profile that is targeted to "All Devices" (since there is no Azure Active Directory device object for the computer to do group-based targeting). See [User-driven mode for hybrid Azure Active Directory join](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven#user-driven-mode-for-hybrid-azure-active-directory-join) for more information.
-
-### Register the device for Windows Autopilot
-
-Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. Once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset. You can enable automatic registration for an assigned group using the **Convert all targeted devices to Autopilot** setting. For more information, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile).
-
-Also see [Adding devices to Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/add-devices).
-
-## Speeding up the deployment process
-
-To remove around 20 minutes from the deployment process, see Michael Niehaus's blog with instructions for [Speeding up Windows Autopilot for existing devices](https://blogs.technet.microsoft.com/mniehaus/2018/10/25/speeding-up-windows-autopilot-for-existing-devices/).
diff --git a/windows/deployment/windows-autopilot/index.md b/windows/deployment/windows-autopilot/index.md
deleted file mode 100644
index 93abebfa65..0000000000
--- a/windows/deployment/windows-autopilot/index.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: Windows Autopilot deployment
-description: Discover resources for Windows Autopilot deployment with this guide.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot deployment
-
-**Applies to**
-
-- Windows 10
-
-Windows Autopilot is a zero-touch, self-service Windows deployment platform introduced with Windows 10, version 1703. The Windows Autopilot process runs immediately after powering on a new computer for the first time, enabling employees to configure new devices to be business-ready with just a few clicks.
-
-This guide is intended for use by an IT-specialist, system architect, or business decision maker. The guide provides information about how Windows Autopilot deployment works, including detailed requirements, deployment scenarios, and platform capabilities. The document highlights options that are available to you when planning a modern, cloud-joined Windows 10 deployment strategy. Links are provided to detailed step by step configuration procedures.
-
-## In this guide
-
-
Interested in trying out Autopilot? See this step-by-step walkthrough to test Windows Autopilot on a virtual machine or physical device with a free 30-day trial premium Intune account.
-
Using Windows Autopilot Reset, a device can be restored to its original settings, taking it back to a business-ready state. Both local and remote reset scenarios are discussed.
-
This topic describes how Windows Autopilot can be used to convert Windows 7 or Windows 8.1 domain-joined computers to AAD-joined computers running Windows 10.
-
Information about how to deal with Autopilot registration and device repair issues is provided.
-
-
-## Related topics
-
-[Windows Autopilot](https://www.microsoft.com/windowsforbusiness/windows-autopilot)
diff --git a/windows/deployment/windows-autopilot/index.yml b/windows/deployment/windows-autopilot/index.yml
new file mode 100644
index 0000000000..19763ed2b7
--- /dev/null
+++ b/windows/deployment/windows-autopilot/index.yml
@@ -0,0 +1,38 @@
+### YamlMime:Landing
+
+title: Windows Autopilot deployment resources and documentation # < 60 chars
+summary: 'Note: Windows Autopilot documentation has moved! A few additional resources will also be available here. See the links on this page for more information.' # < 160 chars
+
+metadata:
+ title: Windows Autopilot deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
+ services: windows-10
+ ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
+ ms.subservice: subservice
+ ms.topic: landing-page # Required
+ ms.collection: windows-10
+ author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
+ ms.author: greglin #Required; microsoft alias of author; optional team alias.
+ ms.date: 08/05/2020 #Required; mm/dd/yyyy format.
+ localization_priority: medium
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card
+ - title: Overview
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Overview of Windows Autopilot
+ url: https://docs.microsoft.com/mem/autopilot/windows-autopilot
+
+ # Card
+ - title: Tutorials
+ linkLists:
+ - linkListType: get-started
+ links:
+ - text: Demonstrate Windows Autopilot deployment
+ url: demonstrate-deployment-on-vm.md
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md
deleted file mode 100644
index 8dbec94be5..0000000000
--- a/windows/deployment/windows-autopilot/known-issues.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Windows Autopilot known issues
-ms.reviewer:
-manager: laurawi
-description: Inform yourself about known issues that may occur during Windows Autopilot deployment.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot - known issues
-
-**Applies to**
-
-- Windows 10
-
-
-
Issue
More information
-
-
Blocking apps specified in a user-targeted Enrollment Status Profile are ignored during device ESP.
-
The services responsible for determining the list of apps that should be blocking during device ESP are not able to determine the correct ESP profile containing the list of apps because they do not know the user identity. As a workaround, enable the default ESP profile (which targets all users and devices) and place the blocking app list there. In the future, it will be possible to instead target the ESP profile to device groups to avoid this issue.
-
-
That username looks like it belongs to another organization. Try signing in again or start over with a different account.
-
Confirm that all of your information is correct at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot. See Troubleshooting Windows Auto Pilot for more details.
-
-
Windows Autopilot user-driven Hybrid Azure AD deployments do not grant users Administrator rights even when specified in the Windows Autopilot profile.
-
This will occur when there is another user on the device that already has Administrator rights. For example, a PowerShell script or policy could create an additional local account that is a member of the Administrators group. To ensure this works properly, do not create an additional account until after the Windows Autopilot process has completed.
-
-
Windows Autopilot device provisioning can fail with TPM attestation errors or ESP timeouts on devices where the real-time clock is off by a significant amount of time (e.g. several minutes or more).
-
To fix this issue:
Boot the device to the start of the out-of-box experience (OOBE).
-
Establish a network connection (wired or wireless).
-
Run the command w32tm /resync /force to sync the time with the default time server (time.windows.com).
-
-
-
Windows Autopilot for existing devices does not work for Windows 10, version 1903 or 1909; you see screens that you've disabled in your Windows Autopilot profile, such as the Windows 10 License Agreement screen.
-
-This happens because Windows 10, version 1903 and 1909 deletes the AutopilotConfigurationFile.json file.
-
To fix this issue:
Edit the Configuration Manager task sequence and disable the Prepare Windows for Capture step.
-
Add a new Run command line step that runs c:\windows\system32\sysprep\sysprep.exe /oobe /reboot.
TPM attestation fails on Windows 10 1903 due to missing AKI extension in EK certificate. (An additional validation added in Windows 10 1903 to check that the TPM EK certs had the proper attributes according to the TCG specifications uncovered that a number of them don’t, so that validation will be removed).
-
The following known issues are resolved by installing the August 30, 2019 KB4512941 update (OS Build 18362.329):
-
-- Windows Autopilot for existing devices feature does not properly suppress “Activities” page during OOBE. (Because of this, you’ll see that extra page during OOBE).
-- TPM attestation state is not cleared by sysprep /generalize, causing TPM attestation failure during later OOBE flow. (This isn’t a particularly common issue, but you could run into it while testing if you are running sysprep /generalize and then rebooting or reimaging the device to go back through an Autopilot white glove or self-deploying scenario).
-- TPM attestation may fail if the device has a valid AIK cert but no EK cert. (This is related to the previous item).
-- If TPM attestation fails during the Windows Autopilot white glove process, the landing page appears to be hung. (Basically, the white glove landing page, where you click “Provision” to start the white glove process, isn’t reporting errors properly).
-- TPM attestation fails on newer Infineon TPMs (firmware version > 7.69). (Prior to this fix, only a specific list of firmware versions was accepted).
-- Device naming templates may truncate the computer name at 14 characters instead of 15.
-- Assigned Access policies cause a reboot which can interfere with the configuration of single-app kiosk devices.
-
See the section: How to get this update for information on specific release channels you can use to obtain the update.
-
The following known issues are resolved by installing the July 26, 2019 KB4505903 update (OS Build 18362.267):
-
-- Windows Autopilot white glove does not work for a non-English OS and you see a red screen that says "Success."
-- Windows Autopilot reports an AUTOPILOTUPDATE error during OOBE after sysprep, reset or other variations. This typically happens if you reset the OS or used a custom sysprepped image.
-- BitLocker encryption is not correctly configured. Ex: BitLocker didn’t get an expected notification after policies were applied to begin encryption.
-- You are unable to install UWP apps from the Microsoft Store, causing failures during Windows Autopilot. If you are deploying Company Portal as a blocking app during Windows Autopilot ESP, you’ve probably seen this error.
-- A user is not granted administrator rights in the Windows Autopilot user-driven Hybrid Azure AD join scenario. This is another non-English OS issue.
-
This is a general error indicating a timeout. A common cause of this error in self-deploying mode is that the device is not TPM 2.0 capable (ex: a virtual machine). Devices that are not TPM 2.0 capable cannot be used with self-deploying mode.
-
0x801c03ea
This error indicates that TPM attestation failed, causing a failure to join Azure Active Directory with a device token.
-
White glove gives a red screen and the Microsoft-Windows-User Device Registration/Admin event log displays HResult error code 0x801C03F3
This can happen if Azure AD can’t find an AAD device object for the device that you are trying to deploy. This will occur if you manually delete the object. To fix it, remove the device from AAD, Intune, and Autopilot, then re-register it with Autopilot, which will recreate the AAD device object.
- To obtain troubleshooting logs use: Mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\autopilot.cab
-
White glove gives a red screen
White glove is not supported on a VM.
-
Error importing Windows Autopilot devices from a .csv file
Ensure that you have not edited the .csv file in Microsoft Excel or an editor other than Notepad. Some of these editors can introduce extra characters causing the file format to be invalid.
-
Windows Autopilot for existing devices does not follow the Autopilot OOBE experience.
Ensure that the JSON profile file is saved in ANSI/ASCII format, not Unicode or UTF-8.
-
Something went wrong is displayed page during OOBE.
The client is likely unable to access all the required AAD/MSA-related URLs. For more information, see Networking requirements.
-
Using a provisioning package in combination with Windows Autopilot can cause issues, especially if the PPKG contains join, enrollment, or device name information.
Using PPKGs in combination with Windows Autopilot is not recommended.
-
-
-## Related topics
-
-[Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10)
-[Troubleshooting Windows Autopilot](troubleshooting.md)
diff --git a/windows/deployment/windows-autopilot/policy-conflicts.md b/windows/deployment/windows-autopilot/policy-conflicts.md
deleted file mode 100644
index f4abf3e78c..0000000000
--- a/windows/deployment/windows-autopilot/policy-conflicts.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: Windows Autopilot policy conflicts
-ms.reviewer:
-manager: laurawi
-description: Inform yourself about known issues that may occur during Windows Autopilot deployment.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: mtniehaus
-ms.author: mniehaus
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot - Policy Conflicts
-
-**Applies to**
-
-- Windows 10
-
-There are a significant number of policy settings available for Windows 10, both as native MDM policies and group policy (ADMX-backed) settings. Some of these can cause issues in certain Windows Autopilot scenarios as a result of how they change the behavior of Windows 10. If you encounter any of these issues, remove the policy in question to resolve the issue.
-
-
When certain DeviceLock policies, such as minimum password length and password complexity, or any similar group policy settings (including any that disable autologon) are applied to a device, and that device reboots during the device Enrollment Status Page (ESP), the out-of-box experience (OOBE) or user desktop autologon can fail unexpectantly. This is especially true for kiosk scenarios where passwords are automatically generated.
When modifying user account control (UAC) settings during the OOBE using the device Enrollment Status Page (ESP), additional UAC prompts may result, especially if the device reboots after these policies are applied, enabling them to take effect. To work around this issue, the policies can be targeted to users instead of devices so that they apply later in the process.
-
-
-
-## Related topics
-
-[Troubleshooting Windows Autopilot](troubleshooting.md)
diff --git a/windows/deployment/windows-autopilot/profiles.md b/windows/deployment/windows-autopilot/profiles.md
deleted file mode 100644
index 5cb74ed199..0000000000
--- a/windows/deployment/windows-autopilot/profiles.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Configure Autopilot profiles
-description: Learn how to configure device profiles while performing a Windows Autopilot deployment.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Configure Autopilot profiles
-
-**Applies to**
-
-- Windows 10
-
-For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it is deployed. For detailed procedures on how to configure profile settings and register devices, see [Registering devices](add-devices.md#registering-devices).
-
-## Profile settings
-
-The following profile settings are available:
-
-- **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process.
-
-- **Automatically setup for work or school**. All devices registered with Autopilot will automatically be considered work or school devices, so this question will not be asked during the OOBE process.
-
-- **Sign in experience with company branding**. Instead of presenting a generic Azure Active Directory sign-in page, all devices registered with Autopilot will automatically present a customized sign-in page with the organization’s name, logon, and additional help text, as configured in Azure Active Directory. See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory) to customize these settings.
-
-- **Skip privacy settings**. This optional Autopilot profile setting enables organizations to not ask about privacy settings during the OOBE process. This is typically desirable so that the organization can configure these settings via Intune or other management tool.
-
-- **Disable local admin account creation on the device**. Organizations can decide whether the user setting up the device should have administrator access once the process is complete.
-
-- **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users.
-
-- **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details.
-
-## Related topics
-
-[Profile download](troubleshooting.md#profile-download)
-[Registering devices](add-devices.md)
diff --git a/windows/deployment/windows-autopilot/registration-auth.md b/windows/deployment/windows-autopilot/registration-auth.md
deleted file mode 100644
index 547b2f07ea..0000000000
--- a/windows/deployment/windows-autopilot/registration-auth.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: Windows Autopilot customer consent
-description: Learn how a cloud service provider (CSP) partner or an OEM can get customer authorization to register Windows Autopilot devices on the customer’s behalf.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot customer consent
-
-**Applies to: Windows 10**
-
-This article describes how a cloud service provider (CSP) partner (direct bill, indirect provider, or indirect reseller) or an OEM can get customer authorization to register Windows Autopilot devices on the customer’s behalf.
-
-## CSP authorization
-
-CSP partners can get customer authorization to register Windows Autopilot devices on the customer’s behalf per the following restrictions:
-
-
-
Direct CSP
Gets direct authorization from the customer to register devices.
-
Indirect CSP Provider
Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.
-
Indirect CSP Reseller
Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs.
-
-
-### Steps
-
-For a CSP to register Windows Autopilot devices on behalf of a customer, the customer must first grant that CSP partner permission using the following process:
-
-1. CSP sends link to customer requesting authorization/consent to register/manage devices on their behalf. To do so:
- - CSP logs into Microsoft Partner Center
- - Click **Dashboard** on the top menu
- - Click **Customer** on the side menu
- - Click the **Request a reseller relationship** link:
- 
- - Select the checkbox indicating whether or not you want delegated admin rights:
- 
- - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Admin Center or the Office 365 admin portal: https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges
- - Send the template above to the customer via email.
-2. Customer with global administrator privileges in Microsoft Admin Center clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following Microsoft 365 admin center page:
-
- 
-
- The image above is what the customer will see if they requested delegated admin rights (DAP). Note that the page says what Admin roles are being requested. If the customer did not request delegated admin rights they would see the following page:
-
- 
-
- > [!NOTE]
- > A user without global admin privileges who clicks the link will see a message similar to the following:
-
- 
-
-3. Customer selects the **Yes** checkbox, followed by the **Accept** button. Authorization happens instantaneously.
-4. The CSP will know that this consent/authorization request has been completed because the customer will show up in the CSP’s MPC account under their **customers** list, for example:
-
-
-
-## OEM authorization
-
-Each OEM has a unique link to provide to their respective customers, which the OEM can request from Microsoft via msoemops@microsoft.com.
-
-1. OEM emails link to their customer.
-2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link once they receive it from the OEM, which takes them directly to the following MSfB page:
-
- 
-
- > [!NOTE]
- > A user without global admin privileges who clicks the link will see a message similar to the following:
-
- 
-3. Customer selects the **Yes** checkbox, followed by the **Accept** button, and they’re done. Authorization happens instantaneously.
-
- > [!NOTE]
- > Once this process has completed, it is not currently possible for an administrator to remove an OEM. To remove an OEM or revoke
- their permissions, send a request to msoemops@microsoft.com
-
-4. The OEM can use the Validate Device Submission Data API to verify the consent has completed. This API is discussed in the latest version of the API Whitepaper, p. 14ff [https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx](https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx). **Note**: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, it’s a best practice recommendation for OEM partners to run the API check to confirm they’ve received customer consent before attempting to register devices, thus avoiding errors in the registration process.
-
- > [!NOTE]
- > During the OEM authorization registration process, no delegated admin permissions are granted to the OEM.
-
-## Summary
-
-At this stage of the process, Microsoft is no longer involved; the consent exchange happens directly between the OEM and the customer. And, it all happens instantaneously - as quickly as buttons are clicked.
diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md
deleted file mode 100644
index 4bdb15131d..0000000000
--- a/windows/deployment/windows-autopilot/self-deploying.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Windows Autopilot Self-Deploying mode
-description: Self-deploying mode allows a device to be deployed with little to no user interaction. This mode mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Windows Autopilot Self-Deploying mode
-
-**Applies to: Windows 10, version 1903 or later**
-
-Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection).
-
-Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned.
-
->[!NOTE]
->Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory.
-
-Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details.
-
->[!NOTE]
->Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. For more information see [Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) and [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md).
-
-
-
-## Requirements
-
-Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. The devices must also support TPM device attestation. (All newly-manufactured Windows devices should meet these requirements.)
-
->[!IMPORTANT]
->If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported). Also note that Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. Since Windows 10 Enterprise 2019 LTSC is based on Windows 10 version 1809, self-deploying mode is also not supported on Windows 10 Enterprise 2019 LTSC. See [Windows Autopilot known issues](known-issues.md) to review other known errors and solutions.
-
-In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details.
-
-## Step by step
-
-In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed:
-
-- Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.)
-- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. Ensure that the profile has been assigned to the device before attempting to deploy that device.
-- Boot the device, connecting it to Wi-fi if required, then wait for the provisioning process to complete.
-
-## Validation
-
-When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed:
-
-- Once connected to a network, the Autopilot profile will be downloaded.
-- If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required:
- - If multiple languages are preinstalled in Windows 10, the user must pick a language.
- - The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
-- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
-- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
-- The device will join Azure Active Directory.
-- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
-- The [enrollment status page](enrollment-status.md) will be displayed.
-- Depending on the device settings deployed, the device will either:
- - Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials.
- - Automatically sign in as a local account, for devices configured as a kiosk or digital signage.
-
->[!NOTE]
->Deploying EAS policies using self-deploying mode for kiosk deployments will cause auto-logon functionality to fail.
-
-In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md
deleted file mode 100644
index ff194c99ab..0000000000
--- a/windows/deployment/windows-autopilot/troubleshooting.md
+++ /dev/null
@@ -1,164 +0,0 @@
----
-title: Troubleshooting Windows Autopilot
-description: Learn how to handle issues as they arise during the Windows Autopilot deployment process.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Troubleshooting Windows Autopilot
-
-**Applies to: Windows 10**
-
-Windows Autopilot is designed to simplify all parts of the Windows device lifecycle, but there are always situations where issues may arise, either due to configuration or other issues. To assist with troubleshooting efforts, review the following information.
-
-## Troubleshooting process
-
-Whether you are performing user-driven or self-deploying device deployments, the troubleshooting process is about the same. It is always useful to understand the flow for a specific device:
-
-- A network connection is established. This can be a wireless (Wi-fi) or wired (Ethernet) connection.
-- The Windows Autopilot profile is downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place.
-- User authentication occurs. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated.
-- Azure Active Directory join occurs. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials.
-- Automatic MDM enrollment occurs. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (for example, Microsoft Intune).
-- Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in.
-
-For troubleshooting, key activities to perform are:
-
-- Configuration: Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements.md)?
-- Network connectivity: Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements.md)?
-- Autopilot OOBE behavior: Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected?
-- Azure AD join issues: Was the device able to join Azure Active Directory?
-- MDM enrollment issues: Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)?
-
-## Troubleshooting Autopilot Device Import
-
-### Clicking Import after selecting CSV does nothing, '400' error appears in network trace with error body **"Cannot convert the literal '[DEVICEHASH]' to the expected type 'Edm.Binary'"**
-
-This error points to the device hash being incorrectly formatted. This could be caused by anything that corrupts the collected hash, but one possibility is that the hash itself (even if it is completely valid) fails to be decoded.
-
-The device hash is Base64. At the device level, it's encoded as unpadded Base64, but Autopilot expects padded Base64. In most cases, it seems the payload lines up to not require padding, so the process works, but sometimes it doesn't line up cleanly and padding is necessary. This is when you get the error above. PowerShell's Base64 decoder also expects padded Base64, so we can use that to validate that the hash is properly padded.
-
-The "A" characters at the end of the hash are effectively empty data - Each character in Base64 is 6 bits, A in Base64 is 6 bits equal to 0. Deleting or adding **A**'s at the end doesn't change the actual payload data.
-
-To fix this, we'll need to modify the hash, then test the new value, until PowerShell succeeds in decoding the hash. The result is mostly illegible, this is fine - we're just looking for it to not throw the error "Invalid length for a Base-64 char array or string".
-
-To test the base64, you can use the following:
-```powershell
-[System.Text.Encoding]::ascii.getstring( [System.Convert]::FromBase64String("DEVICE HASH"))
-```
-
-So, as an example (this is not a device hash, but it's misaligned unpadded Base64 so it's good for testing):
-```powershell
-[System.Text.Encoding]::ascii.getstring( [System.Convert]::FromBase64String("Q29udG9zbwAAA"))
-```
-
-Now for the padding rules. The padding character is "=". The padding character can only be at the end of the hash, and there can only be a maximum of 2 padding characters. Here's the basic logic.
-
-- Does decoding the hash fail?
- - Yes: Are the last two characters "="?
- - Yes: Replace both "=" with a single "A" character, then try again
- - No: Add another "=" character at the end, then try again
- - No: That hash is valid
-
-Looping the logic above on the previous example hash, we get the following permutations:
-- Q29udG9zbwAAA
-- Q29udG9zbwAAA=
-- Q29udG9zbwAAA==
-- Q29udG9zbwAAAA
-- Q29udG9zbwAAAA=
-- **Q29udG9zbwAAAA==** (This one has valid padding)
-
-Replace the collected hash with this new padded hash then try to import again.
-
-## Troubleshooting Autopilot OOBE issues
-
-If the expected Autopilot behavior does not occur during the out-of-box experience (OOBE), it is useful to see whether the device received an Autopilot profile and what settings that profile contained. Depending on the Windows 10 release, there are different mechanisms available to do that.
-
-### Windows 10 version 1803 and above
-
-To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> Autopilot** for versions before 1903, or **Application and Services Logs –> Microsoft –> Windows –> ModernDeployment-Diagnostics-Provider –> Autopilot** for 1903 and above. The following events may be recorded, depending on the scenario and profile configuration.
-
-| Event ID | Type | Description |
-|----------|------|-------------|
-| 100 | Warning | “Autopilot policy [name] not found.” This is typically a temporary problem, while the device is waiting for an Autopilot profile to be downloaded. |
-| 101 | Info | “AutopilotGetPolicyDwordByName succeeded: policy name = [setting name]; policy value [value].” This shows Autopilot retrieving and processing numeric OOBE settings. |
-| 103 | Info | “AutopilotGetPolicyStringByName succeeded: policy name = [name]; value = [value].” This shows Autopilot retrieving and processing OOBE setting strings such as the Azure AD tenant name. |
-| 109 | Info | “AutopilotGetOobeSettingsOverride succeeded: OOBE setting [setting name]; state = [state].” This shows Autopilot retrieving and processing state-related OOBE settings. |
-| 111 | Info | “AutopilotRetrieveSettings succeeded.” This means that the settings stored in the Autopilot profile that control the OOBE behavior have been retrieved successfully. |
-| 153 | Info | “AutopilotManager reported the state changed from [original state] to [new state].” Typically this should say “ProfileState_Unknown” to “ProfileState_Available” to show that a profile was available for the device and downloaded, so the device is ready to be deployed using Autopilot. |
-| 160 | Info | “AutopilotRetrieveSettings beginning acquisition.” This shows that Autopilot is getting ready to download the needed Autopilot profile settings. |
-| 161 | Info | “AutopilotManager retrieve settings succeeded.” The Autopilot profile was successfully downloaded. |
-| 163 | Info | “AutopilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this.” This message indicates that an Autopilot profile is resident on the device; it typically would only be removed by the **Sysprep /Generalize** process. |
-| 164 | Info | “AutopilotManager determined Internet is available to attempt policy download.” |
-| 171 | Error | “AutopilotManager failed to set TPM identity confirmed. HRESULT=[error code].” This indicates an issue performing TPM attestation, needed to complete the self-deploying mode process. |
-| 172 | Error | “AutopilotManager failed to set Autopilot profile as available. HRESULT=[error code].” This is typically related to event ID 171. |
-
-In addition to the event log entries, the registry and ETW trace options described below also work with Windows 10 version 1803 and above.
-
-### Windows 10 version 1709 and above
-
-On Windows 10 version 1709 and above, information about the Autopilot profile settings are stored in the registry on the device after they are received from the Autopilot deployment service. These can be found at **HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\Autopilot**. Available registry entries include:
-
-| Value | Description |
-|-------|-------------|
-| AadTenantId | The GUID of the Azure AD tenant the user signed into. This should match the tenant that the device was registered with; if it does not match the user will receive an error. |
-| CloudAssignedTenantDomain | The Azure AD tenant the device has been registered with, for example, “contosomn.onmicrosoft.com.” If the device is not registered with Autopilot, this value will be blank. |
-| CloudAssignedTenantId | The GUID of the Azure AD tenant the device has been registered with (the GUID corresponds to the tenant domain from the CloudAssignedTenantDomain registry value). If the device isn’t registered with Autopilot, this value will be blank.|
-| IsAutopilotDisabled | If set to 1, this indicates that the device is not registered with Autopilot. This could also indicate that the Autopilot profile could not be downloaded due to network connectivity or firewall issues, or network timeouts. |
-| TenantMatched | This will be set to 1 if the tenant ID of the user matches the tenant ID that the device was registered with. If this is 0, the user would be shown an error and forced to start over. |
-| CloudAssignedOobeConfig | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 |
-
-### Windows 10 semi-annual channel supported versions
-
-On devices running a [supported version](https://docs.microsoft.com/windows/release-information/) of Windows 10 semi-annual channel, ETW tracing can be used to capture detailed information from Autopilot and related components. The resulting ETW trace files can then be viewed using the Windows Performance Analyzer or similar tools. See [the advanced troubleshooting blog](https://blogs.technet.microsoft.com/mniehaus/2017/12/13/troubleshooting-windows-autopilot-level-300400/) for more information.
-
-## Troubleshooting Azure AD Join issues
-
-The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD.
-
-An Azure AD device is created upon import - it's important that this object is not deleted. It acts as Autopilot's anchor in AAD for group membership and targeting (including the profile) and can lead to join errors if it's deleted. Once this object has been deleted, to fix the issue, deleting and reimporting this autopilot hash will be necessary so it can recreate the associated object.
-
-Error code 801C0003 will typically be reported on an error page titled "Something went wrong". This error means that the Azure AD join failed.
-
-## Troubleshooting Intune enrollment issues
-
-See [this knowledge base article](https://support.microsoft.com/help/4089533/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for assistance with Intune enrollment issues. Common issues include incorrect or missing licenses assigned to the user or too many devices enrolled for the user.
-
-Error code 80180018 will typically be reported on an error page titled "Something went wrong". This error means that the MDM enrollment failed.
-
-If Autopilot Reset fails immediately with an error **Ran into trouble. Please sign in with an administrator account to see why and reset manually**, see [Troubleshoot Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset#troubleshoot-autopilot-reset) for more help.
-
-## Profile download
-
-When an Internet-connected Windows 10 device boots up, it will attempt to connect to the Autopilot service and download an Autopilot profile. Note: It is important that a profile exists at this stage so that a blank profile is not cached locally on the PC. To remove the currently cached local profile in Windows 10 version 1803 and earlier, it is necessary to re-generalize the OS using **sysprep /generalize /oobe**, reinstall the OS, or re-image the PC. In Windows 10 version 1809 and later, you can retrieve a new profile by rebooting the PC.
-
-When a profile is downloaded depends upon the version of Windows 10 that is running on the PC. See the following table.
-
-| Windows 10 version | Profile download behavior |
-| --- | --- |
-| 1709 | The profile is downloaded after the OOBE network connection page. This page is not displayed when using a wired connection. In this case, the profile is downloaded just prior to the EULA screen. |
-| 1803 | The profile is downloaded as soon as possible. If wired, it is downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page. |
-| 1809 | The profile is downloaded as soon as possible (same as 1803), and again after each reboot. |
-
-If you need to reboot a computer during OOBE:
-- Press Shift-F10 to open a command prompt.
-- Enter **shutdown /r /t 0** to restart immediately, or **shutdown /s /t 0** to shutdown immediately.
-
-For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options).
-
-## Related topics
-
-[Windows Autopilot - known issues](known-issues.md)
-[Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10)
diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md
deleted file mode 100644
index 7786be9c94..0000000000
--- a/windows/deployment/windows-autopilot/user-driven.md
+++ /dev/null
@@ -1,148 +0,0 @@
----
-title: Windows Autopilot User-Driven Mode
-description: Windows Autopilot user-driven mode allows devices to be deployed to a ready-to-use state without requiring help from IT personnel.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot user-driven mode
-
-Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions:
-
-- Unbox the device, plug it in, and turn it on.
-- Choose a language (only required when multiple languages are installed), locale and keyboard.
-- Connect it to a wireless or wired network with internet access. If using wireless, the user must establish the Wi-Fi link.
-- Specify your e-mail address and password for your organization account.
-
-After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be suppressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available.
-
-Windows Autopilot user-driven mode supports Azure Active Directory and Hybrid Azure Active Directory joined devices. See [What is a device identity](https://docs.microsoft.com/azure/active-directory/devices/overview) for more information about these two join options.
-
-From a process flow perspective, the tasks performed during the user-driven process are as follows:
-
-- Once connected to a network, the device will download a Windows Autopilot profile specifying the settings that should be used (e.g. the prompts during OOBE that should be suppressed).
-- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
-- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text.
-- The device will join Azure Active Directory or Active Directory, based on the Windows Autopilot profile settings.
-- The device will enroll in Intune (or other configured MDM services). (This occurs as part of the Azure Active Directory join process via MDM auto-enrollment, or before the Active Directory join process, as needed.)
-- If configured, the [enrollment status page](enrollment-status.md) (ESP) will be displayed.
-- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided. (Note that if the device reboots during the device ESP process, the user will need to re-enter their credentials as these are not persisted across reboots.)
-- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks.
-
-If any issues are encountered during this process, see the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
-
-For more information on the available join options, see the following sections:
-
-- [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain.
-- [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain.
-- [Hybrid Azure Active Directory join with VPN support](#user-driven-mode-for-hybrid-azure-active-directory-join-with-vpn-support) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain, but are not connected to the corporate network and must use VPN connectivity.
-
-## User-driven mode for Azure Active Directory join
-
-In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed:
-
-- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information.
-- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected.
-- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
-
-For each device that will be deployed using user-driven deployment, these additional steps are needed:
-
-- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
-- Ensure an Autopilot profile has been assigned to the device:
- - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
- - If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
- - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
-
-
-## User-driven mode for hybrid Azure Active Directory join
-
-Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid-joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan).
-
-### Requirements
-
-To perform a user-driven hybrid Azure AD joined deployment using Windows Autopilot:
-
-- A Windows Autopilot profile for user-driven mode must be created and
- - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile.
-- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group.
-- The device must be running Windows 10, version 1809 or later.
-- The device must be able to access an Active Directory domain controller, so it must be connected to the organization's network (where it can resolve the DNS records for the AD domain and the AD domain controller, and communicate with the domain controller to authenticate the user).
-- The device must be able to access the Internet, following the [documented Windows Autopilot network requirements](windows-autopilot-requirements.md).
-- The Intune Connector for Active Directory must be installed.
- - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf.
-- If using Proxy, WPAD Proxy settings option must be enabled and configured.
-
-The hybrid Azure AD join process uses the system context to register the device to Azure AD, therefore it is not affected by user based Azure AD join permission settings.
-
-## User-driven mode for hybrid Azure Active Directory join with VPN support
-
-Devices that are joined to Active Directory require connectivity to an Active Directory domain controller for a variety of activities, such as user sign-in (validating the user's credentials) and Group Policy application. As a result, the Windows Autopilot user-driven Hybrid Azure AD Join process would validate that the device is able to contact an Active Directory domain controller by pinging that domain controller.
-
-With the additional of VPN support for this scenario, it is now possible for you to specify to skip that connectivity check during the Hybrid Azure AD Join. This does not eliminate the need for communicating with an Active Directory domain controller, but rather enables the device to be first prepared with a needed VPN configuration delivered via Intune prior to the user attempting to sign into Windows, allowing connectivity to the organization's network.
-
-### Requirements
-
-The following additional requirements apply for Hybrid Azure AD Join with VPN support:
-
-- A supported version of Windows 10:
- - Windows 10 1903 + December 10th Cumulative update (KB4530684, OS build 18362.535) or higher
- - Windows 10 1909 + December 10th Cumulative update (KB4530684, OS build 18363.535) or higher
- - Windows 10 2004 or later
-- Enable the new “Skip domain connectivity check” toggle in the Hybrid Azure AD Join Autopilot profile.
-- A VPN configuration that can be deployed via Intune that enables the user to manualy establish a VPN connection from the Windows logon screen, or one that automatically establishes a VPN connection as needed.
-
-The specific VPN configuration required depends on the VPN software and authentication being used. For third-party (non-Microsoft) VPN solutions, this typically would involve deploying a Win32 app (containing the VPN client software itself as well as any specific connection information, e.g. VPN endpoint host names) via Intune Management Extensions. Consult your VPN provider's documentation for configuration details specific to that provider.
-
-> [!NOTE]
-> The VPN requirements are not specific to Windows Autopilot. For example, if you have already implemented a VPN configuration to enable remote password resets, where a user needs to log on to Windows with a new password when not on the organization's network, that same configuration can be used with Windows Autopilot. Once the user has signed in to cache their credentials, subsequent log-on attempts do not need connectivity since the cached credentials can be used.
-
-In cases where certificate authentication is required by the VPN software, the needed machine certificate should also be deployed via Intune. This can be done using the Intune certificate enrollment capabilities, targeting the certificate profiles to the device.
-
-Note that user certificates are not supported because these certificates cannot be deployed until the user logs in. Also, third-party UWP VPN plug-ins delivered from the Windows Store are also not supported because these are not installed until after the user signs in.
-
-### Validation
-
-Before attempting a hybrid Azure AD Join using VPN, it is important to first confirm that a user-driven Hybrid Azure AD Join process can be performed on the organization's network, before adding in the additional requirements described below. This simplifies troubleshooting by making sure the core process works fine before adding the additional VPN configuration required.
-
-Next, validate that the VPN configuration (Win32 app, certs, and any other requirements) can be deployed via Intune to an existing device that has already been hybrid Azure AD joined. For example, some VPN clients create a per-machine VPN connection as part of the installation process, so you can validate the configuration using steps such as these:
-
-- From PowerShell, verify that at least one per-machine VPN connection has been created using the "Get-VpnConnection -AllUserConnection" command.
-- Attempt to manually start the VPN connection using the command: RASDIAL.EXE "ConnectionName"
-- Log out and verify that the "VPN connection" icon can be seen on the Windows logon page.
-- Move the device off the corporate network and attempt to establish the connection using the icon on the Windows logon page, signing into an account that does not have cached credentials.
-
-For VPN configurations that automatically connect, the validation steps may be different.
-
-> [!NOTE]
-> Always On VPN can be used for this scenario. See the [Deploy Always On VPN](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment) documentation for more information. Note that Intune cannot yet deploy the needed per-machine VPN profile.
-
-To validate the end-to-end process, ensure the needed Windows 10 cumulative update has been installed on Windows 10 1903 or Windows 10 1909. This can be done manually during OOBE by first downloading the latest cumulative from https://catalog.update.microsoft.com and then manually installing it:
-
-- Press Shift-F10 to open a command prompt.
-- Insert a USB key containing the donwloaded update.
-- Install the update using the command (substituting the real file name): WUSA.EXE .msu /quiet
-- Reboot the computer using the command: shutdown.exe /r /t 0
-
-Alternatively, you can invoke Windows Update to install the latest updates through this process:
-
-- Press Shift-F10 to open a command prompt.
-- Run the command "start ms-settings:"
-- Navigate to the "Update & Security" node and check for updates.
-- Reboot after the updates are installed.
-
-## Step by step instructions
-
-See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid).
-
diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md
deleted file mode 100644
index ca7078273f..0000000000
--- a/windows/deployment/windows-autopilot/white-glove.md
+++ /dev/null
@@ -1,119 +0,0 @@
----
-title: Windows Autopilot for white glove deployment
-description: Windows Autopilot for white glove deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, pre-provisioning
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: low
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itproF
-author: greg-lindsay
-manager: laurawi
-ms.audience: itpro
-author: greg-lindsay
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Windows Autopilot for white glove deployment
-
-**Applies to: Windows 10, version 1903**
-
-Windows Autopilot enables organizations to easily provision new devices - leveraging the preinstalled OEM image and drivers with a simple process that can be performed by the end user to help get their device business-ready.
-
- 
-
-Windows Autopilot can also provide a white glove service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.
-
-With **Windows Autopilot for white glove deployment**, the provisioning process is split. The time-consuming portions are performed by IT, partners, or OEMs. The end user simply completes a few necessary settings and polices and then they can begin using their device.
-
- 
-
-Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven mode for Azure Active Directory Join, and user-driven mode for Hybrid Azure Active Directory join scenarios.
-
-## Prerequisites
-
-In addition to [Windows Autopilot requirements](windows-autopilot-requirements.md), Windows Autopilot for white glove deployment adds the following:
-
-- Windows 10, version 1903 or later is required.
-- An Intune subscription.
-- Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported. The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements.
-- Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device.
-
->[!IMPORTANT]
->Because the OEM or vendor performs the white glove process, this doesn’t require access to an end-user's on-prem domain infrastructure. This is unlike a typical hybrid Azure AD-joined scenario because rebooting the device is postponed. The device is resealed prior to the time when connectivity to a domain controller is expected, and the domain network is contacted when the device is unboxed on-prem by the end-user.
-
-## Preparation
-
-Devices slated for white glove provisioning are registered for Autopilot via the normal registration process.
-
-To be ready to try out Windows Autopilot for white glove deployment, ensure that you can first successfully use existing Windows Autopilot user-driven scenarios:
-
-- User-driven Azure AD join. Devices can be deployed using Windows Autopilot and joined to an Azure Active Directory tenant.
-- User-driven with Hybrid Azure AD join. Devices can be deployed using Windows Autopilot and joined to an on-premises Active Directory domain, then registered with Azure Active Directory to enable the Hybrid Azure AD join features.
-
-If these scenarios cannot be completed, Windows Autopilot for white glove deployment will also not succeed since it builds on top of these scenarios.
-
-To enable white glove deployment, an additional Autopilot profile setting must be configured by the customer or IT Admin via their Intune account, prior to beginning the white glove process in the provisioning service facility:
-
- 
-
-The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. Please make sure not to target both win32 and LOB apps to the same device.
-
-> [!NOTE]
-> The white glove technician phase will install all device-targeted apps as well as any user-targeted, device-context apps that are targeted to the assigned user. If there is no assigned user, then it will only install the device-targeted apps. Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
-
-## Scenarios
-
-Windows Autopilot for white glove deployment supports two distinct scenarios:
-- User-driven deployments with Azure AD Join. The device will be joined to an Azure AD tenant.
-- User-driven deployments with Hybrid Azure AD Join. The device will be joined to an on-premises Active Directory domain, and separately registered with Azure AD.
-Each of these scenarios consists of two parts, a technician flow and a user flow. At a high level, these parts are the same for Azure AD Join and Hybrid Azure AD join; differences are primarily seen by the end user in the authentication steps.
-
-### Technician flow
-
-After the customer or IT Admin has targeted all the apps and settings they want for their devices through Intune, the white glove technician can begin the white glove process. The technician could be a member of the IT staff, a services partner, or an OEM – each organization can decide who should perform these activities. Regardless of the scenario, the process to be performed by the technician is the same:
-- Boot the device (running Windows 10 Pro, Enterprise, or Education SKUs, version 1903 or later).
-- From the first OOBE screen (which could be a language selection or locale selection screen), do not click **Next**. Instead, press the Windows key five times to view an additional options dialog. From that screen, choose the **Windows Autopilot provisioning** option and then click **Continue**.
-
- 
-
-- On the **Windows Autopilot Configuration** screen, information will be displayed about the device:
- - The Autopilot profile assigned to the device.
- - The organization name for the device.
- - The user assigned to the device (if there is one).
- - A QR code containing a unique identifier for the device, useful to look up the device in Intune to make any configuration changes needed (e.g. assigning a user, adding the device to any additional groups needed for app or policy targeting).
- - **Note**: The QR codes can be scanned using a companion app, which will also configure the device to specify who it belongs to. An [open-source sample of the companion app](https://github.com/Microsoft/WindowsAutopilotCompanion) that integrates with Intune via the Graph API has been published to GitHub by the Autopilot team.
-- Validate the information displayed. If any changes are needed, make these and then click **Refresh** to re-download the updated Autopilot profile details.
-
- 
-
-- Click **Provision** to begin the provisioning process.
-
-If the pre-provisioning process completes successfully:
-- A green status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
- 
-- Click **Reseal** to shut the device down. At that point, the device can be shipped to the end user.
-
->[!NOTE]
->Technician Flow inherits behavior from [Self-Deploying Mode](self-deploying.md). Per the Self-Deploying Mode documentation, it leverages the Enrollment Status Page to hold the device in a provisioning state and prevent the user from proceeding to the desktop after enrollment but before software and configuration is done applying. As such, if Enrollment Status Page is disabled, the reseal button may appear before software and configuration is done applying letting you proceed to the user flow before technician flow provisioning is complete. The green screen validates that enrollment was successful, not that the technician flow is necessarily complete.
-
-If the pre-provisioning process fails:
-- A red status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
-- Diagnostic logs can be gathered from the device, and then it can be reset to start the process over again.
-
-### User flow
-
-If the pre-provisioning process completed successfully and the device was resealed, it can be delivered to the end user to complete the normal Windows Autopilot user-driven process. They will perform a standard set of steps:
-
-- Power on the device.
-- Select the appropriate language, locale, and keyboard layout.
-- Connect to a network (if using Wi-Fi). Internet access is always required. If using Hybrid Azure AD Join, there must also be connectivity to a domain controller.
-- On the branded sign-on screen, enter the user’s Azure Active Directory credentials.
-- If using Hybrid Azure AD Join, the device will reboot; after the reboot, enter the user’s Active Directory credentials.
-- Additional policies and apps will be delivered to the device, as tracked by the Enrollment Status Page (ESP). Once complete, the user will be able to access the desktop.
-
-## Related topics
-
-[White glove video](https://youtu.be/nE5XSOBV0rI)
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
deleted file mode 100644
index c8f3eba453..0000000000
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ /dev/null
@@ -1,146 +0,0 @@
----
-title: Windows Autopilot requirements
-ms.reviewer:
-manager: laurawi
-description: See the requirements you need to run Windows Autopilot in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, Autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
-ms.custom:
-- CI 116757
-- CSSTroubleshooting
----
-
-
-# Windows Autopilot requirements
-
-**Applies to: Windows 10**
-
-Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met.
-
-> [!NOTE]
-> For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsAutopilot).
-
-## Software requirements
-
-- A [supported version](https://docs.microsoft.com/windows/release-information/) of Windows 10 Semi-Annual Channel is required. Windows 10 Enterprise 2019 long-term servicing channel (LTSC) is also supported.
-- The following editions are supported:
- - Windows 10 Pro
- - Windows 10 Pro Education
- - Windows 10 Pro for Workstations
- - Windows 10 Enterprise
- - Windows 10 Education
- - Windows 10 Enterprise 2019 LTSC
-
->[!NOTE]
->Procedures for deploying Windows Autopilot might refer to specific products and versions. The inclusion of these products in this content doesn't imply an extension of support for a version that is beyond its support lifecycle. Windows Autopilot does not support products that are beyond their support lifecycle. For more information, see [Microsoft Lifecycle Policy](https://go.microsoft.com/fwlink/p/?LinkId=208270).
-
-## Networking requirements
-
-Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
-
-- Ensure DNS name resolution for internet DNS names.
-- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP).
-
-In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to allow access to the required services.
-
-> [!NOTE]
-> Smart card and certificate based authentication are not supported during OOBE. For more information, see [Smartcards and certificate-based authentication](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan#smartcards-and-certificate-based-authentication).
-
-For additional details about each of these services and their specific requirements, review the following details:
-
-
Service
Information
-
Windows Autopilot Deployment Service
After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 version 1903 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com.
-
-
User credentials are validated by Azure Active Directory, and the device can also be joined to Azure Active Directory. See Office 365 IP Address and URL Web service for more information.
-
Intune
Once authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: Intune network configuration requirements and bandwidth.
-
Windows Update
During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see How to solve connection problems concerning Windows Update or Microsoft Update.
-
-If Windows Update is inaccessible, the Autopilot process will still continue but critical updates will not be available.
-
-
Delivery Optimization
When downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
-
-If the Delivery Optimization Service is inaccessible, the Autopilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer).
-
-
Network Time Protocol (NTP) Sync
When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible.
-
Domain Name Services (DNS)
To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP. This DNS server must be able to resolve internet names.
-
Diagnostics data
Starting in Windows 10, 1903, diagnostic data collection will be enabled by default. To disable Windows Analytics and related diagnostics capabilities, see Manage enterprise diagnostic data level.
-
-If diagnostic data cannot be sent, the Autopilot process will still continue, but services that depend on diagnostic data, such as Windows Analytics, will not work.
-
This service is used to enable Windows to receive notifications from apps and services. See Microsoft Store for more information.
-
-If the WNS services are not available, the Autopilot process will still continue without notifications.
-
Microsoft Store, Microsoft Store for Business
Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM). App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
-
-If the Microsoft Store is not accessible, the Autopilot process will still continue without Microsoft Store apps.
-
-
Office 365
As part of the Intune device configuration, installation of Microsoft 365 Apps for enterprise may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above).
-
The device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode
-
Autopilot Self-Deploying mode and Autopilot White Glove
Firmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See TPM recommendations for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested:
-
- Intel- https://ekop.intel.com/ekcertservice
- Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1
- AMD- https://ftpm.amd.com/pki/aia
- Infineon- https://pki.infineon.com
-
-
-## Licensing requirements
-
-Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs.
-
-To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required:
-- [Microsoft 365 Business Premium subscription](https://www.microsoft.com/microsoft-365/business).
-- [Microsoft 365 F1 or F3 subscription](https://www.microsoft.com/microsoft-365/enterprise/firstline).
-- [Microsoft 365 Academic A1, A3, or A5 subscription](https://www.microsoft.com/education/buy-license/microsoft365/default.aspx).
-- [Microsoft 365 Enterprise E3 or E5 subscription](https://www.microsoft.com/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
-- [Enterprise Mobility + Security E3 or E5 subscription](https://www.microsoft.com/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features.
-- [Intune for Education subscription](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
-- [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/cloud-platform/microsoft-intune) (or an alternative MDM service).
-
-> [!NOTE]
-> Even when using Microsoft 365 subscriptions, you still need to [assign Intune licenses to the users](https://docs.microsoft.com/intune/fundamentals/licenses-assign).
-
-Additionally, the following are also recommended (but not required):
-- [Microsoft 365 Apps for enterprise](https://www.microsoft.com/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services).
-- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise.
-
-## Configuration requirements
-
-Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios.
-
-- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services.
-- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties).
-- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise.
-
-Specific scenarios will then have additional requirements. Generally, there are two specific tasks:
-
-- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details.
-- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-Autopilot#create-an-Autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-Autopilot#assign-an-Autopilot-deployment-profile-to-a-device-group) for more information.
-
-See [Windows Autopilot Scenarios](windows-Autopilot-scenarios.md) for additional details.
-
-For a walkthrough for some of these and related steps, see this video:
-
-
-
-
-
-There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications).
-
-## Related topics
-
-[Configure Autopilot deployment](https://docs.microsoft.com/windows/deployment/windows-Autopilot/)
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
deleted file mode 100644
index 8510d7574e..0000000000
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md
+++ /dev/null
@@ -1,138 +0,0 @@
----
-title: Windows Autopilot Reset
-description: Windows Autopilot Reset takes the device back to a business-ready state, allowing the next user to sign in and get productive quickly and easily.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot Reset
-
-- Applies to: Windows 10, version 1709 and later (local reset)
-- Applies to: Windows 10, version 1809 and later (remote reset)
-
-Windows Autopilot Reset removes personal files, apps, and settings and reapplies a device’s original settings, maintaining its identity connection to Azure AD and its management connection to Intune so that the device is once again ready for use. Windows Autopilot Reset takes the device back to a business-ready state, allowing the next user to sign in and get productive quickly and simply.
-
-The Windows Autopilot Reset process automatically retains information from the existing device:
-
-- Set the region, language, and keyboard to the originally-configured values.
-- Wi-Fi connection details.
-- Provisioning packages previously applied to the device, as well as a provisioning package present on a USB drive when the reset process is initiated.
-- Azure Active Directory device membership and MDM enrollment information.
-
-Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed.
-When Autopilot reset is used on a device, the device's primary user will be removed. The next user who signs in after the reset will be set as the primary user.
-
-
->[!NOTE]
->The Autopilot Reset does not support Hybrid Azure AD joined devices.
-
-## Scenarios
-
-Windows Autopilot Reset supports two scenarios:
-
-- [Local reset](#reset-devices-with-local-windows-autopilot-reset) initiated by IT personnel or other administrators from the organization.
-- [Remote reset](#reset-devices-with-remote-windows-autopilot-reset) initiated remotely by IT personnel via an MDM service such as Microsoft Intune.
-
-Additional requirements and configuration details apply with each scenario; see the detailed links above for more information.
-
-## Reset devices with local Windows Autopilot Reset
-
-**Applies to: Windows 10, version 1709 and above**
-
-The Intune Service Administrator role is required to perform this task. For more information, see [Add users and grant administrative permission to Intune](https://docs.microsoft.com/intune/users-add).
-
-IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state.
-
-To enable local Autopilot Reset in Windows 10:
-
-1. [Enable the policy for the feature](#enable-local-windows-autopilot-reset)
-2. [Trigger a reset for each device](#trigger-local-windows-autopilot-reset)
-
-### Enable local Windows Autopilot Reset
-
-To enable a local Windows Autopilot Reset, the **DisableAutomaticReDeploymentCredentials** policy must be configured. This policy is documented in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, local Windows Autopilot is disabled. This ensures that a local Autopilot Reset is not triggered by accident.
-
-You can set the policy using one of these methods:
-
-- MDM provider
-
- - When using Intune, you can create a new device configuration profile, specifying "Windows 10 or later" for the platform, "Device restrictions" for the profile type, and "General" for the settings category. The **Automatic Redeployment** setting should be set to **Allow**. Deploy this setting to all devices where a local reset should be permitted.
- - If you're using an MDM provider other than Intune, check your MDM provider documentation on how to set this policy.
-
-- Windows Configuration Designer
-
- You can [use Windows Configuration Designer](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting to 0 and then create a provisioning package.
-
-- Set up School PCs app
-
- The latest release of the Set up School PCs app supports enabling local Windows Autopilot Reset.
-
-### Trigger local Windows Autopilot Reset
-
-Performing a local Windows Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it is done, the device is again ready for use.
-
-**To trigger a local Autopilot Reset**
-
-1. From the Windows device lock screen, enter the keystroke: **CTRL +  + R**.
-
- 
-
- This will open up a custom login screen for the local Autopilot Reset. The screen serves two purposes:
- 1. Confirm/verify that the end user has the right to trigger Local Autopilot Reset
- 2. Notify the user in case a provisioning package, created using Windows Configuration Designer, will be used as part of the process.
-
- 
-
-2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger the local Autopilot Reset.
-
- Once the local Autopilot Reset is triggered, the reset process starts. Once provisioning is complete, the device is again ready for use.
-
-## Reset devices with remote Windows Autopilot Reset
-
-**Applies to: Windows 10, version 1809 or later**
-
-When performing a remote Windows Autopilot Reset, an MDM service such an Microsoft Intune can be used to initiate the reset process, avoiding the need for IT staff or other administrators to visit each machine to initiate the process.
-
-To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed and joined to Azure AD. This feature is not supported on devices that were enrolled using [Autopilot self deploying mode](self-deploying.md).
-
-### Triggering a remote Windows Autopilot Reset
-
-To trigger a remote Windows Autopilot Reset via Intune, follow these steps:
-
-- Navigate to **Devices** tab in the Intune console.
-- In the **All devices** view, select the targeted reset devices and then click **More** to view device actions.
-- Select **Autopilot Reset** to kick-off the reset task.
-
->[!NOTE]
->The Autopilot Reset option will only be enabled in Microsoft Intune for devices running Windows 10 build 17672 or higher.
-
->[!IMPORTANT]
->The feature for Autopilot Reset will stay grayed out, **unless** you reset the device using Autopilot (either using Fresh Reset or manually sysprep the device).
-
-Once the reset is complete, the device is again ready for use.
-
-
-
-## Troubleshooting
-
-Windows Autopilot Reset requires that the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is correctly configured and enabled on the device. If it is not configured and enabled, an error such as `Error code: ERROR_NOT_SUPPORTED (0x80070032)` will be reported.
-
-To make sure WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command:
-
-```
-reagentc /enable
-```
-
-If Windows Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance.
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
deleted file mode 100644
index ab95bacbee..0000000000
--- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Windows Autopilot scenarios and capabilities
-description: Follow along with several typical Windows Autopilot deployment scenarios, such as re-deploying a device in a business-ready state.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot scenarios and capabilities
-
-**Applies to: Windows 10**
-
-## Scenarios
-
-Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management).
-
-The following Windows Autopilot scenarios are described in this guide:
-
-| Scenario | More information |
-| --- | --- |
-| Deploy devices that will be set up by a member of the organization and configured for that person | [Windows Autopilot user-driven mode](user-driven.md) |
-| Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.| [Windows Autopilot self-deploying mode](self-deploying.md) |
-| Re-deploy a device in a business-ready state.| [Windows Autopilot Reset](windows-autopilot-reset.md) |
-| Pre-provision a device with up-to-date applications, policies and settings.| [White glove](white-glove.md) |
-| Deploy Windows 10 on an existing Windows 7 or 8.1 device | [Windows Autopilot for existing devices](existing-devices.md) |
-
-## Windows Autopilot capabilities
-
-### Windows Autopilot is self-updating during OOBE
-
-Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly. Windows will alert the user that the device is checking for, downloading and installing the updates.
-
-See [Windows Autopilot update](autopilot-update.md) for more information.
-
-### Cortana voiceover and speech recognition during OOBE
-
-In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs.
-
-If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default.
-
-HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions
-
-The key value is a DWORD with **0** = disabled and **1** = enabled.
-
-| Value | Description |
-| --- | --- |
-| 0 | Cortana voiceover is disabled |
-| 1 | Cortana voiceover is enabled |
-| No value | Device will fall back to default behavior of the edition |
-
-To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce).
-
-### Bitlocker encryption
-
-With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md)
-
-## Related topics
-
-[Windows Autopilot: What's new](windows-autopilot-whats-new.md)
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
deleted file mode 100644
index 8d69cc5d75..0000000000
--- a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: Windows Autopilot what's new
-ms.reviewer:
-manager: laurawi
-description: Read news and resources about the latest updates and past versions of Windows Autopilot.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot: What's new
-
-**Applies to**
-
-- Windows 10
-
-## Windows Autopilot update history
-
-The following [Windows Autopilot updates](autopilot-update.md) are available. **Note**: Updates are automatically downloaded and applied during the Windows Autopilot deployment process.
-
-No updates are available yet. Check back here later for more information.
-
-## New in Windows 10, version 2004
-
-With this release, you can configure Windows Autopilot [user-driven](user-driven.md) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
-
-If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles.
-
-## New in Windows 10, version 1903
-
-[Windows Autopilot for white glove deployment](white-glove.md) is new in Windows 10, version 1903. See the following video:
-
-
-
-> [!VIDEO https://www.youtube.com/embed/nE5XSOBV0rI]
-
-Also new in this version of Windows:
-- The Intune enrollment status page (ESP) now tracks Intune Management Extensions.
-- [Cortana voiceover and speech recognition during OOBE](windows-autopilot-scenarios.md#cortana-voiceover-and-speech-recognition-during-oobe) is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
-- [Windows Autopilot is self-updating during OOBE](windows-autopilot-scenarios.md#windows-autopilot-is-self-updating-during-oobe). Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the diagnostics data level to Full on Windows 10 version 1903 and later during OOBE.
-
-## New in Windows 10, version 1809
-
-Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured by Windows Autopilot. This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process.
-
-You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
-
->[!NOTE]
->Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
-
-## Related topics
-
-[What's new in Microsoft Intune](https://docs.microsoft.com/intune/whats-new)
-[What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/)
diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md
deleted file mode 100644
index a24ff772a4..0000000000
--- a/windows/deployment/windows-autopilot/windows-autopilot.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Overview of Windows Autopilot
-description: Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Overview of Windows Autopilot
-
-**Applies to**
-
-- Windows 10
-
-Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices. This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.
-
-Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. See the following diagram:
-
- 
-
-When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images and drivers for every model of device being used. Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features.
-
-Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, Microsoft Endpoint Configuration Manager, and other similar tools. Windows Autopilot can also be used to re-purpose a device by leveraging Windows Autopilot Reset to quickly prepare a device for a new user, or in break/fix scenarios to enable a device to quickly be brought back to a business-ready state.
-
-Windows Autopilot enables you to:
-* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
-* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription for configuration*](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Windows-10-Azure-AD-and-Microsoft-Intune-Automatic-MDM/ba-p/244067)).
-* Restrict the Administrator account creation.
-* Create and auto-assign devices to configuration groups based on a device's profile.
-* Customize OOBE content specific to the organization.
-
-## Windows Autopilot walkthrough
-
-The following video shows the process of setting up Windows Autopilot:
-
-
-
-
-
-## Benefits of Windows Autopilot
-
-Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach.
-
-From the user's perspective, it only takes a few simple operations to make their device ready to use.
-
-From the IT pro's perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything beyond that is automated.
-
-## Requirements
-
-A [supported version](https://docs.microsoft.com/windows/release-information/) of Windows 10 semi-annual channel is required to use Windows Autopilot. Windows 10 Enterprise LTSC 2019 is also supported. See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on software, configuration, network, and licensing requirements.
-
-## Related topics
-
-[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot)
-[Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md)
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index a9089d86bc..91aaa460e8 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -5,13 +5,13 @@ ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/hub/windows-10.yml b/windows/hub/windows-10.yml
index c4bba2a64d..822259efbd 100644
--- a/windows/hub/windows-10.yml
+++ b/windows/hub/windows-10.yml
@@ -3,7 +3,6 @@
documentType: LandingData
title: Windows 10
metadata:
- document_id:
title: Windows 10
description: Find tools, step-by-step guides, and other resources to help you deploy and support Windows 10 in your organization.
keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md
deleted file mode 100644
index fe73e90c9e..0000000000
--- a/windows/privacy/TOC.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# [Privacy](index.yml)
-## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
-## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md)
-## [Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals](Windows-10-and-privacy-compliance.md)
-## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md)
-## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
-## Diagnostic Data Viewer
-### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
-### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md)
-## Basic level Windows diagnostic data events and fields
-### [Windows 10, version 2004 required Windows diagnostic data events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
-### [Windows 10, version 1903 and Windows 10, version 1909 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
-### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
-### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
-### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
-### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
-## Enhanced level Windows diagnostic data events and fields
-### [Windows 10 diagnostic data events and fields collected through the limit enhanced diagnostic data policy](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
-## Full level categories
-### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md)
-### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
-## Manage Windows 10 connection endpoints
-### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-### [Manage connections from Windows operating system components to Microsoft services using MDM](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md)
-### [Connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
-### [Connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
-### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
-### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
-### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
-### [Connection endpoints for non-Enterprise editions of Windows 10, version 2004](windows-endpoints-2004-non-enterprise-editions.md)
-### [Connection endpoints for non-Enterprise editions of Windows 10, version 1903](windows-endpoints-1903-non-enterprise-editions.md)
-### [Connection endpoints for non-Enterprise editions of Windows 10, version 1809](windows-endpoints-1809-non-enterprise-editions.md)
-### [Connection endpoints for non-Enterprise editions of Windows 10, version 1803](windows-endpoints-1803-non-enterprise-editions.md)
-### [Connection endpoints for non-Enterprise editions of Windows 10, version 1709](windows-endpoints-1709-non-enterprise-editions.md)
-
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
new file mode 100644
index 0000000000..61f9a5cf61
--- /dev/null
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -0,0 +1,91 @@
+---
+title: Changes to Windows diagnostic data collection
+description: This article provides information on changes to Windows diagnostic data collection Windows 10.
+keywords: privacy, diagnostic data
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+audience: ITPro
+ms.author: daniha
+author: DaniHalfin
+manager: dansimp
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 07/21/2020
+---
+
+# Changes to Windows diagnostic data collection
+
+**Applies to**
+- Windows 10, version 1903 and newer
+- The next version of Windows Server
+
+Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we are moving our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this will provide our customers with a simpler experience – information should be easier to find, easier to understand, and easier to act upon through the tools we provide.
+
+This topic is meant for IT administrators and explains the changes Windows is making to align to the new data collection taxonomy. These changes are focused in two areas:
+
+- [Taxonomy changes](#taxonomy-changes)
+- [Behavioral changes](#behaviorial-changes)
+
+> [!NOTE]
+> You can test the behavioral changes now in Windows 10 Insider Preview build 19577 and later.
+
+## Summary of changes
+
+In Windows 10, version 1903 and newer, you will see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. These changes are explained in the section named **Taxonomy** changes.
+
+Additionally, in an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. We’re also clarifying the Security diagnostic data level to more accurately reflect its behavior by changing it to **Diagnostic data off**. All of these changes are explained in the section named **Behavioral changes**.
+
+## Taxonomy changes
+
+Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience** (OOBE) and the **Diagnostics & feedback** privacy setting pages will reflect the following changes:
+
+- The **Basic** diagnostic data level is being labeled as **Required**.
+- The **Full** diagnostic data level is being labeled as **Optional**.
+
+> [!IMPORTANT]
+> No action is required for the taxonomy changes, and your existing settings will be maintained as part of this update.
+
+## Behaviorial changes
+
+In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be migrated to the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see the section named, **Services that rely on Enhanced diagnostic data**, later in this topic. Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see the section named **Configure a Windows 10 device to limit crash dumps and logs**. For more information on services that rely on Enhanced diagnostic data, see **Services that rely on Enhanced diagnostic data**.
+
+Additionally, you will see the following policy changes in an upcoming release of Windows 10:
+
+| Policy type | Current policy | Renamed policy |
+| --- | --- | --- |
+| Group Policy | Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow Telemetry**
**0 - Security**
**1 - Basic**
**2 - Enhanced**
**3 - Full**
| Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow Diagnostic Data**
**Diagnostic data off (not recommended)**
**Send required diagnostic data**
**Send optional diagnostic data**
|
+| Group Policy |Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Configure telemetry opt-in settings user interface**| Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Configure diagnostic data opt-in settings user interface** |
+| Group Policy |Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Configure telemetry opt-in change notifications**| Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Configure diagnostic data opt-in change notifications** |
+
+A final set of changes includes two new policies that can help you fine-tune diagnostic data collection within your organization. These policies let you limit the amount of optional diagnostic data that’s sent back to Microsoft.
+
+- The **Limit dump collection** policy is a new policy that can be used to limit the types of [crash dumps](https://docs.microsoft.com/windows/win32/dxtecharts/crash-dump-analysis) that can be sent back to Microsoft. If this policy is enabled, Windows Error Reporting will send only kernel mini dumps and user mode triage dumps.
+ - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Dump Collection**
+ - MDM policy: System/ LimitDiagnosticLogCollection
+- The **Limit diagnostic log collection** policy is another new policy that limits the number of diagnostic logs that are sent back to Microsoft. If this policy is enabled, diagnostic logs are not sent back to Microsoft.
+ - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Diagnostic Log Collection**
+ - MDM policy: System/LimitDumpCollection
+
+>[!Important]
+>All of the changes mentioned in this section will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier.
+
+## Configure a Windows 10 device to limit crash dumps and logs
+
+With the Enhanced diagnostic data level being split out into new policies, we're providing additional controls to manage what types of crash dumps are collected and whether to send additional diagnostic logs. Here are some steps on how to configure them:
+
+1. Choose to send optional diagnostic data by setting one of the following policies:
+ - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow Diagnostic Data**. Set the policy value to **Send optional diagnostic data**.
+ - MDM: System/AllowTelemetry. Set the policy value to **3**.
+2. Enable the following Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Dump Collection**
+3. Enable the following Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Diagnostic Log Collection**
+
+## Services that rely on Enhanced diagnostic data
+
+Customers who use services that depend on Windows diagnostic data, such as Microsoft Managed Desktop or Desktop Analytics, may be impacted by the behavioral changes when they are released. These services will be updated to address these changes and guidance will be published on how to configure them properly.
+
+The following provides information on the current configurations:
+- [Microsoft Managed Desktop](https://aka.ms/mmd-diagnostic-data-level)
+- [Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview)
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 518fe19374..332e9f1796 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -13,433 +13,203 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 04/29/2019
+ms.date: 07/21/2020
---
# Configure Windows diagnostic data in your organization
**Applies to**
-- Windows 10 Enterprise
-- Windows 10 Mobile
-- Windows Server
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows Server 2016 and newer
-This article applies to Windows and Windows Server diagnostic data only. It describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
+This article applies to Windows 10, Windows Server, Surface Hub, and Hololens diagnostic data only. It describes the types of diagnostic data that’s sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers.
-Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. Microsoft uses diagnostic data to keep Windows secure and up to date, troubleshoot problems, and make product improvements.
+>[!IMPORTANT]
+>Microsoft is [increasing transparency](https://blogs.microsoft.com/on-the-issues/2019/04/30/increasing-transparency-and-customer-control-over-data/) by categorizing the data we collect as required or optional. Windows 10 is in the process of updating devices to reflect this new categorization, and during this transition Basic diagnostic data will be recategorized as Required diagnostic data and Full diagnostic data will be recategorized as Optional diagnostic data. For more information, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md).
-We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
+## Overview
-## Overview of Windows diagnostic data
+Microsoft collects Windows diagnostic data to solve problems and to keep Windows up to date, secure, and operating properly. It also helps us improve Windows and related Microsoft products and services and, for customers who have turned on the **Tailored experiences** setting, to provide more relevant tips and recommendations to enhance Microsoft and third-party products and services for the customer’s needs.
-At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how.
-
-To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways:
-
-- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
-- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
-- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection.
-- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
-- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
-- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
-
-In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.
-
-For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
-
-## Understanding Windows diagnostic data
-
-Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
-
-The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts.
-
-### What is Windows diagnostic data?
-
-Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
-
-- Keep Windows up to date
-- Keep Windows secure, reliable, and performant
-- Improve Windows – through the aggregate analysis of the use of Windows
-- Personalize Windows engagement surfaces
-
-Here are some specific examples of Windows diagnostic data:
-
-- Type of hardware being used
-- Applications installed and usage details
-- Reliability information on device drivers
-
-### What is NOT diagnostic data?
-
-Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request.
-
-There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash).
-On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
-
-If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services/).
-
-The following are specific examples of functional data:
-
-- Current location for weather
-- Bing searches
-- Wallpaper and desktop settings synced across multiple devices
+For more information about how Windows diagnostic data is used, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
### Diagnostic data gives users a voice
-Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
+Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behaves in the real world, focus on user priorities, and make informed decisions that benefit both consumer and enterprise customers. The following sections offer real examples of these benefits.
-### Improve app and driver quality
+### _Improve app and driver quality_
-Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
+Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers used on Windows. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
-#### Real-world example of how Windows diagnostic data helps
+For example, in an earlier version of Windows 10 there was a version of a video driver that was crashing on some devices, causing the device to restart. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
-There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
+### _Improve end-user productivity_
-### Improve end-user productivity
-
-Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
+Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.
- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
-- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
-
-**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
-
-### Insights into your own organization
-
-Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better. Microsoft provides a set of solutions that leverage information shared by customers to provide insights customized for your internal use. The first of these was [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), followed by [Desktop Analytics](https://aka.ms/DADocs). Both help organizations with [Windows as a Service](/windows/deployment/update/wass-overview) adoption and potential compatibility challenges. For E5 customers, [Microsoft Defender Advanced Threat Protection](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
+- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between apps. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
## How Microsoft handles diagnostic data
-The diagnostic data is categorized into four levels:
-
-- [**Security**](#security-level). Information that’s required to help keep Windows and Windows Server secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
-
-- [**Basic**](#basic-level). Basic device info, including: quality-related data, app compatibility, and data from the **Security** level.
-
-- [**Enhanced**](#enhanced-level). Additional insights, including: how Windows, Windows Server, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
-
-- [**Full**](#full-level). Includes information about the websites you browse, how you use apps and features, plus additional information about device health, device activity (sometimes referred to as usage), and enhanced error reporting. At Full, Microsoft also collects the memory state of your device when a system or app crash occurs. It includes data from the **Security**, **Basic**, and **Enhanced** levels.
-
-Diagnostic data levels are cumulative, meaning each subsequent level includes data collected through lower levels. For more information see the [Diagnostic data levels](#diagnostic-data-levels) section.
+Use the following sections to learn more about how Microsoft handles diagnostic data.
### Data collection
-Windows 10 and Windows Server includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
+Depending on the diagnostic data settings on the device, diagnostic data can be collected via the following methods:
+ - Small payloads of structured information referred to as diagnostic data events, managed by the Connected User Experiences and Telemetry component.
+ - Diagnostic logs for additional troubleshooting, also managed by the Connected User Experience and Telemetry component.
+ - Crash reporting and crash dumps, managed by [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting).
-1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
-1. Events are gathered using public operating system event logging and tracing APIs.
-1. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
-1. The Connected User Experiences and Telemetry component transmits the diagnostic data.
-
-Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
+Later in this document we provide further details about how to control what’s collected and what data can be included in these different types of diagnostic data.
### Data transmission
-All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
-
-The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day.
+All diagnostic data is encrypted using TLS and uses certificate pinning during transfer from the device to the Microsoft data management services.
### Endpoints
-The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
+The following table lists the endpoints related to how you can manage the collection and control of diagnostic data. For more information around the endpoints that are used to send data back to Microsoft, see [Manage connection endpoints for Windows 10 Enterprise, version 1903](manage-windows-1903-endpoints.md).
-Solutions like Desktop Analytics or Microsoft Defender Advanced Threat Protection need Windows devices to reach diagnostics endpoints which enable organizations to leverage solutions based on diagnostics data. These solutions leverage Windows components like the Connected User Experiences and Telemetry service, Windows Defender Advanced Threat Protection service, Windows Error Reporting, and Online Crash Analysis.
-
-For a complete list of diagnostics endpoints leveraged by Desktop Analytics, see [Enable data sharing for Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/enable-data-sharing).
-For a complete list of diagnostics endpoints leveraged by Microsoft Defender Advanced Threat Protection, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
-
-The following table defines the endpoints for Connected User Experiences and Telemetry component:
-
-| Windows release | Endpoint |
+| Windows service | Endpoint |
| - | - |
-| Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed | **Diagnostics data:** v10c.vortex-win.data.microsoft.com**Functional:** v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country,for example: **de**.vortex-win.data.microsoft.com**Settings:** settings-win.data.microsoft.com |
-| Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | **Diagnostics data:** v10.events.data.microsoft.com**Functional:** v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country,for example: **de**.vortex-win.data.microsoft.com**Settings:** settings-win.data.microsoft.com |
-| Windows 10, version 1709 or earlier | **Diagnostics data:** v10.vortex-win.data.microsoft.com**Functional:** v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country,for example: **de**.vortex-win.data.microsoft.com**Settings:** settings-win.data.microsoft.com |
+|Connected User Experiences and Telemetry | v10.events.data.microsoft.com v10c.events.data.microsoft.com v10.vortex-win.data.microsoft.com |
+| [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com watson.microsoft.com umwatsonc.telemetry.microsoft.com umwatsonc.events.data.microsoft.com *-umwatsonc.events.data.microsoft.com ceuswatcab01.blob.core.windows.net ceuswatcab02.blob.core.windows.net eaus2watcab01.blob.core.windows.net eaus2watcab02.blob.core.windows.net weus2watcab01.blob.core.windows.net weus2watcab02.blob.core.windows.net |
+|Authentication | login.live.com
IMPORTANT: This endpoint is used for device authentication. We do not recommend disabling this endpoint.|
+| [Online Crash Analysis](https://docs.microsoft.com/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com oca.microsoft.com kmwatsonc.telemetry.microsoft.com *-kmwatsonc.telemetry.microsoft.com |
+|Settings | settings-win.data.microsoft.com
IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data |
-The following table defines **additional diagnostics endpoints** not covered by services in the links above:
+### Data access
-| Service | Endpoint |
-| - | - |
-| OneDrive app for Windows 10 | |
-
-The following table defines the endpoints for other diagnostic data services:
-
-| Service | Endpoint |
-| - | - |
-| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
-| | ceuswatcab01.blob.core.windows.net |
-| | ceuswatcab02.blob.core.windows.net |
-| | eaus2watcab01.blob.core.windows.net |
-| | eaus2watcab02.blob.core.windows.net |
-| | weus2watcab01.blob.core.windows.net |
-| | weus2watcab02.blob.core.windows.net |
-| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
-| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
-| Microsoft Defender Advanced Threat Protection | |
-
-### Data use and access
-
-The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
+The principle of least privileged access guides access to Windows diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement). Microsoft may share business reports with hardware manufacturers and third-party partners that include aggregated and deidentified diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
### Retention
-Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history.
+Microsoft believes in and practices data minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. For more information on how long data is retained, see the section named **Our retention of personal data** in the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement).
-## Manage enterprise diagnostic data level
+## Diagnostic data settings
-### Enterprise management
+There are four diagnostic data collection settings. Each setting is described in more detail in the sections that follow.
-Sharing diagnostic data with Microsoft is enabled by default on Windows 10, 1903 and later. Sharing this data provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
+- Diagnostic data off (Security)
+- Required diagnostic data (Basic)
+- Enhanced
+- Optional diagnostic data (Full)
-Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, in **Privacy** > **Diagnostics & feedback**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available.
+Here’s a summary of the types of data that is included with each setting:
-IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this article describes how to use group policy to configure levels and settings interface.
+| | **Diagnostic data off (Security)** | **Required (Basic)** | **Enhanced** |**Optional (Full)**|
+| --- | --- | --- | --- | --- |
+| **Diagnostic data events** | No Windows diagnostic data sent. | Minimum data required to keep the device secure, up to date, and performing as expected. | Additional data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. | Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.|
+| **Crash Metadata** | N/A | Yes | Yes | Yes |
+| **Crash Dumps** | N/A | No | Triage dumps only For more information about crash dumps, see [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting). | Full memory dumps For more information about crash dumps, see [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting). |
+| **Diagnostic logs** | N/A | No | No | Yes |
+| **Data collection** | N/A | 100% | Sampling applies | Sampling applies |
-#### Manage your diagnostic data settings
-Use the steps in this article to set and/or adjust the diagnostic data settings for Windows and Windows Server in your organization.
+### Diagnostic data off
-> [!IMPORTANT]
-> These diagnostic data levels only apply to Windows and Windows Server components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Microsoft 365 Apps for enterprise](/deployoffice/privacy/overview-privacy-controls).
+This setting was previously labeled as **Security**. When you configure this setting, no Windows diagnostic data is sent from your device. This is only available on Windows Server, Windows 10 Enterprise, and Windows 10 Education. If you choose this setting, devices in your organization will still be secure.
-The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server is **Enhanced**.
+>[!NOTE]
+> If your organization relies on Windows Update, the minimum recommended setting is **Required diagnostic data**. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
-### Configure the diagnostic data level
+### Required diagnostic data
-You can configure your device's diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device.
+Required diagnostic data, previously labeled as **Basic**, gathers a limited set of data that’s critical for understanding the device and its configuration. This data helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version.
+
+This is the default setting for Windows 10 Education editions, as well as all desktop editions starting with Windows 10, version 1903.
+
+Required diagnostic data includes:
+
+- Basic device data that helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Servers in the ecosystem. Examples include:
+
+ - Device attributes, such as camera resolution and display type
+ - Battery attributes, such as capacity and type
+ - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
+ - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
+ - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
+ - Operating system attributes, such as Windows edition and virtualization state
+ - Storage attributes, such as number of drives, type, and size
+
+- Quality metrics that helps provide an understanding about how the Connected User Experiences and diagnostic data component is functioning, including % of uploaded events, dropped events, blocked events, and the last upload time.
+
+- Quality-related information that helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and app state change details, such as how much processor time and memory were used, and the total uptime for an app.
+
+- Compatibility data that helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
+
+- System data that helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
+
+- A list of accessory device data, such as printers or external storage devices, that are connected to Windows devices and whether these devices will function after upgrading to a new version of the operating system.
+
+- Driver data that includes specific driver activity that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
+
+- Information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses.
+
+### Enhanced diagnostic data
+
+>[!NOTE]
+>We’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. making changes to the enhanced diagnostic data level. For more info about this change, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md).
+
+Enhanced diagnostic data includes data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. When you choose to send enhanced diagnostic data, required diagnostic data will always be included, and we collect the following additional information:
+ - Operating system events that help to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
+ - Operating system app events resulting from Microsoft apps and management tools that were downloaded from the Microsoft Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
+ - Device-specific events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
+ - All crash dump types, except for heap dumps and full dumps. For more information about crash dumps, see [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting).
+
+ ### Optional diagnostic data
+
+Optional diagnostic data, previously labeled as **Full**, includes more detailed information about your device and its settings, capabilities, and device health. Optional diagnostic data also includes data about the websites you browse, device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. When you choose to send optional diagnostic data, required diagnostic data will always be included, and we collect the following additional information:
+
+ - Additional data about the device, connectivity, and configuration, beyond that collected under required diagnostic data.
+ - Status and logging information about the health of operating system and other system components beyond what is collected under required diagnostic data.
+ - App activity, such as which programs are launched on a device, how long they run, and how quickly they respond to input.
+ - Browser activity, including browsing history and search terms, in Microsoft browsers (Microsoft Edge or Internet Explorer).
+ - Enhanced error reporting, including the memory state of the device when a system or app crash occurs (which may unintentionally contain user content, such as parts of a file you were using when the problem occurred). Crash data is never used for Tailored experiences.
+
+>[!Note]
+>Crash dumps collected in optional diagnostic data may unintentionally contain personal data, such as portions of memory from a document and a web page. For more information about crash dumps, see [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting).
+
+## Manage enterprise diagnostic data
+
+Use the steps in this section to configure the diagnostic data settings for Windows and Windows Server in your organization.
+
+>[!IMPORTANT]
+>These diagnostic data settings only apply to components, features, and apps that are considered a part of the Windows operating system. Third-party apps and other Microsoft apps, such as Microsoft Office, that customers install may also collect and send diagnostic data using their own controls. You should work with your app vendors to understand their diagnostic data policy, and how you can opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Microsoft 365 Apps for enterprise](https://docs.microsoft.com/deployoffice/privacy/overview-privacy-controls). If you would like to control Windows data collection that is not Windows diagnostic data, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+
+You can configure your device's diagnostic data settings using the management tools you’re already using, such as Group Policy or MDM.
Use the appropriate value in the table below when you configure the management policy.
-| Level | Value |
+| Category | Value |
| - | - |
-| Security | **0** |
-| Basic | **1** |
-| Enhanced | **2** |
-| Full | **3** |
+|Diagnostic data off (Security) | 0 |
+| Required (Basic) | 1 |
+| Enhanced | 2 |
+|Optional (Full) | 3 |
- > [!NOTE]
- > When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
+>[!Note]
+>When both the Computer Configuration policy and User Configuration policies are set, the more restrictive policy is used.
-### Use Group Policy to set the diagnostic data level
+### Use Group Policy to manage diagnostic data collection
-Use a Group Policy object to set your organization’s diagnostic data level.
+You can use Group Policy to set your organization’s diagnostic data setting:
-1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
+ 1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
+ 2. Double-click **Allow Telemetry**.
-1. Double-click **Allow Telemetry**.
+>[!NOTE]
+> If devices in your organization are running Windows 10, 1803 and newer, the user can still use Settings to set the diagnostic data setting to a more restrictive value, unless the **Configure diagnostic data opt-in settings user interface** policy is set.
-1. In the **Options** box, select the level that you want to configure, and then click **OK**.
+ 3. In the **Options** box, choose the setting that you want to configure, and then click **OK**.
-### Use MDM to set the diagnostic data level
+### Use MDM to manage diagnostic data collection
-Use the [Policy Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) to apply the System/AllowTelemetry MDM policy.
+Use [Policy Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) to apply the System/AllowTelemetry MDM policy.
-### Use Registry Editor to set the diagnostic data level
+## Limit optional diagnostic data for Desktop Analytics
-Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
-
-1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**.
-
-1. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
-
-1. Type **AllowTelemetry**, and then press ENTER.
-
-1. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
-
-1. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
-
-### Additional diagnostic data controls
-
-There are a few more settings that you can turn off that may send diagnostic data information:
-
-- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/index/).
-
-- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
-
-- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
-
-- Turn off **Improve inking and typing** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
-
- > [!NOTE]
- > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
-
-## Diagnostic data levels
-
-These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server.
-
-### Security level
-
-The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
-
-> [!NOTE]
-> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
-
-Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.
-
-The data gathered at this level includes:
-
-- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
-
-- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
-
- > [!NOTE]
- > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
-
-- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
-
- > [!NOTE]
- > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
-
- Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, Microsoft Endpoint Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
-
-For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
-
-No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
-
-### Basic level
-
-The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent.
-
-This is the default level for Windows 10 Education editions, as well as all desktop editions starting with Windows 10, version 1903.
-
-The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
-
-The data gathered at this level includes:
-
-- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Servers in the ecosystem. Examples include:
-
- - Device attributes, such as camera resolution and display type
- - Internet Explorer version
- - Battery attributes, such as capacity and type
- - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
- - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
- - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
- - Operating system attributes, such as Windows edition and virtualization state
- - Storage attributes, such as number of drives, type, and size
-
-- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
-
-- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
-
-- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
-
- - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
-
- - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
-
- - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
-
- - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
-
- - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
-
-- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses.
-
-### Enhanced level
-
-The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
-
-This level is needed to quickly identify and address Windows and Windows Server quality issues.
-
-The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device.
-
-The data gathered at this level includes:
-
-- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
-
-- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
-
-- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
-
-- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
-
-If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue.
-
-### Full level
-
-The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the Basic, Enhanced, and Security levels.
-
-Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
-
-If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem.
-
-However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
-
-- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
-
-- Ability to get registry keys.
-
-- All crash dump types, including heap dumps and full dumps.
-
-> [!NOTE]
-> Crash dumps collected at this diagnostic data level may unintentionally contain personal data, such as portions of memory from a documents, a web page, etc.
-
-## Limit Enhanced diagnostic data to the minimum required by Desktop Analytics
-
-> [!IMPORTANT]
-> The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](/windows/deployment/update/update-compliance-get-started) will continue to be supported.
-> For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-Desktop Analytics reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events.
-
-In Windows 10, version 1709, we introduced the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data.
-
-- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10 diagnostic data events and fields collected through the limit enhanced diagnostic data policy](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic.
-
-- **Some crash dump types.** Triage dumps for user mode and mini dumps for kernel mode.
-
-> [!NOTE]
-> Triage dumps are a type of [minidumps](https://docs.microsoft.com/windows/desktop/debug/minidump-files) that go through a process of user-sensitive information scrubbing. Some user-sensitive information may be missed in the process, and will therefore be sent with the dump.
-
-With the retirement of Windows Analytics, this policy will continue to be supported by Desktop Analytics, but will not include Office related diagnostic data.
-
-### Enable limiting enhanced diagnostic data to the minimum required by Desktop Analytics
-
-1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM.
-
- a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**.
-
- -OR-
-
- b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**.
-
- -AND-
-
-1. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM.
-
- a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**.
-
- -OR-
-
- b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**.
-
-## Additional resources
-
-FAQs
-
-- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy)
-- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
-- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy)
-- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy)
-- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
-- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq)
-- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
-- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
-- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization)
-
-Blogs
-
-- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
-
-Privacy Statement
-
-- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
-
-TechNet
-
-- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-
-Web Pages
-
-- [Privacy at Microsoft](https://privacy.microsoft.com)
+For more information about how to limit the diagnostic data to the minimum required by Desktop Analytics, see [Enable data sharing for Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/enable-data-sharing).
diff --git a/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md b/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md
new file mode 100644
index 0000000000..11aacc5fb8
--- /dev/null
+++ b/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md
@@ -0,0 +1,324 @@
+---
+title: Data processor service for Windows Enterprise public preview terms
+description: Use this article to understand Windows public preview terms of service.
+keywords: privacy, GDPR
+ms.localizationpriority: high
+ROBOTS: NOINDEX, NOFOLLOW
+ms.prod: w10
+ms.topic: article
+f1.keywords:
+- NOCSH
+ms.author: daniha
+author: DaniHalfin
+manager: dansimp
+audience: itpro
+ms.collection:
+- GDPR
+- M365-security-compliance
+---
+
+# Data processor service for Windows Enterprise public preview terms
+
+**These terms (“Terms”) must be read and accepted by a tenant admin with appropriate access rights and authority. By participating in this public preview, you: (a) agree to the following Terms, and (b) represent and warrant that you have such rights and authority.**
+
+These Terms govern your use of the preview described below (“**Preview**”). In order to access the Preview, you must be a current Microsoft Windows customer with an Azure Active Directory (“**AAD**”) subscription. The Preview consists of features and services that are in preview, beta, or other pre-release form for use with Windows and AAD.
+
+ 1. **Definitions**. The following terms have the following meanings:
+
+ 1. "**Customer Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through your use of Windows or AAD.
+
+ 2. "**Feedback**" means, collectively, suggestions, comments, feedback, ideas, or know-how, in any form, that you or your users provide to Microsoft about Microsoft’s business, products, or services.
+
+ 3. "**Personal Data**" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
+
+ 4. "**Preview Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through use of the Services.
+
+ 5. "**Subprocessor**" means other processors used by Microsoft to process Personal Data.
+
+2. **Scope of Services**. The Preview is for a service that enables organizations to become controllers of Windows diagnostic data on supported versions of Windows, with Microsoft operating as processor of the data (collectively, the “**_Services_**”). You will collaborate with Microsoft in order to provide Microsoft the ability to enable the Services for you. To access the Services, you will need to configure participating Windows devices; Microsoft will assist you in such configuration via documentation or other communications.
+
+3. **Intellectual Property**.
+
+ 1. **License Grant**. During the term of this Preview (“**Term**”), Microsoft grants you and authorized users in your tenant for Windows a non-exclusive, non-transferable, non-sublicensable right and license to access and use the Services in accordance with these Terms.
+
+ 2. **Use Terms**. These Terms supersede any Microsoft terms and conditions or other agreement. You acknowledge that (i) the Services may not work correctly or in the manner that a commercial service may function; Microsoft may change the Services for the final, commercial version or choose not to release a commercial version; (ii) Microsoft may not provide support for the Services; (iii) the Online Services Terms (OST), including any obligations Microsoft may have regarding Customer Data, do not apply to the Services or Preview Data; (iv) Microsoft has no obligation to hold, export, or return Preview Data, except as described in these Terms; (v) Microsoft has no liability for the deletion of Preview Data, except as described in these Terms; and (vi) you may lose access to the Services and Preview Data after the Term.
+
+ 3. **Acceptable Use**. Neither you, nor those that access the Services through you, may: (a) use the Services: (i) in a way prohibited by law, regulation, governmental order or decree; (ii) to violate the rights of others; (iii) to try to gain unauthorized access to or disrupt any service, device, data, account or network; (iv) to spam or distribute malware; or (v) in a way that could harm the Services or impair anyone else’s use of it; or (b) reverse engineer, decompile, disassemble, or work around any technical limitations in the Services, or use the Services to create a competing product. You are responsible for responding to any third-party request regarding your use of the Services or Preview Data, such as a request to take down Preview Data under the U.S. Digital Millennium Copyright Act or other applicable laws.
+
+ 4. **Data Collection, Use and Location**. The Microsoft Privacy Statement https://privacy.microsoft.com/privacystatement applies to the collection, use and location of Preview Data. In the event of a conflict between Privacy Statement and the terms of these Terms, the terms of these Terms will control.
+
+4. **Confidentiality**. The following confidentiality terms apply to the Preview:
+
+ 1. During the Term plus 5 years, the parties will hold in strictest confidence and not use or disclose to any third party any Confidential Information of the other party. “Confidential Information” means all non-public information a party designates in writing or orally as being confidential, or which under the circumstances of disclosure ought to be treated as confidential. Confidential Information includes information relating to:
+ 1. a party’s released or unreleased software or hardware products;
+ 2. a party’s source code;
+ 3. a party’s product marketing or promotion;
+ 4. a party’s business policies or practices;
+ 5. a party’s customers or suppliers;
+ 6. information received from others that a party must treat as confidential; and
+ 7. information provided, obtained, or created by a party under these Terms, including:
+ * information in reports;
+ * the parties’ electronic or written correspondence, customer lists and customer information, regardless of source;
+ * Personal Data; and
+ * Transactional, sales, and marketing information.
+
+ 2. A party will consult with the other if it questions what comprises Confidential Information. Confidential Information excludes information (i) known to a party before the disclosing party’s disclosure to the receiving party, (ii) information publicly available through no fault of the receiving party, (iii) received from a third party without breach of an obligation owed to the disclosing party, or (iv) independently developed by a party without reference to or use of the disclosing party’s Confidential Information.
+
+ 3. Each party will employ security procedures to prevent disclosure of the other party’s Confidential Information to unauthorized third parties. The receiving party’s security procedures must include risk assessment and controls for:
+ 1. system access;
+ 2. system and application development and maintenance;
+ 3. change management;
+ 4. asset classification and control;
+ 5. incident response, physical and environmental security;
+ 6. disaster recovery/business continuity; and
+ 7. employee training.
+
+5. **Data Protection.**
+
+ **Generally**. To the extent Microsoft is a processor of Personal Data, the General Data Protection Regulation (GDPR) Terms in Attachment 1 govern that processing and the parties also agree to the following terms:
+
+ 1. Processing Details: The parties agree that:
+ * The subject-matter of the processing is limited to Personal Data within the scope of the GDPR;
+ * The duration of the processing shall be for the duration of your right to use the Services and until all Personal Data is deleted or returned in accordance with your instructions or these Terms;
+ * The nature and purpose of the processing shall be to provide the Services pursuant to these Terms;
+ * The types of Personal Data processed by the Services include those expressly identified in Article 4 of the GDPR to the extent included by Preview Data; and
+ * The categories of data subjects are your representatives and end users, such as employees, contractors, collaborators, and customers.
+
+ 2. Data Transfers:
+ * Preview Data and Personal Data that Microsoft processes on your behalf may be transferred to, and stored and processed in, the United States or any other country in which Microsoft or its Subprocessors operate. You appoint Microsoft to perform any such transfer of Preview Data and Personal Data to any such country and to store and process Preview Data and Personal Data to provide the Services.
+ * All transfers of Preview Data and Personal Data out of the European Union, European Economic Area, United Kingdom, and Switzerland to provide the Online Services shall be governed by the Standard Contractual Clauses in Attachment 2.
+ * Microsoft will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area and Switzerland. All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.
+ * In addition, Microsoft is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments they entail. Microsoft agrees to notify you in the event that it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles.
+
+6. **No Support or Incident Response.** Microsoft will have no obligation under these Terms to correct any bugs, defects or errors in the Services or AAD, provide any updates, upgrades or new releases, or otherwise provide any technical support or maintenance for any Services or AAD. You will make reasonable efforts to promptly report to Microsoft any defects you find in the Services, as an aid to creating improved revisions of the Services. Microsoft will have no obligation under these Terms to provide you with incident response as part of the Services.
+
+7. **Term and Termination.** The term of the Preview begins when you accept these Terms and continues until: (a) either party terminates this Preview by providing the other party: (i) 2 days’ notice for any reason (or no reason), or (ii) notice of such party’s breach of these Terms and such party fails to cure within 15 days, or (b) upon the general availability of the Services. When the Term ends, you will no longer have access to the Services, and Microsoft will no longer have the rights to access Customer Data granted herein. Each party will, on request, return or destroy the other’s Confidential Information provided under the Preview.
+
+8. **Feedback.** Providing Feedback is voluntary. Microsoft is under no obligation to post or use any Feedback. By providing Feedback to Microsoft, you (and anyone providing Feedback through your use of the Preview) irrevocably and perpetually grant to Microsoft and its affiliates, under all of its (and their) owned or controlled intellectual property rights, a worldwide, non-exclusive, fully paid-up, royalty-free, transferable, sub-licensable right and license to make, use, reproduce, prepare derivative works based upon, distribute, publicly perform, publicly display, transmit, and otherwise commercialize the Feedback (including by combining or interfacing products, services or technologies that depend on or incorporate Feedback with other products, services or technologies of Microsoft or others), without attribution in any way and for any purpose. You warrant that (a) you will not provide Feedback that is subject to a license requiring Microsoft to license anything to third parties because Microsoft exercises any of the above rights in your Feedback; and (b) you own or otherwise control all of the rights to such Feedback and that no such Feedback is subject to any third-party rights (including any personality or publicity rights).
+
+9. **Representations and Warranties; Limitation of Liability.**
+
+ 1. **By the Parties.** Each party represents and warrants to the other party that (a) it has all necessary rights, title, and authority to enter into and perform under these Terms; (b) its performance under these Terms will not breach any agreement with a third party; and (c) it will comply with any and all laws, rules, and regulations that are applicable to its performance under these Terms.
+
+ 2. **Disclaimer.** EXCEPT AS OTHERWISE PROVIDED IN THESE TERMS AND TO THE EXTENT APPLICABLE LAW PERMITS, MICROSOFT (a) PROVIDES THE SERVICES AS-IS; (b) PROVIDES NO WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE; AND (c) DOES NOT GUARANTEE THAT THE SERVICES WILL BE AVAILABLE, UNINTERRUPTED, OR ERROR-FREE, OR THAT LOSS OF PREVIEW DATA WILL NOT OCCUR.
+
+ 3. **Limitation of Liability.** Except as otherwise described in this Section 9, the only remedy either party has for claims relating to these Terms or participation in the Preview is to terminate these Terms or your participation in the Preview. NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR ANY DAMAGES, INCLUDING DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, OR DAMAGES FOR LOST REVENUE, LOST PROFIT, LOST BUSINESS INFORMATION, OR BUSINESS INTERRUPTION, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES. The limitations in this Section 9 do not apply to claims arising from any breach of confidentiality obligations under Section 4.
+
+10. **General.**
+
+ 1. **Non-Exclusivity.** These Terms are nonexclusive. These Terms do not restrict either party from entering into the same or similar arrangement with any third party.
+
+ 2. **Jurisdiction and Governing Law.** The laws of the State of Washington, excluding conflicts of law provisions, govern these Terms. If federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the federal courts in King County, Washington. If no federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the Superior Court of King County, Washington.
+
+ 3. **Force Majeure.** A party will not be liable for failure to perform an obligation under these Terms to the extent that failure is due to a cause beyond that party’s reasonable control, including natural disaster, war, civil disturbance, or governmental action.
+
+ 4. **Attorneys’ fees.** If a party employs attorneys to enforce any rights arising out of or relating to these Terms, the prevailing party will be entitled to recover its reasonable attorneys’ fees, costs, and other expenses.
+
+ 5. **Assignment**. You may not assign these Terms or delegate any of your rights or obligations under these Terms to a third party without Microsoft’s prior written consent.
+
+ 6. **Entire Agreement.** These Terms are the entire agreement between the parties regarding its subject matter and replaces all prior agreements, communications, and representations between the parties regarding its subject matter.
+
+ 7. **Survival.** Sections 3.b, 4, 7 (with respect to post-termination obligations), and 8-10 will survive these Terms’ expiration or termination.
+
+
+ Attachment 1: GDPR Terms
+
+For purposes of these GDPR Terms, you and Microsoft agree that you are the controller of Personal Data and Microsoft is the processor of such data, except when you act as a processor of Personal Data, in which case Microsoft is a subprocessor. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by Microsoft on your behalf. These GDPR Terms do not limit or reduce any data protection commitments Microsoft makes to you in other agreement between Microsoft and you. These GDPR Terms do not apply where Microsoft is a controller of Personal Data.
+
+**Relevant GDPR Obligations: Articles 28, 32, and 33**
+
+1. Microsoft shall not engage another processor without prior specific or your general written authorization. In the case of general written authorization, Microsoft shall inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes. (Article 28(2))
+2. Processing by Microsoft shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law and are binding on Microsoft with regard to you. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and your obligations and rights are set forth in the Terms above, including these GDPR Terms. In particular, Microsoft shall:
+
+ 1. process the Personal Data only on your documented instructions, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Microsoft is subject; in such a case, Microsoft shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
+
+ 2. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
+
+ 3. take all measures required pursuant to Article 32 of the GDPR;
+
+ 4. respect the conditions referred to in paragraphs 1 and 3 for engaging another processor;
+
+ 5. taking into account the nature of the processing, assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
+
+ 6. assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Microsoft;
+
+ 7. at your choice, delete or return all the Personal Data to you after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
+
+ 8. make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
+
+ 9. immediately inform you if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. (Article 28(3))
+
+3. Where Microsoft engages another processor for carrying out specific processing activities on your behalf, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, Microsoft shall remain fully liable to you for the performance of that other processor's obligations. (Article 28(4))
+
+4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, you and Microsoft shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
+
+ 1. the pseudonymisation and encryption of Personal Data;
+
+ 2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
+
+ 3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
+
+ 4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (Article 32(1))
+
+5. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2))
+
+6. You and Microsoft shall take steps to ensure that any natural person acting under your authority or Microsoft’s who has access to Personal Data does not process them except on instructions from you, unless he or she is required to do so by Union or Member State law. (Article 32(4))
+
+7. Microsoft shall notify you without undue delay after becoming aware of a personal data breach. (Article 33(2)). Such notification will include that information a processor must provide to a controller under Article 33(3) to the extent such information is reasonably available to Microsoft.
+
+
+ Attachment 2 – The Standard Contractual Clauses (Processors)
+
+In countries where regulatory approval is required for use of the Standard Contractual Clauses, the Standard Contractual Clauses cannot be relied upon under European Commission 2010/87/EU (of February 2010) to legitimize export of data from the country, unless Customer has the required regulatory approval.
+Beginning May 25, 2018 and thereafter, references to various Articles from the Directive 95/46/EC in the Standard Contractual Clauses below will be treated as references to the relevant and appropriate Articles in the GDPR.
+For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, Customer (as data exporter) and Microsoft Corporation (as data importer, whose signature appears below), each a “party,” together “the parties,” have agreed on the following Contractual Clauses (the “Clauses” or “Standard Contractual Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
+
+**Clause 1: Definitions**
+
+1. 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
+1. 'the data exporter' means the controller who transfers the personal data;
+1. 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
+1. 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
+1. 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
+1. 'technical and organizational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
+
+**Clause 2: Details of the transfer**
+
+The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 below which forms an integral part of the Clauses.
+
+**Clause 3: Third-party beneficiary clause**
+
+1. The data subject can enforce against the data exporter this Clause, Clause 4(2) to (9), Clause 5(1) to (5), and (7) to (10), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
+2.1.exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
+1. The data subject can enforce against the subprocessor this Clause, Clause 5(1) to (5) and (7), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
+1. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
+
+**Clause 4: Obligations of the data exporter**
+
+The data exporter agrees and warrants:
+
+1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
+1. that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
+1. that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 below;
+1. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
+1. that it will ensure compliance with the security measures;
+1. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
+1. to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(2) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
+1. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
+1. that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
+1. that it will ensure compliance with Clause 4(1) to (9).
+
+**Clause 5: Obligations of the data importer**
+
+The data importer agrees and warrants:
+
+1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
+1. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
+1. that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
+1. that it will promptly notify the data exporter about:
+ 1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
+ 1. any accidental or unauthorised access, and
+ 1. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
+1. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
+1. at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
+1. to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
+1. that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
+1. that the processing services by the subprocessor will be carried out in accordance with Clause 11; and
+1. to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
+
+**Clause 6: Liability**
+
+1. The parties agree that any data subject who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
+1. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
+The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
+1. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
+
+**Clause 7: Mediation and jurisdiction**
+
+1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
+ 1. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
+ 1. to refer the dispute to the courts in the Member State in which the data exporter is established.
+1. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
+
+**Clause 8: Cooperation with supervisory authorities**
+
+1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
+1. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
+1. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (2).
+
+**Clause 9: Governing Law**
+
+The Clauses shall be governed by the law of the Member State in which the data exporter is established.
+
+**Clause 10: Variation of the contract**
+
+The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
+
+**Clause 11: Subprocessing**
+
+1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
+1. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
+1. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
+1. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
+
+**Clause 12: Obligation after the termination of personal data processing services**
+
+1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
+1. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
+
+**Appendix 1 to the Standard Contractual Clauses**
+
+**Data exporter**: Customer is the data exporter. The data exporter is a user of the Services.
+
+**Data importer**: The data importer is MICROSOFT CORPORATION, a global producer of software and services.
+
+**Data subjects**: Data subjects include the data exporter’s representatives and end-users including employees, contractors, collaborators, and customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the services provided by data importer. Microsoft acknowledges that, depending on Customer’s use of the Services, Customer may elect to include personal data from any of the following types of data subjects in the personal data:
+
+* Employees, contractors and temporary workers (current, former, prospective) of data exporter;
+* Dependents of the above;
+* Data exporter's collaborators/contact persons (natural persons) or employees, contractors or temporary workers of legal entity collaborators/contact persons (current, prospective, former);
+* Users (e.g., customers, clients, patients, visitors, etc.) and other data subjects that are users of data exporter's services;
+* Partners, stakeholders or individuals who actively collaborate, communicate or otherwise interact with employees of the data exporter and/or use communication tools such as apps and websites provided by the data exporter;
+* Stakeholders or individuals who passively interact with data exporter (e.g., because they are the subject of an investigation, research or mentioned in documents or correspondence from or to the data exporter);
+* Minors; or
+* Professionals with professional privilege (e.g., doctors, lawyers, notaries, religious workers, etc.).
+
+**Categories of data**: The personal data transferred that is included in data processed by the Services. Microsoft acknowledges that, depending on Customer’s use of the Services, Customer may elect to include personal data from any of the following categories in the personal data:
+
+* Basic personal data (for example place of birth, street name and house number (address), postal code, city of residence, country of residence, mobile phone number, first name, last name, initials, email address, gender, date of birth), including basic personal data about family members and children;
+* Authentication data (for example user name, password or PIN code, security question, audit trail);
+* Contact information (for example addresses, email, phone numbers, social media identifiers; emergency contact details);
+* Unique identification numbers and signatures (for example Social Security number, bank account number, passport and ID card number, driver's license number and vehicle registration data, IP addresses, employee number, student number, patient number, signature, unique identifier in tracking cookies or similar technology);
+* Pseudonymous identifiers;
+* Financial and insurance information (for example insurance number, bank account name and number, credit card name and number, invoice number, income, type of assurance, payment behavior, creditworthiness);
+* Commercial Information (for example history of purchases, special offers, subscription information, payment history);
+* Biometric Information (for example DNA, fingerprints and iris scans);
+* Location data (for example, Cell ID, geo-location network data, location by start call/end of the call. Location data derived from use of wifi access points);
+* Photos, video and audio;
+* Internet activity (for example browsing history, search history, reading, television viewing, radio listening activities);
+* Device identification (for example IMEI-number, SIM card number, MAC address);
+* Profiling (for example based on observed criminal or anti-social behavior or pseudonymous profiles based on visited URLs, click streams, browsing logs, IP-addresses, domains, apps installed, or profiles based on marketing preferences);
+* HR and recruitment data (for example declaration of employment status, recruitment information (such as curriculum vitae, employment history, education history details), job and position data, including worked hours, assessments and salary, work permit details, availability, terms of employment, tax details, payment details, insurance details and location and organizations);
+* Education data (for example education history, current education, grades and results, highest degree achieved, learning disability);
+* Citizenship and residency information (for example citizenship, naturalization status, marital status, nationality, immigration status, passport data, details of residency or work permit);
+* Information processed for the performance of a task carried out in the public interest or in the exercise of an official authority;
+* Special categories of data (for example racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions or offences); or
+* Any other personal data identified in Article 4 of the GDPR.
+
+**Processing operations**: The personal data transferred will be subject to the following basic processing activities:
+
+1. **Duration and Object of Data Processing**. The duration of data processing shall be for the term of the Preview. The objective of the data processing is the performance of the Services.
+1. **Scope and Purpose of Data Processing**. The scope and purpose of processing personal data is described in Section 5 of this agreement. The data importer operates a global network of data centers and management/support facilities, and processing may take place in any jurisdiction where data importer or its sub-processors operate such facilities.
+1. **Customer Data and Personal Data Access**. For the term designated under the applicable volume licensing agreement data importer will at its election and as necessary under applicable law implementing Article 12(b) of the EU Data Protection Directive, either: (1) provide data exporter with the ability to correct, delete, or block Customer Data and personal data, or (2) make such corrections, deletions, or blockages on its behalf.
+1. **Data Exporter’s Instructions**. For Online Services and Professional Services, data importer will only act upon data exporter’s instructions as conveyed by Microsoft.
+1. **Preview Data and Personal Data Deletion or Return**. Upon expiration or termination of data exporter’s use of the Services, it may extract Customer Data and personal data and data importer will delete Customer Data and personal data, each in accordance with the terms of this agreement.
+
+**Subcontractors**: In accordance with the DPA, the data importer may hire other companies to provide limited services on data importer’s behalf, such as providing customer support. Any such subcontractors will be permitted to obtain Customer Data and personal data only to deliver the services the data importer has retained them to provide, and they are prohibited from using Customer Data and personal data for any other purpose.
+
+**Appendix 2 to the Standard Contractual Clauses**
+
+Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(4) and 5(3):
+
+1. **Personnel**. Data importer’s personnel will not process Preview Data or personal data without authorization. Personnel are obligated to maintain the confidentiality of any such Preview Data and personal data and this obligation continues even after their engagement ends.
+2. **Data Privacy Contact**. The data privacy officer of the data importer can be reached at the following address: Microsoft Corporation Attn: Chief Privacy Officer1 Microsoft WayRedmond, WA 98052 USA
+3. **Technical and Organization Measures**. The data importer has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect Preview Data and personal data, as defined in Attachment 1 of this agreement, against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows: The technical and organizational measures, internal controls, and information security routines set forth in Attachment 1 of this agreement are hereby incorporated into this Appendix 2 by this reference and are binding on the data importer as if they were set forth in this Appendix 2 in their entirety.
diff --git a/windows/privacy/data-processor-service-for-windows-public-preview-terms.md b/windows/privacy/data-processor-service-for-windows-public-preview-terms.md
deleted file mode 100644
index 190bf05309..0000000000
--- a/windows/privacy/data-processor-service-for-windows-public-preview-terms.md
+++ /dev/null
@@ -1,170 +0,0 @@
----
-title: Data processor service for Windows public preview terms
-description: Use this article to understand Windows public preview terms of service.
-keywords: privacy, GDPR
-ms.localizationpriority: high
-ROBOTS: NOINDEX, NOFOLLOW
-ms.prod: w10
-ms.topic: article
-f1.keywords:
-- NOCSH
-ms.author: daniha
-author: DaniHalfin
-manager: dansimp
-audience: itpro
-ms.collection:
-- GDPR
-- M365-security-compliance
----
-
-# Data processor service for Windows public preview terms
-
-**These terms (“Terms”) must be read and accepted by a tenant admin with appropriate access rights and authority. By participating in this public preview, you: (a) agree to the following Terms, and (b) represent and warrant that you have such rights and authority.**
-
-These Terms govern your use of the preview described below (“**Preview**”). In order to access the Preview, you must be a current Microsoft Windows customer with an Azure Active Directory (“**AAD**”) subscription. The Preview consists of features and services that are in preview, beta, or other pre-release form for use with Windows and AAD.
-
- 1. **Definitions**. The following terms have the following meanings:
-
- 1. "**Customer Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through your use of Windows or AAD.
-
- 2. "**Feedback**" means, collectively, suggestions, comments, feedback, ideas, or know-how, in any form, that you or your users provide to Microsoft about Microsoft’s business, products, or services.
-
- 3. "**Personal Data**" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
-
- 4. "**Preview Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through use of the Services.
-
- 5. "**Subprocessor**" means other processors used by Microsoft to process Personal Data.
-
-2. **Scope of Services**. The Preview is for a service that enables organizations to become controllers of Windows diagnostic data on supported versions of Windows, with Microsoft operating as processor of the data (collectively, the “**_Services_**”). You will collaborate with Microsoft in order to provide Microsoft the ability to enable the Services for you. To access the Services, you will need to configure participating Windows devices; Microsoft will assist you in such configuration via documentation or other communications.
-
-3. **Intellectual Property**.
-
- 1. **License Grant**. During the term of this Preview (“**Term**”), Microsoft grants you and authorized users in your tenant for Windows a non-exclusive, non-transferable, non-sublicensable right and license to access and use the Services in accordance with these Terms.
-
- 2. **Use Terms**. These Terms supersede any Microsoft terms and conditions or other agreement. You acknowledge that (i) the Services may not work correctly or in the manner that a commercial service may function; Microsoft may change the Services for the final, commercial version or choose not to release a commercial version; (ii) Microsoft may not provide support for the Services; (iii) the Online Services Terms (OST), including any obligations Microsoft may have regarding Customer Data, do not apply to the Services or Preview Data; (iv) Microsoft has no obligation to hold, export, or return Preview Data, except as described in these Terms; (v) Microsoft has no liability for the deletion of Preview Data, except as described in these Terms; and (vi) you may lose access to the Services and Preview Data after the Term.
-
- 3. **Acceptable Use**. Neither you, nor those that access the Services through you, may: (a) use the Services: (i) in a way prohibited by law, regulation, governmental order or decree; (ii) to violate the rights of others; (iii) to try to gain unauthorized access to or disrupt any service, device, data, account or network; (iv) to spam or distribute malware; or (v) in a way that could harm the Services or impair anyone else’s use of it; or (b) reverse engineer, decompile, disassemble, or work around any technical limitations in the Services, or use the Services to create a competing product. You are responsible for responding to any third-party request regarding your use of the Services or Preview Data, such as a request to take down Preview Data under the U.S. Digital Millennium Copyright Act or other applicable laws.
-
- 4. **Data Collection, Use and Location**. The Microsoft Privacy Statement https://privacy.microsoft.com/privacystatement applies to the collection, use and location of Preview Data. In the event of a conflict between Privacy Statement and the terms of these Terms, the terms of these Terms will control.
-
-4. **Confidentiality**. The following confidentiality terms apply to the Preview:
-
- 1. During the Term plus 5 years, the parties will hold in strictest confidence and not use or disclose to any third party any Confidential Information of the other party. “Confidential Information” means all non-public information a party designates in writing or orally as being confidential, or which under the circumstances of disclosure ought to be treated as confidential. Confidential Information includes information relating to:
- 1. a party’s released or unreleased software or hardware products;
- 2. a party’s source code;
- 3. a party’s product marketing or promotion;
- 4. a party’s business policies or practices;
- 5. a party’s customers or suppliers;
- 6. information received from others that a party must treat as confidential; and
- 7. information provided, obtained, or created by a party under these Terms, including:
- * information in reports;
- * the parties’ electronic or written correspondence, customer lists and customer information, regardless of source;
- * Personal Data; and
- * Transactional, sales, and marketing information.
-
- 2. A party will consult with the other if it questions what comprises Confidential Information. Confidential Information excludes information (i) known to a party before the disclosing party’s disclosure to the receiving party, (ii) information publicly available through no fault of the receiving party, (iii) received from a third party without breach of an obligation owed to the disclosing party, or (iv) independently developed by a party without reference to or use of the disclosing party’s Confidential Information.
-
- 3. Each party will employ security procedures to prevent disclosure of the other party’s Confidential Information to unauthorized third parties. The receiving party’s security procedures must include risk assessment and controls for:
- 1. system access;
- 2. system and application development and maintenance;
- 3. change management;
- 4. asset classification and control;
- 5. incident response, physical and environmental security;
- 6. disaster recovery/business continuity; and
- 7. employee training.
-
-5. **Data Protection.**
-
- **Generally**. To the extent Microsoft is a processor of Personal Data, the General Data Protection Regulation (GDPR) Terms in Appendix 1 govern that processing and the parties also agree to the following terms:
-
- 1. Processing Details: The parties agree that:
- * The subject-matter of the processing is limited to Personal Data within the scope of the GDPR;
- * The duration of the processing shall be for the duration of your right to use the Services and until all Personal Data is deleted or returned in accordance with your instructions or these Terms;
- * The nature and purpose of the processing shall be to provide the Services pursuant to these Terms;
- * The types of Personal Data processed by the Services include those expressly identified in Article 4 of the GDPR to the extent included by Preview Data; and
- * The categories of data subjects are your representatives and end users, such as employees, contractors, collaborators, and customers.
-
- 2. Data Transfers:
- * Preview Data and Personal Data that Microsoft processes on your behalf may be transferred to, and stored and processed in, the United States or any other country in which Microsoft or its Subprocessors operate. You appoint Microsoft to perform any such transfer of Preview Data and Personal Data to any such country and to store and process Preview Data and Personal Data to provide the Services.
- * Microsoft will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area and Switzerland. All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.
- * In addition, Microsoft is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments they entail. Microsoft agrees to notify you in the event that it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles.
-
-6. **No Support or Incident Response.** Microsoft will have no obligation under these Terms to correct any bugs, defects or errors in the Services or AAD, provide any updates, upgrades or new releases, or otherwise provide any technical support or maintenance for any Services or AAD. You will make reasonable efforts to promptly report to Microsoft any defects you find in the Services, as an aid to creating improved revisions of the Services. Microsoft will have no obligation under these Terms to provide you with incident response as part of the Services.
-
-7. **Term and Termination.** The term of the Preview begins when you accept these Terms and continues until: (a) either party terminates this Preview by providing the other party: (i) 2 days’ notice for any reason (or no reason), or (ii) notice of such party’s breach of these Terms and such party fails to cure within 15 days, or (b) upon the general availability of the Services. When the Term ends, you will no longer have access to the Services, and Microsoft will no longer have the rights to access Customer Data granted herein. Each party will, on request, return or destroy the other’s Confidential Information provided under the Preview.
-
-8. **Feedback.** Providing Feedback is voluntary. Microsoft is under no obligation to post or use any Feedback. By providing Feedback to Microsoft, you (and anyone providing Feedback through your use of the Preview) irrevocably and perpetually grant to Microsoft and its affiliates, under all of its (and their) owned or controlled intellectual property rights, a worldwide, non-exclusive, fully paid-up, royalty-free, transferable, sub-licensable right and license to make, use, reproduce, prepare derivative works based upon, distribute, publicly perform, publicly display, transmit, and otherwise commercialize the Feedback (including by combining or interfacing products, services or technologies that depend on or incorporate Feedback with other products, services or technologies of Microsoft or others), without attribution in any way and for any purpose. You warrant that (a) you will not provide Feedback that is subject to a license requiring Microsoft to license anything to third parties because Microsoft exercises any of the above rights in your Feedback; and (b) you own or otherwise control all of the rights to such Feedback and that no such Feedback is subject to any third-party rights (including any personality or publicity rights).
-
-9. **Representations and Warranties; Limitation of Liability.**
-
- 1. **By the Parties.** Each party represents and warrants to the other party that (a) it has all necessary rights, title, and authority to enter into and perform under these Terms; (b) its performance under these Terms will not breach any agreement with a third party; and (c) it will comply with any and all laws, rules, and regulations that are applicable to its performance under these Terms.
-
- 2. **Disclaimer.** EXCEPT AS OTHERWISE PROVIDED IN THESE TERMS AND TO THE EXTENT APPLICABLE LAW PERMITS, MICROSOFT (a) PROVIDES THE SERVICES AS-IS; (b) PROVIDES NO WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE; AND (c) DOES NOT GUARANTEE THAT THE SERVICES WILL BE AVAILABLE, UNINTERRUPTED, OR ERROR-FREE, OR THAT LOSS OF PREVIEW DATA WILL NOT OCCUR.
-
- 3. **Limitation of Liability.** Except as otherwise described in this Section 9, the only remedy either party has for claims relating to these Terms or participation in the Preview is to terminate these Terms or your participation in the Preview. NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR ANY DAMAGES, INCLUDING DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, OR DAMAGES FOR LOST REVENUE, LOST PROFIT, LOST BUSINESS INFORMATION, OR BUSINESS INTERRUPTION, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES. The limitations in this Section 9 do not apply to claims arising from any breach of confidentiality obligations under Section 4.
-
-10. **General.**
-
- 1. **Non-Exclusivity.** These Terms are nonexclusive. These Terms do not restrict either party from entering into the same or similar arrangement with any third party.
-
- 2. **Jurisdiction and Governing Law.** The laws of the State of Washington, excluding conflicts of law provisions, govern these Terms. If federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the federal courts in King County, Washington. If no federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the Superior Court of King County, Washington.
-
- 3. **Force Majeure.** A party will not be liable for failure to perform an obligation under these Terms to the extent that failure is due to a cause beyond that party’s reasonable control, including natural disaster, war, civil disturbance, or governmental action.
-
- 4. **Attorneys’ fees.** If a party employs attorneys to enforce any rights arising out of or relating to these Terms, the prevailing party will be entitled to recover its reasonable attorneys’ fees, costs, and other expenses.
-
- 5. **Assignment**. You may not assign these Terms or delegate any of your rights or obligations under these Terms to a third party without Microsoft’s prior written consent.
-
- 6. **Entire Agreement.** These Terms are the entire agreement between the parties regarding its subject matter and replaces all prior agreements, communications, and representations between the parties regarding its subject matter.
-
- 7. **Survival.** Sections 3.b, 4, 7 (with respect to post-termination obligations), and 8-10 will survive these Terms’ expiration or termination.
-
-
Microsoft uses diagnostic data to: keep Windows secure and up to date, troubleshoot problems, and make product improvements as described in more detail below. Regardless of level selected, the device will be just as secure and will operate normally. This data is collected by Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device, and understand the device's service issues and use patterns.
Diagnostic data is categorized into four levels:
**Security** Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
**Basic** Basic device info, including: quality-related data, app compatibility, and data from the Security level.
**Enhanced** Additional insights, including: how Windows, Windows Server, System Center, and apps are used; how they perform; advanced reliability data; and data from both the Basic and the Security levels.
**Full** Information about the websites you browse, how you use apps and features; plus additional information about device health, device activity, enhanced error reporting, and data from Enhanced, Basic and the Security levels. At Full, Microsoft also collects the memory state of your device when a system or app crash occurs (which may unintentionally include parts of a file you were using when a problem occurred).
[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
-| Inking and typing diagnostics | Microsoft collects inking and typing data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
-| Speech | Use your voice for dictation and to talk to Cortana and other apps that use Windows cloud-based speech recognition. Microsoft collects voice data to help improve speech services. | [Learn more](https://support.microsoft.com/help/4468250/speech-inking-typing-and-privacy-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainspeechinkingtypingmodule) |
-| Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) |
+| Diagnostic Data |
Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns.
Diagnostic data is categorized into the following:
**Required diagnostic data** Previously known as basic diagnostic data, required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](https://docs.microsoft.com/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004).
**Optional diagnostic data** Previously known as full diagnostic data, optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data).
[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
+| Inking and typing diagnostics | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
+| Speech | Use your voice for dictation and to talk to Cortana and other apps that use Windows cloud-based speech recognition. Microsoft collects voice data to help improve speech services. | [Learn more](https://support.microsoft.com/help/4468250/windows-10-speech-voice-activation-inking-typing-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainspeechinkingtypingmodule) |
+| Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy) |[Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) |
| Find my device | Use your device’s location data to help you find your device if you lose it. | [Learn more](https://support.microsoft.com/help/11579/microsoft-account-find-and-lock-lost-windows-device) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) |
-| Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you have chosen (Security, Basic, Enhanced, or Full). Tailored experiences mean personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
-| Advertising Id | Apps can use advertising ID to provide more personalized advertising in accordance with the privacy policy of the app provider. | [Learn more](https://support.microsoft.com/help/4459081/general-privacy-settings-in-windows-10-microsoft-privacy) | [Privacy statement](https://privacy.microsoft.com/privacystatement#mainadvertisingidmodule) |
-| Activity History/Timeline – Cloud Sync | If you want timeline and other Windows features to help you continue what you were doing, even when you switch devices, send Microsoft your activity history, which includes info about websites you browse and how you use apps and services. | [Learn more](https://support.microsoft.com/help/4468227/windows-10-activity-history-and-your-privacy-microsoft-privacy) | [Privacy statement](https://privacy.microsoft.com/privacystatement#mainactivityhistorymodule) |
-| Cortana |
Cortana is Microsoft’s personal digital assistant, which helps busy people get things done, even while they’re at work. Cortana on Windows is available in [certain regions and languages](https://support.microsoft.com/instantanswers/557b5e0e-0eb0-44db-87d6-5e5db6f9c5b0/cortana-s-regions-and-languages). Cortana learns from certain data about the user, such as location, searches, calendar, contacts, voice input, speech patterns, email, content and communication history from text messages. In Microsoft Edge, Cortana uses browsing history. The user is in control of how much data is shared.
Cortana has powerful configuration options, specifically optimized for a business. By signing in with an Azure Active Directory (Azure AD) account, enterprise users can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
[Cortana integration in your business or enterprise](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-overview) | [Privacy statement](https://privacy.microsoft.com/privacystatement#maincortanamodule) |
+| Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
+| Advertising Id | Apps can use advertising ID to provide more personalized advertising in accordance with the privacy policy of the app provider. | [Learn more](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | [Privacy statement](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) |
+| Activity History/Timeline – Cloud Sync | If you want Windows Timeline and other Windows features to help you continue what you were doing, even when you switch devices, send Microsoft your activity history, which includes info about websites you browse and how you use apps and services. | [Learn more](https://support.microsoft.com/help/4468227/windows-10-activity-history-and-your-privacy-microsoft-privacy) | [Privacy statement](https://privacy.microsoft.com/privacystatement#mainactivityhistorymodule) |
+| Cortana |
Cortana is Microsoft’s personal digital assistant, which helps busy people get things done, even while they’re at work. Cortana on Windows is available in [certain regions and languages](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). Cortana learns from certain data about the user, such as location, searches, calendar, contacts, voice input, speech patterns, email, content and communication history from text messages. In Microsoft Edge, Cortana uses browsing history. The user is in control of how much data is shared.
Cortana has powerful configuration options, specifically optimized for a business. By signing in with an Azure Active Directory (Azure AD) account, enterprise users can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
[Cortana integration in your business or enterprise](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-overview) | [Privacy statement](https://privacy.microsoft.com/privacystatement#maincortanamodule) |
### 1.2 Data collection monitoring
-The Diagnostic Data Viewer (DDV) is a Windows app (available in Windows 10, version 1803 or later) that lets a user review the Windows diagnostic data that is being collected on their Windows 10 device and sent to Microsoft. DDV groups the information into simple categories based on how it is used by Microsoft. The [DDV Overview](diagnostic-data-viewer-overview.md) provides information on how users can get started on using this tool.
+[Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) is a Microsoft Store app (available in Windows 10, version 1803 and newer) that lets a user review the Windows diagnostic data that is being collected on their Windows 10 device and sent to Microsoft in real-time. DDV groups the information into simple categories that describe the data that’s being collected.
An administrator can also use the Diagnostic Data Viewer for PowerShell module to view the diagnostic data collected from the device instead of using the Diagnostic Data Viewer UI. The [Diagnostic Data Viewer for PowerShell Overview](microsoft-diagnosticdataviewer.md) provides further information.
## 2. Windows 10 data collection management
-Windows 10 provides the ability to manage privacy settings through several different methods. Users can change their privacy settings using the Windows 10 settings (**Start** > **Settings** > **Privacy**). The organization can also manage the privacy settings using group policy or mobile device management (MDM). The following sections provide an overview on how to manage the privacy settings previously discussed in this article.
+Windows 10 provides the ability to manage privacy settings through several different methods. Users can change their privacy settings using the Windows 10 settings (**Start > Settings > Privacy**). The organization can also manage the privacy settings using Group Policy or Mobile Device Management (MDM). The following sections provide an overview on how to manage the privacy settings previously discussed in this article.
### 2.1 Privacy setting options for users
-Once a Windows 10 device is set up, a user can manage data collection settings by going to **Start** > **Settings** > **Privacy**. IT administrators can control privacy settings via setting policy on the device (see Section 2.2 below). If this is the case, the user will see an alert that says ‘Some settings are hidden or managed by your organization’ when they navigate to **Start** > **Settings** > **Privacy**. Meaning the user can only change settings in accordance with the policies that the administrator has applied to the device.
+Once a Windows 10 device is set up, a user can manage data collection settings by navigating to **Start > Settings > Privacy**. Administrators can control privacy settings via setting policy on the device (see Section 2.2 below). If this is the case, the user will see an alert that says **Some settings are hidden or managed by your organization** when they navigate to **Start > Settings > Privacy**. In this case, the user can only change settings in accordance with the policies that the administrator has applied to the device.
### 2.2 Privacy setting controls for administrators
-The IT department can configure and control privacy settings across their organization by using Group Policy, registry, or Mobile Device Management (MDM) settings.
+Administrators can configure and control privacy settings across their organization by using Group Policy, Mobile Device Management (MDM), or Windows registry settings.
-The following table provides an overview of the privacy settings discussed earlier in this document with details on how to configure these via policy. The table also provides information on what the default value would be for each of these privacy settings if you do not manage the setting via policy and suppress the Out-of-box Experience (OOBE) during device setup. For an IT administrator interested in minimizing data, we also provide the recommended value to set.
+The following table provides an overview of the privacy settings discussed earlier in this document with details on how to configure these policies. The table also provides information on what the default value would be for each of these privacy settings if you do not manage the setting by using policy and suppress the Out-of-box Experience (OOBE) during device setup. If you’re interested in minimizing data collection, we also provide the recommended value to set.
> [!NOTE]
-> This is not a complete list of settings that involve connecting to Microsoft services. To see a more detailed list, please refer to Manage connections from [Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+> This is not a complete list of settings that involve connecting to Microsoft services. To see a more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
| Feature/Setting | GP/MDM Documentation | Default State if the Setup experience is suppressed | State to stop/minimize data collection |
|---|---|---|---|
| [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy: **Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**
MDM: [Privacy/AllowInputPersonalization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off |
-| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy: **Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
MDM: [Privacy/LetAppsAccessLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesslocation) | Off (Windows 10, version 1903 and later) | Off |
+| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy: **Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
MDM: [Privacy/LetAppsAccessLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later) | Off |
| [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy: **Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**
MDM: [Experience/AllFindMyDevice](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off |
-| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#enterprise-management) | Group Policy: **Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**
MDM: [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Desktop SKUs: Basic (Windows 10, version 1903 and later)
Server SKUs: Enhanced | Security and block endpoints |
+| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy: **Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**
MDM: [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Desktop editions: Required diagnostic data (Windows 10, version 1903 and later)
Server editions: Required diagnostic data | Security and block endpoints |
| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy: **Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**
MDM: [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later) | Off |
-| Tailored Experiences | Group Policy: **User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**
MDM: Link TBD | Off | Off |
-| Advertising ID | Group Policy: **Configuration** > **System** > **User Profile** > **Turn off the advertising Id**
MDM: [Privacy/DisableAdvertisingId](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off |
+| Tailored Experiences | Group Policy: **User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**
MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off |
+| Advertising ID | Group Policy: **Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**
MDM: [Privacy/DisableAdvertisingId](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off |
| Activity History/Timeline – Cloud Sync | Group Policy: **Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**
MDM: [Privacy/EnableActivityFeed](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off |
| [Cortana](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#2-cortana-and-search) | Group Policy: **Computer Configuration** > **Windows Components** > **Search** > **Allow Cortana**
MDM: [Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Off | Off |
### 2.3 Guidance for configuration options
-This section provides general details and links to more detailed information as well as instructions for IT administrators and compliance professional. These instructions allow IT admins and compliance pros to manage the device compliance. This information includes details about setting up a device, to configuring the device’s settings after setup is completed to minimize data collected and drive privacy related user experiences.
+This section provides general details and links to more detailed information, as well as instructions for administrators and compliance professionals. These instructions allow you to manage device settings to manage the compliance objectives of your organization. This information includes details about setting up a device, configuring the device’s settings after setup is complete to minimize data collection, and driving privacy-related user experiences.
-#### 2.3.1 Managing the device setup experience
+#### _2.3.1 Managing the device setup experience_
-Windows deployment can be configured using several different methods, which provide an administrator with options to control: how a device is set up, what’s enabled by default, and what the user is able to change on the system after they log on.
+Windows deployment can be configured using several different methods that provide an administrator with options for control, including how a device is set up, which options are enabled by default, and what the user is able to change on the device after they log on.
-The [Deploy and update Windows 10](https://docs.microsoft.com/windows/deployment/) section of the Windows IT Pro Center provides an overview of the different options.
+If you want the ability to fully control and apply restrictions on data being sent back to Microsoft, you can use [Configuration Manager](https://docs.microsoft.com/mem/configmgr/) as a deployment solution. Configuration Manager can be used to deploy a customized boot image using a variety of [deployment methods](https://docs.microsoft.com/mem/configmgr/osd/get-started/prepare-for-operating-system-deployment). You can further restrict any Configuration Manager-specific diagnostic data from being sent back to Microsoft by turning off this setting as outlined in the instructions [here](https://docs.microsoft.com/mem/configmgr/core/plan-design/diagnostics/frequently-asked-questions).
-#### 2.3.2 Managing connections from Windows components to Microsoft services
+Alternatively, your administrators can also choose to use Windows Autopilot. Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Autopilot profile and policies.
-IT administrators can manage the data sent from their organization to Microsoft by configuring settings associated with the functionality provided by these Windows components.
+You can use the following articles to learn more about Autopilot and how to use Autopilot to deploy Windows 10:
+- https://docs.microsoft.com/windows/deployment/windows-Autopilot/windows-Autopilot
+- https://docs.microsoft.com/windows/deployment/windows-Autopilot/deployment-process
-See [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services) for more details, including the different methods available on how to configure each setting, the impact to functionality and which versions of Windows that are applicable.
+#### _2.3.2 Managing connections from Windows components to Microsoft services_
-#### 2.3.3 Managing Windows 10 connections
+Administrators can manage the data sent from their organization to Microsoft by configuring settings associated with the functionality provided by Windows components.
-Some Windows components, apps, and related services transfer data to Microsoft network endpoints. An administrator may want to block these endpoints as an additional measure of ensuring privacy compliance within their organization.
+For more details, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). This topic includes the different methods available on how to configure each setting, the impact to functionality, and which versions of Windows that are applicable.
-[Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with the functionality that would be impacted. Details for additional Windows versions can be found on the [Windows Privacy site](https://docs.microsoft.com/windows/privacy/) under the “Manage Windows 10 connection endpoints” section of the left-hand navigation menu.
+#### _2.3.3 Managing Windows 10 connections_
-#### 2.3.4 Limited functionality baseline
+Some Windows components, apps, and related services transfer data to Microsoft network endpoints. An administrator may want to block these endpoints for their organization to meet their specific compliance objectives.
-An organization may want to further minimize the amount of data shared with Microsoft or apps by managing the connections and configuring additional settings on their devices. Similar to [Security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), we have a limited functionality baseline-focused configuring settings to minimize the data shared, however this comes with some potential impact to functionality on the device. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators who don’t want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization.
+[Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. Details for additional Windows versions can be found on the [Windows Privacy site](https://docs.microsoft.com/windows/privacy/) under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu.
-#### 2.3.5 Diagnostic data: Managing notifications for change of level at logon
+#### _2.3.4 Limited functionality baseline_
-Windows 10, version 1803, and later provides users with a notification during sign in about changes to the diagnostic data level on the device so they are aware of any changes where additional data may be collected. For instance, if the diagnostic level on the device is set to Basic and an administrator changes it to Full, users will be notified when they next sign in. The IT administrator can disable these notifications by setting Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in change notifications** or the MDM policy `ConfigureTelemetryOptInChangeNotification`.
+An organization may want to further minimize the amount of data sent back to Microsoft or shared with Microsoft apps by managing the connections and configuring additional settings on their devices. Similar to [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), Microsoft has released a limited functionality baseline focused on configuring settings to minimize the data sent back to Microsoft. However, the functionality of the device could be impacted by applying these settings. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators that don’t want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization.
-#### 2.3.6 Diagnostic data: Managing end user choice for changing the setting
+>[!IMPORTANT]
+>We recommend that you fully test any modifications to these settings before deploying them in your organization.
-Windows 10, version 1803 and later, allows users to change their diagnostic data level to a lower setting than what their IT administrator has set. For instance, if the administrator has set the diagnostic data level to Enhanced or Full, a user can change the setting to Basic by going into **Settings** > **Privacy** > **Diagnostic & feedback**. The administrator can disable the user ability to change the setting via **Setting** > **Privacy** by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in setting user interface** or the MDM policy `ConfigureTelemetryOptInSettingsUx`.
+#### _2.3.5 Diagnostic data: Managing notifications for change of level at logon_
-#### 2.3.7 Diagnostic data: Managing device-based data delete
+Starting with Windows 10, version 1803, if an administrator modifies the diagnostic data collection setting, users are notified of this change during the initial device sign in. For example, if you configure the device to send optional diagnostic data, users will be notified the next time they sign into the device. You can disable these notifications by using the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in change notifications** or the MDM policy `ConfigureTelemetryOptInChangeNotification`.
-Windows 10, version 1803 and later, allows a user to delete diagnostic data collected from their device by going into **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button. An IT administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet script.
+#### _2.3.6 Diagnostic data: Managing end user choice for changing the setting_
+
+Windows 10, version 1803 and newer allows users to change their diagnostic data level to a lower setting than what their administrator has set. For example, if you have configured the device to send optional diagnostic data, a user can change the setting so that only required diagnostic data is sent by going into **Settings** > **Privacy** > **Diagnostics & feedback**. Administrators can restrict a user’s ability to change the setting using **Setting** > **Privacy** by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in setting user interface** or the MDM policy `ConfigureTelemetryOptInSettingsUx`.
+
+#### _2.3.7 Diagnostic data: Managing device-based data delete_
+
+Windows 10, version 1809 and newer allows a user to delete diagnostic data collected from their device by using **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet.
An administrator can disable a user’s ability to delete their device’s diagnostic data by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Disable deleting diagnostic data** or the MDM policy `DisableDeviceDelete`.
## 3. The process for exercising data subject rights
-This section discusses the different methods Microsoft provides for users and IT administrators to exercise data subject rights for data collected from a Windows 10 device.
+This section discusses the different methods Microsoft provides for users and administrators to exercise data subject rights for data collected from a Windows 10 device.
### 3.1 Delete
-Users can delete their device-based data by going to **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button. Administrators can also use the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet script.
+Users can delete their device-based data by going to **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet.
### 3.2 View
-The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides a view into the diagnostic data being collected from the Windows 10 device. IT administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet script.
+The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides a view into the diagnostic data being collected from a Windows 10 device. Administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet.
### 3.3 Export
-The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides the ability to export the diagnostic data captured while the app is running, by clicking the Export data button in the top menu. IT administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet script.
+The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides the ability to export the diagnostic data captured while the app is running, by clicking the **Export** data button in the top menu. Administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet script.
### 3.4 Devices connected to a Microsoft account
-If a user signs in to a Windows experience or app on their device with their Microsoft account (MSA), they can view, delete, and export data associated with their MSA on the [Privacy dashboard](https://account.microsoft.com/privacy).
+If a user signs in to a Windows experience or app on their device with their Microsoft account, they can view, delete, and export data associated with their Microsoft account on the [Privacy dashboard](https://account.microsoft.com/privacy).
## 4. Cross-border data transfers
@@ -177,26 +177,34 @@ Microsoft’s [Privacy Statement](https://privacy.microsoft.com/privacystatement
The following sections provide details about how privacy data is collected and managed across related Windows products.
-### 5.1 Windows Server 2016 and 2019
+### 5.1 Windows Server 2016 and newer
-Windows Server follows the same mechanisms as Windows 10 for handling of personal data. There are some differences regarding [diagnostic default settings for Windows Server](https://microsoft-my.sharepoint.com/personal/v-colinm_microsoft_com/Documents/WINDOWS%20PRIVACY/Windows%20diagnostic%20data%20and%20Windows%20Server).
+Windows Server follows the same mechanisms as Windows 10 for handling of personal data.
### 5.2 Surface Hub
-Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to an individual user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store.
+[Surface Hub](https://docs.microsoft.com/surface-hub/) is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. To delete the Windows diagnostic data sent to Microsoft for Surface Hub, you can use the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store
-For more details, see [Windows 10 Team Edition, Version 1703 for Surface Hub](gdpr-it-guidance.md#windows-10-team-edition-version-1703-for-surface-hub).
+>[!IMPORTANT]
+>Apps and services that run on Windows but are not considered part of Windows will manage data collection using their own controls. Please contact the publisher for further guidance on how to control the data collection and transmission of these apps and services.
-### 5.3 Windows 10 Analytics
+An administrator can configure privacy-related settings, such as choosing to only send required diagnostic data. Surface Hub does not support Group Policy for centralized management. However, administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, see [Manage settings with an MDM provider (Surface Hub)](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub).
-[Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-overview) is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. There are currently three solutions which you can use singly or in any combination: Device Health, Update Compliance, and Upgrade Readiness. Windows Analytics is a separate offering from Windows 10 and is dependent on enabling a minimum set of data collection on the device to function.
+### 5.3 Desktop Analytics
-For more details, see the [Windows Analytics overview page](https://docs.microsoft.com/windows/deployment/update/windows-analytics-overview).
+[Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. Desktop Analytics is a separate offering from Windows 10 and is dependent on enabling a minimum set of data collection on the device to function.
+### 5.4 Microsoft Managed Desktop
+
+[Microsoft Managed Desktop (MMD)](https://docs.microsoft.com/microsoft-365/managed-desktop/service-description/?view=o365-worldwide) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows 10 Enterprise edition, Office 365 ProPlus, and Microsoft security services.
## Additional Resources
-* [Microsoft Trust Center: GDPR Overview](https://www.microsoft.com/trustcenter/privacy/gdpr/gdpr-overview)
-* [Microsoft Trust Center: Privacy at Microsoft](https://www.microsoft.com/TrustCenter/Privacy/privacy-overview)
+* [Microsoft Trust Center: GDPR Overview](https://www.microsoft.com/trust-center/privacy/gdpr-overview)
+* [Microsoft Trust Center: Privacy at Microsoft](https://www.microsoft.com/trust-center/privacy)
* [Windows IT Pro Docs](https://docs.microsoft.com/windows/#pivot=it-pro)
-
+* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
+* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+* [Privacy at Microsoft](https://privacy.microsoft.com/privacy-report)
+* [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md)
+* [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 5165ffd9c7..153c7ca114 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -1,6 +1,6 @@
---
-title: Windows 10, version 1709 and newer diagnostic data for the Full level (Windows 10)
-description: Use this article to learn about the types of diagnostic data that is collected at the Full level.
+title: Windows 10, version 1709 and newer optional diagnostic data (Windows 10)
+description: Use this article to learn about the types of optional diagnostic data that is collected.
keywords: privacy,Windows 10
ms.prod: w10
ms.mktglfcycl: manage
@@ -16,7 +16,7 @@ ms.date: 12/04/2019
ms.reviewer:
---
-# Windows 10, version 1709 and newer diagnostic data for the Full level
+# Windows 10, version 1709 and newer optional diagnostic data
Applies to:
- Windows 10, version 1909
@@ -25,7 +25,7 @@ Applies to:
- Windows 10, version 1803
- Windows 10, version 1709
-Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1903 Basic level diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
+Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 2004 required diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
index 43a5191c6b..c4bb922fb2 100644
--- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
@@ -8,11 +8,11 @@ ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: mikeedgar
-ms.author: sanashar
-manager: sanashar
+ms.author: obezeajo
+manager: robsize
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 5/9/2019
+ms.date: 7/22/2020
---
# Windows 10, version 1903, connection endpoints for non-Enterprise editions
diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
new file mode 100644
index 0000000000..357c78dd10
--- /dev/null
+++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
@@ -0,0 +1,203 @@
+---
+title: Windows 10, version 1909, connection endpoints for non-Enterprise editions
+description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1909.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+audience: ITPro
+author: gental-giant
+ms.author: v-hakima
+manager: obezeajo
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 7/22/2020
+---
+# Windows 10, version 1909, connection endpoints for non-Enterprise editions
+
+ **Applies to**
+
+- Windows 10 Home, version 1909
+- Windows 10 Professional, version 1909
+- Windows 10 Education, version 1909
+
+In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-2004-endpoints.md), the following endpoints are available on other non-Enterprise editions of Windows 10, version 1909.
+
+The following methodology was used to derive the network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
+6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
+8. These tests were conducted for one week. If you capture traffic for longer you may have different results.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 Family
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+|arc.msn.com|HTTP/TLS v1.2|Windows Spotlight
+|api.asm.skype.com|TLS v1.2|Used to retrieve Skype configuration values
+|browser.pipe.aria.microsoft.com|HTTPS|Used to retrieve Skype configuration values
+|ctldl.windowsupdate.com/*|HTTP|Certificate Trust List
+|client.wns.windows.com|HTTP|Used for the Windows Push Notification Service(WNS)
+|config.edge.skype.com|HTTP/TLS v1.2|Used to retrieve Skype configuration values
+|dmd.metaservices.microsoft.com|HTTP|Device metadata
+|config.teams.microsoft.com|HTTPS|Used for Microsoft Teams application
+|*dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft Store
+|*.tlu.dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft Store
+|displaycatalog.mp.microsoft.com/*|HTTP/TLS v1.2|Used to communicate with Microsoft Store
+|evoke-windowsservices-tas.msedge.net|HTTP/TLS v1.2|Used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser
+|fe2cr.update.microsoft.com|HTTPS/TLS v1.2|Enables connections to Windows Update, Microsoft Update, and the online services of the Store
+|fe3cr.delivery.mp.microsoft.com|HTTPS/TLS v1.2|Used to download operating system patches, updates, and apps from Microsoft Store
+|go.microsoft.com|HTTP|Windows Defender and/or Microsoft forward link redirection service (FWLink)
+|g.live.com|HTTP|OneDrive
+|checkappexec.microsoft.com|HTTPS|Used for Windows Defender Smartscreen reporting and notifications
+|emdl.ws.microsoft.com|HTTP|Windows Update
+|*.prod.do.dsp.mp.microsoft.com|HTTP/TLS v1.2|Windows Update
+|*.au.download.windowsupdate.com|HTTP|Windows Update
+|download.windowsupdate.com|HTTP|Windows Update
+|inference.location.live.net|TLS v1.2|Used for Location Data
+|iecvlist.microsoft.com|HTTP|This endpoint is related to Microsoft Edge
+|login.live.com|HTTPS/TLS v1.2|Device Authentication
+|logincdn.msauth.net|HTTPS|OneDrive
+|licensing.mp.microsoft.com|HTTP/TLS v1.2|Licensing
+|maps.windows.com|TLS v1.2|Used to check for updates to maps that have been downloaded for offline use
+|mobile.pipe.aria.microsoft.com|HTTP|Office Telemetry
+|nav.smartscreen.microsoft.com|HTTP|Used for Windows Defender SmartScreen reporting and notifications
+|outlook.office365.com|HTTP|Used to connect to the Microsoft 365 admin center's shared infrastructure, including Office in a browser
+|ocsp.digicert.com|HTTP|Used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available
+|oneclient.sfx.ms|HTTPS|Used by OneDrive for Business to download and verify app updates
+|pti.store.microsoft.com/*|HTTP|Used to communicate with Microsoft Store
+|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP|Used to communicate with Microsoft Store
+|manage.devcenter.microsoft.com|HTTP/TLS v1.2|Used to get Microsoft Store analytics
+|ris.api.iris.microsoft.com|HTTPS|Used to retrieve Windows Spotlight metadata that describes content
+|settings-win.data.microsoft.com|HTTPS/TLS v1.2|Used for Windows apps to dynamically update their configuration
+|smartscreen-prod.microsoft.com|HTTP|Used for Windows Defender SmartScreen reporting and notifications
+|*.blob.core.windows.net|HTTP/TLS v1.2|Windows Telemetry
+|storage.live.com|HTTP/TLS v1.2|OneDrive
+|skydrivesync.policies.live.net|TLS v1.2|OneDrive
+|slscr.update.microsoft.com|HTTPS/TLS V1.2|Windows Update
+|tile-service.weather.microsoft.com|HTTP|Used for the Weather app
+|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTP|This endpoint is used for content regulation
+|watson.telemetry.microsoft.com*|HTTPS/TLS v1.2|Diagnostic Data
+|v10.events.data.microsoft.com/onecollector/1.0/|HTTPS|Microsoft Office
+|v10.events.data.microsoft.com|HTTPS/TLS v1.2|Used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service
+|www.bing.com|HTTPS/TLS v1.2|Cortana and Live Tiles
+|www.msftconnecttest.com|HTTP|Network Connection Status Indicator (NCSI)
+|wdcp.microsoft.com|HTTPS|Used for Windows Defender when Cloud-based Protection is enabled
+
+## Windows 10 Pro
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+|*.prod.do.dsp.mp.microsoft.com|HTTP/TLS v1.2|Windows Update
+|api.onedrive.com|HTTP|One Drive
+|smartscreen-prod.microsoft.com|HTTP|Used for Windows Defender SmartScreen reporting and notifications
+|nav.smartscreen.microsoft.com|HTTPS/TLS v1.2|Windows Defender
+|*.update.microsoft.com|HTTP|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store
+|browser.pipe.aria.microsoft.com|HTTPS|Used to retrieve Skype configuration values
+|*.windowsupdate.com|HTTP|Used to download operating system patches and updates
+|*.wns.windows.com|TLS v1.2|Used for the Windows Push Notification Services (WNS)
+|*dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft Store
+|c-ring.msedge.net|TLS v1.2|Cortana and Live Tiles
+|a-ring.msedge.net|TLS v1.2|Cortana and Live Tiles
+|*storecatalogrevocation.storequality.microsoft.com|HTTP/TLS v1.2|Used to revoke licenses for malicious apps on the Microsoft Store
+|arc.msn.com|HTTP/TLS v1.2|Windows Spotlight
+|*.blob.core.windows.net|HTTP/TLS v1.2|Windows Telemetry
+|cdn.onenote.net|HTTPS/TLS v1.2|OneNote Live Tile
+|checkappexec.microsoft.com|HTTPS|Used for Windows Defender SmartScreen reporting and notifications
+|config.edge.skype.com|HTTP/TLS v1.2|Used to retrieve Skype configuration values
+|config.teams.microsoft.com|HTTPS|Used for Microsoft Teams application
+|ctldl.windowsupdate.com|HTTP|Used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available
+|displaycatalog.mp.microsoft.com*|HTTP/TLS v1.2|Microsoft Store
+|emdl.ws.microsoft.com|HTTP|Windows Update
+|fe2cr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
+|fe3cr.delivery.mp.microsoft.com|HTTPS/TLS v1.2|Windows Update
+|slscr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
+|evoke-windowsservices-tas.msedge.net|HTTPS/TLS v1.2|Used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser
+|fp.msedge.net|HTTPS/TLS v1.2|Cortana and Live Tiles
+|fp-vp.azureedge.net|TLS v1.2|Cortana and Live Tiles
+|g.live.com|TLS v1.2|OneDrive
+|go.microsoft.com|HTTP|Windows Defender and/or Microsoft forward link redirection service (FWLink)
+|iecvlist.microsoft.com|HTTP|Microsoft Edge
+|inference.location.live.net|TLS v1.2|Used for Location Data
+|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP|Used to communicate with Microsoft Store
+|licensing.mp.microsoft.com*|HTTP/TLS v1.2|Licensing
+|login.live.com|HTTPS/TLS v1.2|Device Authentication
+|logincdn.msauth.net|HTTPS|Used for Microsoft accounts to sign in
+|manage.devcenter.microsoft.com|HTTP/TLS v1.2|Microsoft Store analytics
+|maps.windows.com|TLS v1.2|Related to Maps application
+|ocsp.digicert.com|HTTP|Used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available
+|ocsp.msocsp.com|HTTP|Used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available
+|oneclient.sfx.ms|HTTPS|Used by OneDrive for Business to download and verify app updates
+|mobile.pipe.aria.microsoft.com|HTTP|Office Telemetry
+|pti.store.microsoft.com/*|HTTP|Used to communicate with Microsoft Store
+|ris.api.iris.microsoft.com|TLS v1.2|Windows Spotlight
+|settings-win.data.microsoft.com|HTTPS/TLS v1.2|Used for Windows apps to dynamically update their configuration
+|spo-ring.msedge.net|TLSv1.2|Cortana and Live Tiles
+|telecommand.telemetry.microsoft.com|TLS v1.2|Used by Windows Error Reporting ||tile-service.weather.microsoft.com|HTTP|Used for the Weather app
+|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Used for content regulation
+|v10.events.data.microsoft.com/onecollector/1.0/|HTTPS/TLS v1.2|Diagnostic Data
+|v10.events.data.microsoft.com|HTTPS/TLS v1.2|Used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service
+|watson.telemetry.microsoft.com*|HTTPS/TLS v1.2|Used by Windows Error Reporting
+|wdcp.microsoft.com|HTTPS|Used for Windows Defender when Cloud-based Protection is enabled
+|www.bing.com|HTTPS/TLS v1.2|Cortana and Live Tiles
+|www.msftconnecttest.com|HTTP|Network Connection Status Indicator (NCSI)
+|outlook.office365.com|HTTP|Microsoft Office
+|storage.live.com|HTTP/TLS v1.2|One Drive
+|skydrivesync.policies.live.net|TLS v1.2|One Drive
+
+## Windows 10 Education
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+|arc.msn.com|HTTPS/TLS v1.2|Windows Spotlight
+|*.dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft
+|client.wns.windows.com|TLS v1.2|Used for the Windows Push Notification Services (WNS)
+|*storecatalogrevocation.storequality.microsoft.com|TLS v1.2|Used to revoke licenses for malicious apps on the Microsoft Store
+|ctldl.windowsupdate.com|HTTP|Certificate Trust List
+|dmd.metaservices.microsoft.com|HTTP|Device metadata
+|Inference.location.live.net|TLS v1.2|Location
+|oneclient.sfx.ms|HTTPS|OneDrive
+|storage.live.com|HTTP/TLS v1.2|One Drive
+|skydrivesync.policies.live.net|TLS v1.2|OneDrive
+|slscr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
+|fe2cr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
+|fe3cr.delivery.mp.microsoft.com|HTTPS/TLS v1.2|Windows Update
+|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTP/TLS v1.2|Windows Update
+|officehomeblobs.blob.core.windows.net|HTTP|Windows Telemetry
+|displaycatalog.mp.microsoft.com/*|HTTP/TLS v1.2|Microsoft Store
+|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP|Used to communicate with Microsoft Store
+|config.teams.microsoft.com|HTTPS|Teams
+|api.asm.skype.com|TLS v1.2|Used to retrieve Skype configuration values
+|config.edge.skype.com|HTTP/TLS v1.2|Used to retrieve Skype configuration values
+|logincdn.msauth.net|HTTPS|OneDrive
+|iecvlist.microsoft.com|HTTP|Microsoft Edge
+|download.windowsupdate.com|HTTP|Windows Update
+|checkappexec.microsoft.com|HTTPS|Windows Defender
+|pti.store.microsoft.com/*|HTTP|Microsoft Store
+|emdl.ws.microsoft.com|HTTP|Windows Update
+|evoke-windowsservices-tas.msedge.net|HTTPS/TLS v1.2|Photos app
+|g.live.com|TLS v1.2|OneDrive
+|go.microsoft.com|HTTP|Windows Defender
+|licensing.mp.microsoft.com|HTTP/TLS v1.2|Licensing
+|login.live.com|HTTPS/TLS v1.2|Device Authentication
+|manage.devcenter.microsoft.com|TLS v1.2|Microsoft Store analytics
+|ocsp.digicert.com|HTTP|CRL and OCSP checks to the issuing certificate authorities
+|ris.api.iris.microsoft.com|TLS v1.2|Windows spotlight
+|telecommand.telemetry.microsoft.com|TLS v1.2|Used by Windows Error Reporting
+|tile-service.weather.microsoft.com|HTTP|Used to download updates to the Weather app Live Tile
+|v10.events.data.microsoft.com|HTTPS/TLS v1.2|Diagnostic Data
+|V10.events.data.microsoft.com/onecollector/1.0/|HTTPS|Diagnostic Data
+|Watson.telemetry.microsoft.com/telemetry.request|HTTPS|Diagnostic Data
+|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data
+|outlook.office365.com|HTTP|Microsoft Office
+|www.bing.com|TLS v1.2|Used for updates for Cortana, apps, and Live Tiles
+|www.msftconnecttest.com|HTTP|Network Connection (NCSI)
diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md
deleted file mode 100644
index 273f2bac8d..0000000000
--- a/windows/privacy/windows-personal-data-services-configuration.md
+++ /dev/null
@@ -1,408 +0,0 @@
----
-title: Windows 10 personal data services configuration
-description: Learn more about Windows 10 configuration settings that are useful for complying with regulations such as the GDPR and protecting users' personal data.
-keywords: privacy, GDPR, windows, IT
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 05/11/2018
-ms.reviewer:
----
-# Windows 10 personal data services configuration
-
-Applies to:
-- Windows 10, version 1803 and newer
-
-Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization.
-
-IT Professionals that are interested in applying these settings via group policies can find the configuration for download [here](https://go.microsoft.com/fwlink/?linkid=874149).
-
-## Introduction
-
-Microsoft collects data from or generates it through interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, support, and improve Windows 10 services.
-
-Many Windows 10 services are controller services. A user can manage data collection settings, for example by opening *Start > Settings > Privacy* or by visiting the [Microsoft Privacy dashboard](https://account.microsoft.com/privacy). While this relationship between Microsoft and a user is evident in a consumer type scenario, an IT organization can influence that relationship. For example, the IT department has the ability to configure the Windows diagnostic data level across their organization by using Group Policy, registry, or Mobile Device Management (MDM) settings.
-
-Below is a collection of settings related to the Windows 10 personal data services configuration that IT Professionals can use as guidance for influencing Windows diagnostic data collection and personal data protection.
-
-## Windows diagnostic data
-
-Windows 10 collects Windows diagnostic data—such as usage data, performance data, inking, typing, and utterance data—and sends it back to Microsoft. That data is used for keeping the operating system secure and up-to-date, to troubleshoot problems, and to make product improvements. For users who have turned on "Tailored experiences", that data can also be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs.
-
-The following options for configuring Windows diagnostic data are relevant in this context.
-
-### Diagnostic level
-
-This setting determines the amount of Windows diagnostic data sent to Microsoft.
-
->[!NOTE]
->In Windows 10, version 1709, Microsoft introduced a new feature: “Limit Enhanced diagnostic data to the minimum required by Windows Analytics”. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics). For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
->| **Policy Name** | Allow Telemetry |
->| **Default setting** | 2 - Enhanced |
->| **Recommended** | 2 - Enhanced |
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
->| **Policy Name** | Allow Telemetry |
->| **Default setting** | 2 - Enhanced |
->| **Recommended** | 2 - Enhanced |
-
->[!NOTE]
->When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
->| **Value** | AllowTelemetry |
->| **Type** | REG_DWORD |
->| **Setting** | "00000002" |
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKCU\Software\Policies\Microsoft\Windows\DataCollection |
->| **Value** | AllowTelemetry |
->| **Type** | REG_DWORD |
->| **Setting** | "00000002" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **MDM CSP** | System |
->| **Policy** | AllowTelemetry (scope: device and user) |
->| **Default setting** | 2 – Enhanced |
->| **Recommended** | 2 – Allowed |
-
-### Diagnostic opt-in change notifications
-
-This setting determines whether a device shows notifications about Windows diagnostic data levels to people on first logon or when changes occur in the diagnostic configuration.
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
->| **Policy Name** | Configure telemetry opt-in change notifications |
->| **Default setting** | Enabled |
->| **Recommended** | Enabled |
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
->| **Value** | DisableTelemetryOptInChangeNotification |
->| **Type** | REG_DWORD |
->| **Setting** | "00000000" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **MDM CSP** | System |
->| **Policy** | ConfigureTelemetryOptInChangeNotification |
->| **Default setting** | 0 – Enabled |
->| **Recommended** | 0 – Enabled |
-
-### Configure telemetry opt-in setting user interface
-
-This setting determines whether people can change their own Windows diagnostic data level in *Start > Settings > Privacy > Diagnostics & feedback*.
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
->| **Policy Name** | Configure telemetry opt-in setting user interface |
->| **Default setting** | Enabled |
->| **Recommended** | Enabled |
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
->| **Value** | DisableTelemetryOptInSettingsUx |
->| **Type** | REG_DWORD |
->| **Setting** | "00000001" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **MDM CSP** | System |
->| **Policy** | ConfigureTelemetryOptInSettingsUx |
->| **Default setting** | 0 – Enabled |
->| **Recommended** | 0 – Enabled |
-
-## Policies affecting personal data protection managed by the Enterprise IT
-
-There are additional settings usually managed by the Enterprise IT that also affect the protection of personal data.
-
-The following options for configuring these policies are relevant in this context.
-
-### BitLocker
-
-The following settings determine whether fixed and removable drives are protected by the BitLocker Drive Encryption.
-
-#### Fixed Data Drives
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Fixed Data Drives |
->| **Policy Name** | Deny write access to fixed drives not protected by BitLocker |
->| **Default setting** | Not configured |
->| **Recommended** | Enabled |
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE |
->| **Value** | FDVDenyWriteAccess |
->| **Type** | REG_DWORD |
->| **Setting** | "00000001" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **MDM CSP** | BitLocker |
->| **Policy** | FixedDrivesRequireEncryption |
->| **Default setting** | Disabled |
->| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#fixeddrivesrequireencryption)) |
-
-#### Removable Data Drives
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Removable Data Drives |
->| **Policy Name** | Deny write access to removable drives not protected by BitLocker |
->| **Default setting** | Not configured |
->| **Recommended** | Enabled |
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE |
->| **Value** | RDVDenyWriteAccess |
->| **Type** | REG_DWORD |
->| **Setting** | "00000001" |
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\Software\Policies\Microsoft\FVE |
->| **Value** | RDVDenyCrossOrg |
->| **Type** | REG_DWORD |
->| **Setting** | "00000000" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **MDM CSP** | BitLocker |
->| **Policy** | RemovableDrivesRequireEncryption |
->| **Default setting** | Disabled |
->| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#removabledrivesrequireencryption)) |
-
-### Privacy – AdvertisingID
-
-This setting determines if the advertising ID, which preventing apps from using the ID for experiences across apps, is turned off.
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\System\User Profiles |
->| **Policy Name** | Turn off the advertising ID |
->| **Default setting** | Not configured |
->| **Recommended** | Enabled |
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo |
->| **Value** | DisabledByGroupPolicy |
->| **Type** | REG_DWORD |
->| **Setting** | "00000001" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **MDM CSP** | Privacy |
->| **Policy** | DisableAdvertisingId |
->| **Default setting** | 65535 (default) - Not configured |
->| **Recommended** | 1 – Enabled |
-
-### Edge
-
-These settings whether employees send “Do Not Track” from the Microsoft Edge web browser to websites.
-
->[!NOTE]
->Please see [this Microsoft blog post](https://blogs.microsoft.com/on-the-issues/2015/04/03/an-update-on-microsofts-approach-to-do-not-track/) for more details on why the “Do Not Track” is no longer the default setting.
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge |
->| **Policy Name** | Configure Do Not Track |
->| **Default setting** | Disabled |
->| **Recommended** | Disabled |
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Microsoft Edge |
->| **Policy Name** | Configure Do Not Track |
->| **Default setting** | Disabled |
->| **Recommended** | Disabled |
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main |
->| **Value** | DoNotTrack |
->| **Type** | REG_DWORD |
->| **Setting** | "00000000" |
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main |
->| **Value** | DoNotTrack |
->| **Type** | REG_DWORD |
->| **Setting** | "00000000" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **MDM CSP** | Browser |
->| **Policy** | AllowDoNotTrack (scope: device + user) |
->| **Default setting** | 0 (default) – Not allowed |
->| **Recommended** | 0 – Not allowed |
-
-### Internet Explorer
-
-These settings whether employees send “Do Not Track” header from the Microsoft Explorer web browser to websites.
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
->| **Policy Name** | Always send Do Not Track header |
->| **Default setting** | Disabled |
->| **Recommended** | Disabled |
-
-> [!div class="mx-tableFixed"]
->|||
->|:-|:-|
->| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
->| **Policy Name** | Always send Do Not Track header |
->| **Default setting** | Disabled |
->| **Recommended** | Disabled |
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->|||
->|:-|:-|
->| **Registry key** | HKLM\Software\Policies\Microsoft\Internet Explorer\Main |
->| **Value** | DoNotTrack |
->| **Type** | REG_DWORD |
->| **Setting** | "00000000" |
-
-> [!div class="mx-tableFixed"]
->|||
->|:-|:-|
->| **Registry key** | HKCU\Software\Policies\Microsoft\Internet Explorer\Main |
->| **Value** | DoNotTrack |
->| **Type** | REG_DWORD |
->| **Setting** | "00000000" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->|||
->|:-|:-|
->| **MDM CSP** | N/A |
-
-## Additional resources
-
-### FAQs
-
-* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
-* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
-* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
-* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
-
-### Blogs
-
-* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
-
-### Privacy Statement
-
-* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
-
-### Windows Privacy on docs.microsoft.com
-
-* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-* [Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-* [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data)
-* [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
-
-### Other resources
-
-* [Privacy at Microsoft](https://privacy.microsoft.com/)
diff --git a/windows/release-information/TOC.md b/windows/release-information/TOC.md
deleted file mode 100644
index f0457af621..0000000000
--- a/windows/release-information/TOC.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# [Windows 10 release information](index.md)
-# [Message center](windows-message-center.yml)
-# Version 1909
-## [Known issues and notifications](status-windows-10-1909.yml)
-## [Resolved issues](resolved-issues-windows-10-1909.yml)
-# Version 1903
-## [Known issues and notifications](status-windows-10-1903.yml)
-## [Resolved issues](resolved-issues-windows-10-1903.yml)
-# Version 1809 and Windows Server 2019
-## [Known issues and notifications](status-windows-10-1809-and-windows-server-2019.yml)
-## [Resolved issues](resolved-issues-windows-10-1809-and-windows-server-2019.yml)
-# Version 1803
-## [Known issues and notifications](status-windows-10-1803.yml)
-## [Resolved issues](resolved-issues-windows-10-1803.yml)
-# Version 1709
-## [Known issues and notifications](status-windows-10-1709.yml)
-## [Resolved issues](resolved-issues-windows-10-1709.yml)
-# Version 1607 and Windows Server 2016
-## [Known issues and notifications](status-windows-10-1607-and-windows-server-2016.yml)
-## [Resolved issues](resolved-issues-windows-10-1607.yml)
-# Version 1507
-## [Known issues and notifications](status-windows-10-1507.yml)
-## [Resolved issues](resolved-issues-windows-10-1507.yml)
-# Previous versions
-## Windows 8.1 and Windows Server 2012 R2
-### [Known issues and notifications](status-windows-8.1-and-windows-server-2012-r2.yml)
-### [Resolved issues](resolved-issues-windows-8.1-and-windows-server-2012-r2.yml)
-## Windows Server 2012
-### [Known issues and notifications](status-windows-server-2012.yml)
-### [Resolved issues](resolved-issues-windows-server-2012.yml)
-## Windows 7 and Windows Server 2008 R2
-### [Known issues and notifications](status-windows-7-and-windows-server-2008-r2-sp1.yml)
-### [Resolved issues](resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml)
-## Windows Server 2008 SP2
-### [Known issues and notifications](status-windows-server-2008-sp2.yml)
-### [Resolved issues](resolved-issues-windows-server-2008-sp2.yml)
diff --git a/windows/release-information/breadcrumb/toc.yml b/windows/release-information/breadcrumb/toc.yml
deleted file mode 100644
index 5c9f236497..0000000000
--- a/windows/release-information/breadcrumb/toc.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: Docs
- tocHref: /
- topicHref: /
- items:
- - name: Windows
- tocHref: /windows
- topicHref: /windows/windows-10
- items:
- - name: Release information
- tocHref: /windows/release-information/
- topicHref: /windows/release-information/index
diff --git a/windows/release-information/index.md b/windows/release-information/index.md
deleted file mode 100644
index c6eba252f9..0000000000
--- a/windows/release-information/index.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: Windows 10 - release information
-description: Learn release information for Windows 10 releases
-keywords: ["Windows 10", "Windows 10 October 2018 Update"]
-ms.prod: w10
-layout: LandingPage
-ms.topic: landing-page
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: lizap
-ms.author: elizapo
-ms.localizationpriority: high
----
-
-# Windows 10 release information
-
-Feature updates for Windows 10 are released twice a year, around March and September, via the Semi-Annual Channel. They will be serviced with monthly quality updates for 18 or 30 months from the date of the release, depending on the lifecycle policy.
-
-We recommend that you begin deployment of each Semi-Annual Channel release immediately as a targeted deployment to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible.
-
-For information about servicing timelines, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853).
-
-> [!NOTE]
-> Beginning with Windows 10, version 1903, you will find a [single entry for each SAC release](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523).
-
-
-
-
-
-
diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml
deleted file mode 100644
index 7df978985d..0000000000
--- a/windows/release-information/resolved-issues-windows-10-1507.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Resolved issues in Windows 10, version 1507
-metadata:
- document_id:
- title: Resolved issues in Windows 10, version 1507
- description: Resolved issues in Windows 10, version 1507
- keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10, version 1507"]
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- See a list of known issues that have been resolved for Windows 10, version 1507 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
-
- "
-- items:
- - type: markdown
- text: "
-
- "
-
-- title: Resolved issues
-- items:
- - type: markdown
- text: "
-
Summary
Originating update
Status
Date resolved
-
Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and results print job failure.
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
- "
diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml
deleted file mode 100644
index 5585df19da..0000000000
--- a/windows/release-information/resolved-issues-windows-10-1607.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Resolved issues in Windows 10, version 1607 and Windows Server 2016
-metadata:
- document_id:
- title: Resolved issues in Windows 10, version 1607 and Windows Server 2016
- description: Resolved issues in Windows 10, version 1607
- keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10, version 1607"]
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- See a list of known issues that have been resolved for Windows 10, version 1607 and Windows Server 2016 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
-
- "
-- items:
- - type: markdown
- text: "
-
- "
-
-- title: Resolved issues
-- items:
- - type: markdown
- text: "
-
Summary
Originating update
Status
Date resolved
-
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.
IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call NetQueryDisplayInformation may fail to return results after the first page of data.
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: After investigation, we have found that this issue does not affect this version of Windows.
Apps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”
- "
diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml
deleted file mode 100644
index c85bdd82e9..0000000000
--- a/windows/release-information/resolved-issues-windows-10-1709.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Resolved issues in Windows 10, version 1709 and Windows Server, version 1709
-metadata:
- document_id:
- title: Resolved issues in Windows 10, version 1709 and Windows Server, version 1709
- description: Resolved issues in Windows 10, version 1709 and Windows Server 1709
- keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10, version 1709"]
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- See a list of known issues that have been resolved for Windows 10, version 1709 and Windows Server, version 1709 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
-
- "
-- items:
- - type: markdown
- text: "
-
- "
-
-- title: Resolved issues
-- items:
- - type: markdown
- text: "
-
Summary
Originating update
Status
Date resolved
-
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: Due to security related changes in KB4516066, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Select the Start button and type Services.
Locate Touch Keyboard and Handwriting Panel Service and double click on it or long press and select Properties.
Locate Startup type: and change it to Manual
Select Ok
The TabletInputService service is now in the default configuration and IME should work as expected.
- "
diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml
deleted file mode 100644
index 63b5bd826c..0000000000
--- a/windows/release-information/resolved-issues-windows-10-1803.yml
+++ /dev/null
@@ -1,79 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Resolved issues in Windows 10, version 1803
-metadata:
- document_id:
- title: Resolved issues in Windows 10, version 1803
- description: Resolved issues in Windows 10, version 1803
- keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10, version 1803"]
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- See a list of known issues that have been resolved for Windows 10, version 1803 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
-
- "
-- items:
- - type: markdown
- text: "
-
- "
-
-- title: Resolved issues
-- items:
- - type: markdown
- text: "
-
Summary
Originating update
Status
Date resolved
-
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Windows Mixed Reality Portal users may intermittently receive a 15-5 error code You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not wake up from sleep.
IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
Notification issue: \"Your device is missing important security and quality fixes.\" Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes.\"
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Windows Mixed Reality Portal users may intermittently receive a 15-5 error code
After installing KB4512501, Windows Mixed Reality Portal users may intermittently receive a 15-5 error code. In some cases, Windows Mixed Reality Portal may report that the headset is sleeping and pressing “Wake up” may appear to produce no action.
Affected platforms:
Client: Windows 10, version 1809; Windows 10, version 1803
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: Due to security related changes in KB4516058, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Select the Start button and type Services.
Locate Touch Keyboard and Handwriting Panel Service and double click on it or long press and select Properties.
Locate Startup type: and change it to Manual
Select Ok
The TabletInputService service is now in the default configuration and IME should work as expected.
Notification issue: \"Your device is missing important security and quality fixes.\"
Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes\" in the Windows Update dialog and a red \"!\" in the task tray on the Windows Update tray icon. This notification is intended for devices that are 90 days or more out of date, but some users with installed updates released in June or July also saw this notification.
Affected platforms:
Client: Windows 10, version 1803
Server: Windows Server, version 1803
Resolution: This issue was resolved on the server side on August 30, 2019. Only devices that are out of date by 90 days or more should now see the notification. No action is required by the user to resolve this issue. If you are still seeing the \"Your device is missing important security and quality fixes\" notification, we recommend selecting Check for Updates in the Windows Update dialog. For instructions, see Update Windows 10. Microsoft always recommends trying to keep your devices up to date, as the monthly updates contain important security fixes.
- "
diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
deleted file mode 100644
index 887025029f..0000000000
--- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
+++ /dev/null
@@ -1,89 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Resolved issues in Windows 10, version 1809 and Windows Server 2019
-metadata:
- document_id:
- title: Resolved issues in Windows 10, version 1809 and Windows Server 2019
- description: Resolved issues in Windows 10, version 1809 or Windows Server 2019
- keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10 1809"]
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- See a list of known issues that have been resolved for Windows 10, version 1809 and Windows Server 2019 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
-
- "
-- items:
- - type: markdown
- text: "
-
- "
-
-- title: Resolved issues
-- items:
- - type: markdown
- text: "
-
Summary
Originating update
Status
Date resolved
-
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Microsoft Defender Advanced Threat Protection might stop running The Microsoft Defender ATP service might stop running and might fail to send reporting data.
Windows Mixed Reality Portal users may intermittently receive a 15-5 error code You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not wake up from sleep.
Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call NetQueryDisplayInformation may fail to return results after the first page of data.
IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Microsoft Defender Advanced Threat Protection might stop running
After installing the optional non-security update (KB4520062), the Microsoft Defender Advanced Threat Protection (ATP) service might stop running and might fail to send reporting data. You might also receive a 0xc0000409 error in Event Viewer on MsSense.exe.
Note Microsoft Microsoft Defender Antivirus is not affected by this issue.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
Server: Windows Server, version 1809; Windows Server 2019
Windows Mixed Reality Portal users may intermittently receive a 15-5 error code
After installing KB4511553, Windows Mixed Reality Portal users may intermittently receive a 15-5 error code. In some cases, Windows Mixed Reality Portal may report that the headset is sleeping and pressing “Wake up” may appear to produce no action.
Affected platforms:
Client: Windows 10, version 1809; Windows 10, version 1803
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: Due to security related changes in KB4512578, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Select the Start button and type Services.
Locate Touch Keyboard and Handwriting Panel Service and double click on it or long press and select Properties.
Locate Startup type: and change it to Manual
Select Ok
The TabletInputService service is now in the default configuration and IME should work as expected.
Apps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”
- "
diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml
deleted file mode 100644
index b398ac1bc9..0000000000
--- a/windows/release-information/resolved-issues-windows-10-1903.yml
+++ /dev/null
@@ -1,124 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Resolved issues in Windows 10, version 1903 and Windows Server, version 1903
-metadata:
- document_id:
- title: Resolved issues in Windows 10, version 1903 and Windows Server, version 1903
- description: Resolved issues in Windows 10, version 1903 and Windows Server 1903
- keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10, version 1903"]
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- See a list of known issues that have been resolved for Windows 10, version 1903 and Windows Server, version 1903 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
-
- "
-- items:
- - type: markdown
- text: "
-
- "
-
-- title: Resolved issues
-- items:
- - type: markdown
- text: "
-
Summary
Originating update
Status
Date resolved
-
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Unable to discover or connect to Bluetooth devices using some Realtek adapters Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.
Unable to discover or connect to Bluetooth devices using some Qualcomm adapters Microsoft has identified compatibility issues with some versions of Qualcomm Bluetooth radio drivers.
Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.
dGPU occasionally disappear from device manager on Surface Book 2 Some apps or games may close or fail to open on Surface Book 2 devices with Nvidia dGPU.
IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
Some users report issues related to the Start menu and Windows Desktop Search A small number of users have reported issues related to the Start menu and Windows Desktop Search.
Windows Desktop Search may not return any results and may have high CPU usage Windows Desktop Search may not return any results and SearchUI.exe may have high CPU usage after installing KB4512941.
Domain connected devices that use MIT Kerberos realms will not start up Devices may not start after updating when connected to a domain that is configured to use MIT Kerberos realms.
Issues updating when certain versions of Intel storage drivers are installed Windows 10, version 1903 update may fail with certain versions of Intel Rapid Storage Technology (Intel RST) drivers.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.
Initiating a Remote Desktop connection may result in black screen When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen.
Windows Sandbox may fail to start with error code “0x80070002” Windows Sandbox may fail to start on devices in which the operating system language was changed between updates.
Devices starting using PXE from a WDS or Configuration Manager servers may fail to start Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.
Affected platforms:
Client: Windows 10, version 1903
Server: Windows Server, version 1903
Resolution: This issue was resolved in KB4517389 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.
Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
Microsoft and NEC have found incompatibility issues with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards when running Windows 10, version 1903 on specific models of NEC devices. If these devices are updated to Windows 10, version 1903, they will no longer be able to use any Wi-Fi connections. The Wi-Fi driver may have a yellow exclamation point in device manager. The task tray icon for networking may show the icon for no internet and Network & Internet settings may not show any Wi-Fi networks.
To safeguard your update experience, we have applied a compatibility hold on the affected devices from being offered Windows 10, version 1903.
Affected platforms:
Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4522355. The safeguard hold is estimated to be removed in mid-November.
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Audio in games is quiet or different than expected
Microsoft has received reports that audio in certain games is quieter or different than expected. At the request of some of our audio partners, we implemented a compatibility change that enabled certain games to query support and render multi-channel audio. Due to customer feedback, we are reverting this change as some games and some devices are not rendering multi-channel audio as expected. This may result in games sounding different than customers are used to and may have missing channels.
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: Due to security related changes in KB4515384, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Select the Start button and type Services.
Locate Touch Keyboard and Handwriting Panel Service and double click on it or long press and select Properties.
Locate Startup type: and change it to Manual
Select Ok
The TabletInputService service is now in the default configuration and IME should work as expected.
Some users report issues related to the Start menu and Windows Desktop Search
Microsoft has received reports that a small number of users are having issues related to the Start menu and Windows Desktop Search.
Affected platforms:
Client: Windows 10, version 1903
Resolution: At this time, Microsoft has not found a Search or Start issue significantly impacting users originating from KB4515384. We will continue monitoring to ensure users have a high-quality experience when interacting with these areas. If you are currently having issues, we recommend you to take a moment to report it in via the Feedback Hub (Windows + F) then try the Windows 10 Troubleshoot settings (found in Settings). If you are having an issue with search, see Fix problems in Windows Search.
Screenshots and Snips have an unnatural orange tint
When creating screenshots or using similar tools (such as Snipping Tool or Snip & Sketch), the resulting images may have an unnatural orange tint. This issue is caused by the Eye Care mode feature of Lenovo Vantage. This issue started on or around September 5, 2019.
Windows Desktop Search may not return any results and may have high CPU usage
Microsoft is getting reports that a small number of users may not receive results when using Windows Desktop Search and may see high CPU usage from SearchUI.exe when searching after installing KB4512941. This issue is only encountered on devices in which searching the web from Windows Desktop Search has been disabled.
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive the error message, \"Updates Failed, There were problems installing some updates, but we'll try again later\" or \"Error 0x80073701\" on the Windows Update dialog or within Update history.
Affected platforms:
Client: Windows 10, version 1903
Server: Windows Server, version 1903
Resolution: This issue has been resolved for most users. If you are still having issues, please see KB4528159.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512508, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512941. The ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512941 and install. For instructions, see Update Windows 10.
Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).
dGPU occasionally disappear from device manager on Surface Book 2
Microsoft has identified a compatibility issue on some Surface Book 2 devices configured with Nvidia discrete graphics processing units (dGPUs). After updating to Windows 10, version 1903 (the May 2019 Update), some apps or games that needs to perform graphics intensive operations may close or fail to open.
To safeguard your update experience, we have applied a compatibility hold on Surface Book 2 devices with Nvidia dGPU from being offered Windows 10, version 1903 until this issue is resolved.
Affected platforms:
Client: Windows 10, version 1903
Resolved: To resolve this issue, you will need to update the firmware of your Surface Book 2 device. Please see the Surface Book 2 update history pagefor instructions on how to install the October 2019 updates on your device. There is no update for Windows needed for this issue.
The safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903.
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512941 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.
Issues updating when certain versions of Intel storage drivers are installed
Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).
To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing or being offered Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.
Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.8.1050.
Affected platforms:
Client: Windows 10, version 1903
Server: Windows Server, version 1903
Resolution: This issue was resolved in KB4512941 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.
Initiating a Remote Desktop connection may result in black screen
When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen. Any version of Windows may encounter this issue when initiating a Remote Desktop connection to a Windows 10, version 1903 device which is running an affected display driver, including the drivers for the Intel 4 series chipset integrated GPU (iGPU).
Devices starting using PXE from a WDS or Configuration Manager servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager might fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503293 on a WDS server.
Affected platforms:
Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).
To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903
Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903
Server: Windows 10, version 1909; Windows Server, version 1903
Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809
Resolution: This issue was resolved with updated drivers from your device manufacturer (OEM) or Intel. The safeguard hold has been removed.
Note If you are still experiencing the issue described, please contact your device manufacturer (OEM).
Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.
- "
diff --git a/windows/release-information/resolved-issues-windows-10-1909.yml b/windows/release-information/resolved-issues-windows-10-1909.yml
deleted file mode 100644
index a1e9bd5092..0000000000
--- a/windows/release-information/resolved-issues-windows-10-1909.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Resolved issues in Windows 10, version 1909 and Windows Server, version 1909
-metadata:
- document_id:
- title: Resolved issues in Windows 10, version 1909 and Windows Server, version 1909
- description: Resolved issues in Windows 10, version 1909 and Windows Server 1909
- keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10, version 1909"]
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- See a list of known issues that have been resolved for Windows 10, version 1909 and Windows Server, version 1909 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
-
- "
-- items:
- - type: markdown
- text: "
-
- "
-
-- title: Resolved issues
-- items:
- - type: markdown
- text: "
-
Summary
Originating update
Status
Date resolved
-
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Unable to discover or connect to Bluetooth devices using some Realtek adapters Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).
To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903
Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903
Server: Windows 10, version 1909; Windows Server, version 1903
Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.
- "
diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
deleted file mode 100644
index 0e9d00f112..0000000000
--- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: See a list of known issues that have been resolved for Windows 7 and Windows Server 2008 R2 SP1 over the last six months.
-metadata:
- document_id:
- title: Resolved issues in Windows 7 and Windows Server 2008 R2 SP1
- description: Resolved issues in Windows 7 and Windows Server 2008 R2 SP1
- keywords: ["Resolved issues in Windows 7", "Windows 7", "Windows Server 2008 R2 SP1"]
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- See a list of known issues that have been resolved for Windows 7 and Windows Server 2008 R2 SP1 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
-
- "
-- items:
- - type: markdown
- text: "
-
- "
-
-- title: Resolved issues
-- items:
- - type: markdown
- text: "
-
Summary
Originating update
Status
Date resolved
-
After installing an update and restarting, you might receive an error You might receive the error, “Failure to configure Windows updates. Reverting Changes.” or \"Failed\" in Update History.
MSRT might fail to install and be re-offered from Windows Update or WSUS The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.
You may receive an error when opening or using the Toshiba Qosmio AV Center Toshiba Qosmio AV Center may error when opening and you may also receive an error in Event Log related to cryptnet.dll.
After installing an update and restarting, you might receive an error
After installing KB4537820 and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This is expected in the following circumstances:
If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see KB4497181.
If you do not have an ESU MAK add-on key installed and activated.
If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this blog post. For information on the prerequisites, see the \"How to get this update\" section of this article.
After installing KB4534310, your desktop wallpaper when set to \"Stretch\" might display as black.
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1
Resolution: This issue was resolved in KB4539601, if you are using Monthly Rollups. If you are using Security Only updates, see KB4539602. These updates are available for all customers running Windows 7 SP1 and Windows Server 2008 R2 SP1.
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from Windows Update (WU), Windows Server Update Services (WSUS) or Configuration Manager and might be re-offered. If you use WU or WSUS, you might also receive the following error in the WindowsUpdate.log, “Misc WARNING: Digital Signatures on file C:\\Windows\\SoftwareDistribution\\Download\\XXXX are not trusted: Error 0x800b0109”. If you use Configuration Manager, you might also receive the following error in the WUAHandler.log, \"Failed to download updates to the WUAgent datastore. Error = 0x800b0109. WUAHandler 14/11/2019 16:33:23 980 (0x03D4)\". Note All Configuration Manager information also applies to System Center Configuration Manager and Microsoft Endpoint Configuration Manager.
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in the December 2019 release of Windows Malicious Software Removal Tool (MSRT).
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4519976. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.
You may receive an error when opening or using the Toshiba Qosmio AV Center
After installing KB4512506, you may receive an error when opening or using the Toshiba Qosmio AV Center. You may also receive an error in Event Log related to cryptnet.dll.
- "
diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
deleted file mode 100644
index bcebc8ddb6..0000000000
--- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Resolved issues in Windows 8.1 and Windows Server 2012 R2
-metadata:
- document_id:
- title: Resolved issues in Windows 8.1 and Windows Server 2012 R2
- description: Resolved issues in Windows 8.1 and Windows Server 2012 R2
- keywords: ["Resolved issues in Windows 8.1", "Windows 8.1", "Windows Server 2012 R2"]
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- See a list of known issues that have been resolved for Windows 8.1 and Windows Server 2012 R2 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
-
- "
-- items:
- - type: markdown
- text: "
-
- "
-
-- title: Resolved issues
-- items:
- - type: markdown
- text: "
-
Summary
Originating update
Status
Date resolved
-
Printing from 32-bit apps might fail on a 64-bit OS When attempting to print, you may receive an error or the application may stop responding or close.
Windows RT 8.1 devices may have issues opening Internet Explorer 11 On Windows RT 8.1 devices, Internet Explorer 11 may not open and you may receive an error.
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print from a 32-bit app on a 64-bit operating system (OS), you may receive an error, or the application may stop responding or close. Note This issue only affects the 64-bit Security Only updates listed and does not affect any Monthly Rollup.
Affected platforms:
Client: Windows 8.1
Server: Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4525250. However, the issue occurs when you install only KB4512489 (released on August 13, 2019) without installing KB4507457, the previous Security Only update (released July 9, 2019). Reminder When using the Security Only updates, you must install the latest and all previous Security Only updates to ensure that the device contains all resolved security vulnerabilities.
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520005. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.
Windows RT 8.1 devices may have issues opening Internet Explorer 11
On Windows 8.1 RT devices, Internet Explorer 11 may not open and you may receive the error, \"C:\\Program Files\\Internet Explorer\\iexplore.exe: A certificate was explicitly revoked by its issuer.\"
- "
diff --git a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
deleted file mode 100644
index 794271af56..0000000000
--- a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Resolved issues in Windows Server 2008 SP2
-metadata:
- document_id:
- title: Resolved issues in Windows Server 2008 SP2
- description: Resolved issues in Windows Server 2008 SP2
- keywords: ["Resolved issues in Windows Server 2008 SP2", "Windows Server 2008 SP2"]
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- See a list of known issues that have been resolved for Windows Server 2008 SP2 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
-
- "
-- items:
- - type: markdown
- text: "
-
- "
-
-- title: Resolved issues
-- items:
- - type: markdown
- text: "
-
Summary
Originating update
Status
Date resolved
-
After installing an update and restarting, you might receive an error You might receive the error, “Failure to configure Windows updates. Reverting Changes.” or \"Failed\" in Update History.
MSRT might fail to install and be re-offered from Windows Update or WSUS The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.
Issues manually installing updates by double-clicking the .msu file You may encounter issues manually installing updates by double-clicking the .msu file and may receive an error.
After installing an update and restarting, you might receive an error
After installing KB4537810 and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This is expected in the following circumstances:
If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see KB4497181.
If you do not have an ESU MAK add-on key installed and activated.
If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this blog post. For information on the prerequisites, see the \"How to get this update\" section of this article.
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from Windows Update (WU), Windows Server Update Services (WSUS) or Configuration Manager and might be re-offered. If you use WU or WSUS, you might also receive the following error in the WindowsUpdate.log, “Misc WARNING: Digital Signatures on file C:\\Windows\\SoftwareDistribution\\Download\\XXXX are not trusted: Error 0x800b0109”. If you use Configuration Manager, you might also receive the following error in the WUAHandler.log, \"Failed to download updates to the WUAgent datastore. Error = 0x800b0109. WUAHandler 14/11/2019 16:33:23 980 (0x03D4)\". Note All Configuration Manager information also applies to System Center Configuration Manager and Microsoft Endpoint Configuration Manager.
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in the December 2019 release of Windows Malicious Software Removal Tool (MSRT).
Issues manually installing updates by double-clicking the .msu file
After installing the SHA-2 update (KB4474419) released on September 10, 2019, you may encounter issues manually installing updates by double-clicking on the .msu file and may receive the error, \"Installer encountered an error: 0x80073afc. The resource loader failed to find MUI file.\"
Affected platforms:
Server: Windows Server 2008 SP2
Workaround: Open a command prompt and use the following command (replacing <msu location> with the actual location and filename of the update): wusa.exe <msu location> /quiet
Resolution: This issue is resolved in KB4474419 released October 8, 2019. It will install automatically from Windows Update and Windows Server Update Services (WSUS). If you need to install this update manually, you will need to use the workaround above.
Note If you previously installed KB4474419 released September 23, 2019, then you already have the latest version of this update and do not need to reinstall.
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520002. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.
- "
diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml
deleted file mode 100644
index d9f4e51351..0000000000
--- a/windows/release-information/resolved-issues-windows-server-2012.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: See a list of known issues that have been resolved for Windows Server 2012 over the last six months.
-metadata:
- document_id:
- title: Resolved issues in Windows Server 2012
- description: Resolved issues in Windows Server 2012
- keywords: ["Resolved issues in Windows Server 2012", "Windows Server 2012"]
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- See a list of known issues that have been resolved for Windows Server 2012 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
-
- "
-- items:
- - type: markdown
- text: "
-
- "
-
-- title: Resolved issues
-- items:
- - type: markdown
- text: "
-
Summary
Originating update
Status
Date resolved
-
Printing from 32-bit apps might fail on a 64-bit OS When attempting to print, you may receive an error or the application may stop responding or close.
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print from a 32-bit app on a 64-bit operating system (OS), you may receive an error, or the application may stop responding or close. Note This issue only affects the 64-bit Security Only updates listed and does not affect any Monthly Rollup.
Affected platforms:
Client: Windows 8.1
Server: Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4525253. However, the issue occurs when you install only KB4512482 (released on August 13, 2019) without installing KB4507447, the previous Security Only update (released July 9, 2019). Reminder When using the Security Only updates, you must install the latest and all previous Security Only updates to ensure that the device contains all resolved security vulnerabilities.
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520007. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.
- "
diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml
deleted file mode 100644
index 9c9ab15b4e..0000000000
--- a/windows/release-information/status-windows-10-1507.yml
+++ /dev/null
@@ -1,101 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Windows 10, version 1507
-metadata:
- document_id:
- title: Windows 10, version 1507
- description: View announcements and review known issues and fixes for Windows 10 version 1507
- keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- Find information on known issues for Windows 10, version 1507. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
- "
-
-- items:
- - type: list
- style: cards
- className: cardsM
- columns: 3
- items:
-
- - href: https://aka.ms/Windows7ESU
- html: Stay protected with Extended Security Updates >
- image:
- src: https://docs.microsoft.com/media/common/i_subscription.svg
- title: Still have devices running Windows 7 in your enterprise?
- - href: https://aka.ms/1909mechanics
- html: Explore the improvements >
- image:
- src: http://docs.microsoft.com/media/common/i_investigate.svg
- title: Windows 10, version 1909 delivery options
- - href: https://aka.ms/whats-new-in-1909
- html: Learn about the latest capabilities for IT >
- image:
- src: http://docs.microsoft.com/media/common/i_article.svg
- title: What’s new in Windows 10, version 1909
-- items:
- - type: markdown
- text: "
-
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
You might encounter issues trying to install or after installing KB4502496.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4502496) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update.
Select the start button or Windows Desktop Search and type update history and select View your Update history.
On the Settings/View update history dialog window, Select Uninstall Updates.
On the Installed Updates dialog window, find and select KB4502496 and select the Uninstall button.
Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
\"The request was aborted: Could not create SSL/TLS secure Channel\"
SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
Perform the operation from a process that has administrator privilege.
Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
- "
diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
deleted file mode 100644
index 7aa6de52e5..0000000000
--- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
+++ /dev/null
@@ -1,113 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Windows 10, version 1607 and Windows Server 2016
-metadata:
- document_id:
- title: Windows 10, version 1607 and Windows Server 2016
- description: View announcements and review known issues and fixes for Windows 10 version 1607 and Windows Server 2016
- keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- Find information on known issues for Windows 10, version 1607 and Windows Server 2016. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
- "
-
-- items:
- - type: list
- style: cards
- className: cardsM
- columns: 3
- items:
-
- - href: https://aka.ms/Windows7ESU
- html: Stay protected with Extended Security Updates >
- image:
- src: https://docs.microsoft.com/media/common/i_subscription.svg
- title: Still have devices running Windows 7 in your enterprise?
- - href: https://aka.ms/1909mechanics
- html: Explore the improvements >
- image:
- src: http://docs.microsoft.com/media/common/i_investigate.svg
- title: Windows 10, version 1909 delivery options
- - href: https://aka.ms/whats-new-in-1909
- html: Learn about the latest capabilities for IT >
- image:
- src: http://docs.microsoft.com/media/common/i_article.svg
- title: What’s new in Windows 10, version 1909
-- items:
- - type: markdown
- text: "
-
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
Cluster service may fail if the minimum password length is set to greater than 14 The cluster service may fail to start if “Minimum Password Length” is configured with greater than 14 characters.
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.
If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
Select the start button or Windows Desktop Search and type update history and select View your Update history.
On the Settings/View update history dialog window, Select Uninstall Updates.
On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
Restart your device.
Upon restart use the “Reset this PC” feature and you should not encounter this issue.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
You might encounter issues trying to install or after installing KB4524244.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update.
Select the start button or Windows Desktop Search and type update history and select View your Update history.
On the Settings/View update history dialog window, Select Uninstall Updates.
On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
\"The request was aborted: Could not create SSL/TLS secure Channel\"
SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
Perform the operation from a process that has administrator privilege.
Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Cluster service may fail if the minimum password length is set to greater than 14
After installing KB4467684, the cluster service may fail to start with the error \"2245 (NERR_PasswordTooShort)\" if the Group Policy \"Minimum Password Length\" is configured with greater than 14 characters.
Affected platforms:
Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
Server: Windows Server 2016
Workaround: Set the domain default \"Minimum Password Length\" policy to less than or equal to 14 characters.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
- "
diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml
deleted file mode 100644
index 8938c52372..0000000000
--- a/windows/release-information/status-windows-10-1709.yml
+++ /dev/null
@@ -1,103 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Windows 10, version 1709 and Windows Server, version 1709
-metadata:
- document_id:
- title: Windows 10, version 1709 and Windows Server, version 1709
- description: View announcements and review known issues and fixes for Windows 10 version 1709 and Windows Server 1709
- keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- Find information on known issues for Windows 10, version 1709 and Windows Server, version 1709. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
- "
-
-- items:
- - type: list
- style: cards
- className: cardsM
- columns: 3
- items:
-
- - href: https://aka.ms/Windows7ESU
- html: Stay protected with Extended Security Updates >
- image:
- src: https://docs.microsoft.com/media/common/i_subscription.svg
- title: Still have devices running Windows 7 in your enterprise?
- - href: https://aka.ms/1909mechanics
- html: Explore the improvements >
- image:
- src: http://docs.microsoft.com/media/common/i_investigate.svg
- title: Windows 10, version 1909 delivery options
- - href: https://aka.ms/whats-new-in-1909
- html: Learn about the latest capabilities for IT >
- image:
- src: http://docs.microsoft.com/media/common/i_article.svg
- title: What’s new in Windows 10, version 1909
-- items:
- - type: markdown
- text: "
-
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.
If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
Select the start button or Windows Desktop Search and type update history and select View your Update history.
On the Settings/View update history dialog window, Select Uninstall Updates.
On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
Restart your device.
Upon restart use the “Reset this PC” feature and you should not encounter this issue.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
You might encounter issues trying to install or after installing KB4524244.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update.
Select the start button or Windows Desktop Search and type update history and select View your Update history.
On the Settings/View update history dialog window, Select Uninstall Updates.
On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
\"The request was aborted: Could not create SSL/TLS secure Channel\"
SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
Perform the operation from a process that has administrator privilege.
Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
- "
diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml
deleted file mode 100644
index 1baf22a6b0..0000000000
--- a/windows/release-information/status-windows-10-1803.yml
+++ /dev/null
@@ -1,107 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Windows 10, version 1803
-metadata:
- document_id:
- title: Windows 10, version 1803
- description: View announcements and review known issues and fixes for Windows 10 version 1803
- keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- Find information on known issues for Windows 10, version 1803. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
-
-
Current status as of November 12, 2019:
Windows 10, version 1803 (the April 2018 Update) Home and Pro editions have reached end of service. For Windows 10 devices that are at, or within several months of reaching end of service, Windows Update will automatically initiate a feature update (with users having the ability to choose a convenient time); keeping those devices supported and receiving the monthly updates that are critical to device security and ecosystem health.
-
-
- "
-
-- items:
- - type: list
- style: cards
- className: cardsM
- columns: 3
- items:
-
- - href: https://aka.ms/Windows7ESU
- html: Stay protected with Extended Security Updates >
- image:
- src: https://docs.microsoft.com/media/common/i_subscription.svg
- title: Still have devices running Windows 7 in your enterprise?
- - href: https://aka.ms/1909mechanics
- html: Explore the improvements >
- image:
- src: http://docs.microsoft.com/media/common/i_investigate.svg
- title: Windows 10, version 1909 delivery options
- - href: https://aka.ms/whats-new-in-1909
- html: Learn about the latest capabilities for IT >
- image:
- src: http://docs.microsoft.com/media/common/i_article.svg
- title: What’s new in Windows 10, version 1909
-- items:
- - type: markdown
- text: "
-
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.
If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
Select the start button or Windows Desktop Search and type update history and select View your Update history.
On the Settings/View update history dialog window, Select Uninstall Updates.
On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
Restart your device.
Upon restart use the “Reset this PC” feature and you should not encounter this issue.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
You might encounter issues trying to install or after installing KB4524244.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update.
Select the start button or Windows Desktop Search and type update history and select View your Update history.
On the Settings/View update history dialog window, Select Uninstall Updates.
On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
\"The request was aborted: Could not create SSL/TLS secure Channel\"
SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
Perform the operation from a process that has administrator privilege.
Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
- "
diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
deleted file mode 100644
index a684f5350f..0000000000
--- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
+++ /dev/null
@@ -1,117 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Windows 10, version 1809 and Windows Server 2019
-metadata:
- document_id:
- title: Windows 10, version 1809 and Windows Server 2019
- description: View announcements and review known issues and fixes for Windows 10 version 1809 and Windows Server 2019
- keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- Find information on known issues for Windows 10, version 1809 and Windows Server 2019. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
-
-
Current status as of November 12, 2019:
Windows 10, version 1809 is designated for broad deployment. The recommended servicing status is Semi-Annual Channel.
-
-
- "
-
-- items:
- - type: list
- style: cards
- className: cardsM
- columns: 3
- items:
-
- - href: https://aka.ms/Windows7ESU
- html: Stay protected with Extended Security Updates >
- image:
- src: https://docs.microsoft.com/media/common/i_subscription.svg
- title: Still have devices running Windows 7 in your enterprise?
- - href: https://aka.ms/1909mechanics
- html: Explore the improvements >
- image:
- src: http://docs.microsoft.com/media/common/i_investigate.svg
- title: Windows 10, version 1909 delivery options
- - href: https://aka.ms/whats-new-in-1909
- html: Learn about the latest capabilities for IT >
- image:
- src: http://docs.microsoft.com/media/common/i_article.svg
- title: What’s new in Windows 10, version 1909
-- items:
- - type: markdown
- text: "
-
Devices with some Asian language packs installed may receive an error Devices with Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.
If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
Select the start button or Windows Desktop Search and type update history and select View your Update history.
On the Settings/View update history dialog window, Select Uninstall Updates.
On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
Restart your device.
Upon restart use the “Reset this PC” feature and you should not encounter this issue.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
You might encounter issues trying to install or after installing KB4524244.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update.
Select the start button or Windows Desktop Search and type update history and select View your Update history.
On the Settings/View update history dialog window, Select Uninstall Updates.
On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
\"The request was aborted: Could not create SSL/TLS secure Channel\"
SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.
Devices with some Asian language packs installed may receive an error
After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
Server: Windows Server, version 1809; Windows Server 2019
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
Perform the operation from a process that has administrator privilege.
Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
- "
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml
deleted file mode 100644
index 4fe4e28478..0000000000
--- a/windows/release-information/status-windows-10-1903.yml
+++ /dev/null
@@ -1,99 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Windows 10, version 1903 and Windows Server, version 1903
-metadata:
- document_id:
- title: Windows 10, version 1903 and Windows Server, version 1903
- description: View announcements and review known issues and fixes for Windows 10 version 1903 and Windows Server 1903
- keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- Find information on known issues and the status of the rollout for Windows 10, version 1903 and Windows Server, version 1903. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
-
-
Current status as of November 12, 2019:
Windows 10, version 1903 (the May 2019 Update) is designated ready for broad deployment for all users via Windows Update.
We recommend commercial customers running earlier versions of Windows 10 begin broad deployments of Windows 10, version 1903 in their organizations.
Note Follow @WindowsUpdate to find out when new content is published to the release information dashboard.
-
-
- "
-
-- items:
- - type: list
- style: cards
- className: cardsM
- columns: 3
- items:
-
- - href: https://aka.ms/Windows7ESU
- html: Stay protected with Extended Security Updates >
- image:
- src: https://docs.microsoft.com/media/common/i_subscription.svg
- title: Still have devices running Windows 7 in your enterprise?
- - href: https://aka.ms/1909mechanics
- html: Explore the improvements >
- image:
- src: http://docs.microsoft.com/media/common/i_investigate.svg
- title: Windows 10, version 1909 delivery options
- - href: https://aka.ms/whats-new-in-1909
- html: Learn about the latest capabilities for IT >
- image:
- src: http://docs.microsoft.com/media/common/i_article.svg
- title: What’s new in Windows 10, version 1909
-- items:
- - type: markdown
- text: "
-
Issues with some older versions of Avast and AVG anti-virus products Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.
If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
Select the start button or Windows Desktop Search and type update history and select View your Update history.
On the Settings/View update history dialog window, Select Uninstall Updates.
On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
Restart your device.
Upon restart use the “Reset this PC” feature and you should not encounter this issue.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
You might encounter issues trying to install or after installing KB4524244.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update.
Select the start button or Windows Desktop Search and type update history and select View your Update history.
On the Settings/View update history dialog window, Select Uninstall Updates.
On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some older versions of Avast Antivirus and AVG Antivirus that might still be installed by a small number of users. Any application from Avast or AVG that contains Antivirus version 19.5.4444.567 or earlier is affected.
To safeguard your upgrade experience, we have applied a hold on devices with affected Avast and AVG Antivirus from being offered or installing Windows 10, version 1903 or Windows 10, version 1909, until the application is updated.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903
Server: Windows Server, version 1909; Windows Server, version 1903
Workaround: Before updating to Windows 10, version 1903 or Windows 10, version 1909, you will need to download and install an updated version of your Avast or AVG application. Guidance for Avast and AVG customers can be found in the following support articles:
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new version of your Avast or AVG application has been installed and the Windows 10, version 1903 or Windows 10, version 1909 feature update has been automatically offered to you.
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
\"The request was aborted: Could not create SSL/TLS secure Channel\"
SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.
- "
diff --git a/windows/release-information/status-windows-10-1909.yml b/windows/release-information/status-windows-10-1909.yml
deleted file mode 100644
index 6029fe13f7..0000000000
--- a/windows/release-information/status-windows-10-1909.yml
+++ /dev/null
@@ -1,97 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Windows 10, version 1909 and Windows Server, version 1909
-metadata:
- document_id:
- title: Windows 10, version 1909 and Windows Server, version 1909
- description: View announcements and review known issues and fixes for Windows 10 version 1909 and Windows Server 1909
- keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- Find information on known issues and the status of the rollout for Windows 10, version 1909 and Windows Server, version 1909. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
-
-
Current status as of January 21, 2020:
Windows 10, version 1909 is available for any user on a recent version of Windows 10 who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.
We are starting the next phase in our controlled approach to automatically initiate a feature update for an increased number of devices running the October 2018 Update (Windows 10, version 1809) Home and Pro editions, keeping those devices supported and receiving the monthly updates that are critical to device security and ecosystem health. Our rollout process starts several months in advance of the end of service date to provide adequate time for a smooth update process.
For information on how users running Windows 10, version 1903 can update to Windows 10, version 1909 in a new, streamlined way, see this post.
Note follow @WindowsUpdate on Twitter to find out when new content is published to the release information dashboard.
-
-
- "
-
-- items:
- - type: list
- style: cards
- className: cardsM
- columns: 3
- items:
-
- - href: https://aka.ms/Windows7ESU
- html: Stay protected with Extended Security Updates >
- image:
- src: https://docs.microsoft.com/media/common/i_subscription.svg
- title: Still have devices running Windows 7 in your enterprise?
- - href: https://aka.ms/1909mechanics
- html: Explore the improvements >
- image:
- src: http://docs.microsoft.com/media/common/i_investigate.svg
- title: Windows 10, version 1909 delivery options
- - href: https://aka.ms/whats-new-in-1909
- html: Learn about the latest capabilities for IT >
- image:
- src: http://docs.microsoft.com/media/common/i_article.svg
- title: What’s new in Windows 10, version 1909
-- items:
- - type: markdown
- text: "
-
Issues with some older versions of Avast and AVG anti-virus products Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.
If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
Select the start button or Windows Desktop Search and type update history and select View your Update history.
On the Settings/View update history dialog window, Select Uninstall Updates.
On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
Restart your device.
Upon restart use the “Reset this PC” feature and you should not encounter this issue.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
You might encounter issues trying to install or after installing KB4524244.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update.
Select the start button or Windows Desktop Search and type update history and select View your Update history.
On the Settings/View update history dialog window, Select Uninstall Updates.
On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some older versions of Avast Antivirus and AVG Antivirus that might still be installed by a small number of users. Any application from Avast or AVG that contains Antivirus version 19.5.4444.567 or earlier is affected.
To safeguard your upgrade experience, we have applied a hold on devices with affected Avast and AVG Antivirus from being offered or installing Windows 10, version 1903 or Windows 10, version 1909, until the application is updated.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903
Server: Windows Server, version 1909; Windows Server, version 1903
Workaround: Before updating to Windows 10, version 1903 or Windows 10, version 1909, you will need to download and install an updated version of your Avast or AVG application. Guidance for Avast and AVG customers can be found in the following support articles:
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new version of your Avast or AVG application has been installed and the Windows 10, version 1903 or Windows 10, version 1909 feature update has been automatically offered to you.
- "
diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
deleted file mode 100644
index d7e5928590..0000000000
--- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
+++ /dev/null
@@ -1,111 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Windows 7 and Windows Server 2008 R2 SP1
-metadata:
- document_id:
- title: Windows 7 and Windows Server 2008 R2 SP1
- description: View announcements and review known issues and fixes for Windows 7 and Windows Server 2008 R2 SP1
- keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- Find information on known issues for Windows 7 and Windows Server 2008 R2 SP1. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
- "
-
-- items:
- - type: list
- style: cards
- className: cardsM
- columns: 3
- items:
-
- - href: https://aka.ms/Windows7ESU
- html: Stay protected with Extended Security Updates >
- image:
- src: https://docs.microsoft.com/media/common/i_subscription.svg
- title: Still have devices running Windows 7 in your enterprise?
- - href: https://aka.ms/1909mechanics
- html: Explore the improvements >
- image:
- src: http://docs.microsoft.com/media/common/i_investigate.svg
- title: Windows 10, version 1909 delivery options
- - href: https://aka.ms/whats-new-in-1909
- html: Learn about the latest capabilities for IT >
- image:
- src: http://docs.microsoft.com/media/common/i_article.svg
- title: What’s new in Windows 10, version 1909
-- items:
- - type: markdown
- text: "
-
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
-
Summary
Originating update
Status
Last updated
-
After installing an update and restarting, you might receive an error You might receive the error, “Failure to configure Windows updates. Reverting Changes.” or \"Failed\" in Update History.
IA64 and x64 devices may fail to start after installing updates After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.
After installing an update and restarting, you might receive an error
After installing KB4537820 and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This is expected in the following circumstances:
If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see KB4497181.
If you do not have an ESU MAK add-on key installed and activated.
If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this blog post. For information on the prerequisites, see the \"How to get this update\" section of this article.
After installing KB4534310, your desktop wallpaper when set to \"Stretch\" might display as black.
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1
Resolution: This issue was resolved in KB4539601, if you are using Monthly Rollups. If you are using Security Only updates, see KB4539602. These updates are available for all customers running Windows 7 SP1 and Windows Server 2008 R2 SP1.
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
\"The request was aborted: Could not create SSL/TLS secure Channel\"
SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.
IA64 and x64 devices may fail to start after installing updates
IA64 devices (in any configuration) and x64 devices using EFI boot that were provisioned after the July 9th updates and/or skipped the recommended update (KB3133977), may fail to start with the following error:
\"File: \\Windows\\system32\\winload.efi
Status: 0xc0000428
Info: Windows cannot verify the digital signature for this file.\"
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1
Take Action: To resolve this issue please follow the steps outlined in the SHA-2 support FAQ article for error code 0xc0000428.
- "
diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
deleted file mode 100644
index 01f8a8436e..0000000000
--- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
+++ /dev/null
@@ -1,111 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Windows 8.1 and Windows Server 2012 R2
-metadata:
- document_id:
- title: Windows 8.1 and Windows Server 2012 R2
- description: View announcements and review known issues and fixes for Windows 8.1 and Windows Server 2012 R2.
- keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- Find information on known issues for Windows 8.1 and Windows Server 2012 R2. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
- "
-
-- items:
- - type: list
- style: cards
- className: cardsM
- columns: 3
- items:
-
- - href: https://aka.ms/Windows7ESU
- html: Stay protected with Extended Security Updates >
- image:
- src: https://docs.microsoft.com/media/common/i_subscription.svg
- title: Still have devices running Windows 7 in your enterprise?
- - href: https://aka.ms/1909mechanics
- html: Explore the improvements >
- image:
- src: http://docs.microsoft.com/media/common/i_investigate.svg
- title: Windows 10, version 1909 delivery options
- - href: https://aka.ms/whats-new-in-1909
- html: Learn about the latest capabilities for IT >
- image:
- src: http://docs.microsoft.com/media/common/i_article.svg
- title: What’s new in Windows 10, version 1909
-- items:
- - type: markdown
- text: "
-
Japanese IME doesn't show the new Japanese Era name as a text input option With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
You might encounter issues trying to install or after installing KB4502496.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4502496) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update.
Select the start button or Windows Desktop Search and type update history and select View your Update history.
On the Settings/View update history dialog window, Select Uninstall Updates.
On the Installed Updates dialog window, find and select KB4502496 and select the Uninstall button.
Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
\"The request was aborted: Could not create SSL/TLS secure Channel\"
SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.
Japanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
Affected platforms:
Client: Windows 8.1
Server: Windows Server 2012 R2; Windows Server 2012
Workaround:
If you see any of the previous dictionary updates listed below, uninstall it from Programs and features > Uninstall or change a program. New words that were in previous dictionary updates are also in this update.
Update for Japanese Microsoft IME Standard Dictionary (15.0.2013)
Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.2013)
Update for Japanese Microsoft IME Standard Dictionary (15.0.1215)
Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1215)
Update for Japanese Microsoft IME Standard Dictionary (15.0.1080)
Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1080)
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
Perform the operation from a process that has administrator privilege.
Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
- "
diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml
deleted file mode 100644
index 386d5d16ad..0000000000
--- a/windows/release-information/status-windows-server-2008-sp2.yml
+++ /dev/null
@@ -1,91 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Windows Server 2008 SP2
-metadata:
- document_id:
- title: Windows Server 2008 SP2
- description: View announcements and review known issues and fixes for Windows Server 2008 SP2.
- keywords: Windows, Windows 10, issues, fixes, announcements, Windows Server, advisories
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- Find information on known issues for Windows Server 2008 SP2. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
- "
-
-- items:
- - type: list
- style: cards
- className: cardsM
- columns: 3
- items:
-
- - href: https://aka.ms/Windows7ESU
- html: Stay protected with Extended Security Updates >
- image:
- src: https://docs.microsoft.com/media/common/i_subscription.svg
- title: Still have devices running Windows 7 in your enterprise?
- - href: https://aka.ms/1909mechanics
- html: Explore the improvements >
- image:
- src: http://docs.microsoft.com/media/common/i_investigate.svg
- title: Windows 10, version 1909 delivery options
- - href: https://aka.ms/whats-new-in-1909
- html: Learn about the latest capabilities for IT >
- image:
- src: http://docs.microsoft.com/media/common/i_article.svg
- title: What’s new in Windows 10, version 1909
-- items:
- - type: markdown
- text: "
-
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
-
Summary
Originating update
Status
Last updated
-
After installing an update and restarting, you might receive an error You might receive the error, “Failure to configure Windows updates. Reverting Changes.” or \"Failed\" in Update History.
After installing an update and restarting, you might receive an error
After installing KB4537810 and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This is expected in the following circumstances:
If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see KB4497181.
If you do not have an ESU MAK add-on key installed and activated.
If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this blog post. For information on the prerequisites, see the \"How to get this update\" section of this article.
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
\"The request was aborted: Could not create SSL/TLS secure Channel\"
SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.
- "
diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml
deleted file mode 100644
index cba7737955..0000000000
--- a/windows/release-information/status-windows-server-2012.yml
+++ /dev/null
@@ -1,111 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Windows Server 2012
-metadata:
- document_id:
- title: Windows Server 2012
- description: View announcements and review known issues and fixes for Windows Server 2012
- keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- Find information on known issues for Windows Server 2012. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
- "
-
-- items:
- - type: list
- style: cards
- className: cardsM
- columns: 3
- items:
-
- - href: https://aka.ms/Windows7ESU
- html: Stay protected with Extended Security Updates >
- image:
- src: https://docs.microsoft.com/media/common/i_subscription.svg
- title: Still have devices running Windows 7 in your enterprise?
- - href: https://aka.ms/1909mechanics
- html: Explore the improvements >
- image:
- src: http://docs.microsoft.com/media/common/i_investigate.svg
- title: Windows 10, version 1909 delivery options
- - href: https://aka.ms/whats-new-in-1909
- html: Learn about the latest capabilities for IT >
- image:
- src: http://docs.microsoft.com/media/common/i_article.svg
- title: What’s new in Windows 10, version 1909
-- items:
- - type: markdown
- text: "
-
Japanese IME doesn't show the new Japanese Era name as a text input option With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
You might encounter issues trying to install or after installing KB4502496.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4502496) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update.
Select the start button or Windows Desktop Search and type update history and select View your Update history.
On the Settings/View update history dialog window, Select Uninstall Updates.
On the Installed Updates dialog window, find and select KB4502496 and select the Uninstall button.
Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
\"The request was aborted: Could not create SSL/TLS secure Channel\"
SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.
Japanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
Affected platforms:
Client: Windows 8.1
Server: Windows Server 2012 R2; Windows Server 2012
Workaround:
If you see any of the previous dictionary updates listed below, uninstall it from Programs and features > Uninstall or change a program. New words that were in previous dictionary updates are also in this update.
Update for Japanese Microsoft IME Standard Dictionary (15.0.2013)
Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.2013)
Update for Japanese Microsoft IME Standard Dictionary (15.0.1215)
Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1215)
Update for Japanese Microsoft IME Standard Dictionary (15.0.1080)
Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1080)
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
Perform the operation from a process that has administrator privilege.
Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
The February 2020 optional monthly “D” release for Windows 10, version 1909 and Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
February 27, 2020 01:30 PM PT
-
February 2020 Windows \"C\" optional release is available.
The February 2020optional monthly “C” release for all supported versions of Windows prior to Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
February 25, 2020 08:00 AM PT
-
Status of February 2020 “C” release
The optional monthly “C” release for February 2020 for all supported versions of Windows and Windows Server prior to Windows 10, version 1903 and Windows Server, version 1903 will be available in the near term. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
The February 2020 security update release, referred to as our “B” release, is now available for Windows 10, version 1909 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
February 11, 2020 08:00 AM PT
-
Take action: ESU security updates available for Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2
Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 reached end of support on January 14, 2020. For customers who have purchased Extended Security Updates (ESU), the first monthly ESU security updates are now available. If your organization has not yet been able to complete your transition to Windows 10, Windows Server 2016, or Windows Server 2019 and want to continue to receive security updates for your current version of Windows, you will need to purchase Extended Security Updates. For information on how to do so, please see How to get Extended Security Updates for eligible Windows devices, Windows 7 ESU frequently ask questions, and Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 ESU frequently asked questions.
We recommend ESU customers review the applicable KB article below for prerequisites and other important information you will need to deploy these updates.
The following updates were released today for Windows Server 2008 SP2:
Internet Explorer 11 Cumulative Updates (KB4537767)
February 11, 2020 08:00 AM PT
-
Resolved: Windows Search shows blank box
We are aware of a temporary server-side issue causing Windows search to show a blank box. This issue has been resolved for most users and in some cases, you might need to restart your device. We are working diligently to fully resolve the issue and will provide an update once resolved.
This issue was resolved at 12:00 PM PST. If you are still experiencing issues, please restart your device. In rare cases, to mitigate this issue you may need to manually end the SearchUI.exe or SearchApp.exe process via Task Manager. (To locate these processes, select CTRL + Shift + Esc then select the Details tab.) If you have restarted and tried the previous mitigations and are still encountering issues with Windows Search, you are not experiencing the issue described here. Please see Fix problems in Windows Search for other mitigations.
The January2020 optional monthly “D” release for Windows 10, version 1909 and Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
January 28, 2020 08:00 AM PT
-
January 2020 Windows \"C\" optional release is available.
The January 2020 optional monthly “C” release for all supported versions of Windows is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
Windows 7 reached end of support on January 14, 2020. If your organization has not yet been able to complete your transition from Windows 7 to Windows 10, and want to continue to receive security updates while you complete your upgrade projects, please read How to get Extended Security Updates for eligible Windows devices. For more information on end of service dates for currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
The January 2020 security update release, referred to as our “B” release, is now available for Windows 10, version 1909 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
On January 14, 2020, Microsoft released security updates to address an elliptic-curve cryptography (ECC) certificate validation issue in the Windows CryptoAPI. This vulnerability applies to all versions of the Windows 10 operating system, client and server. While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to all of your Windows 10 devices with priority. Here is what you need to know:
If you are running a supported version of Windows 10 and have automatic updates enabled, you are automatically protected and do not need to take any further action.
If you are managing updates on behalf of your organization, you should download the latest updates from the Microsoft Security Update Guide and apply those updates to your Windows 10 devices and servers as soon as possible.
The December 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1909 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
December 10, 2019 08:00 AM PT
-
Timing of Windows 10 optional update releases (December 2019)
For the balance of this calendar year, there will be no optional non-security “C” and “D” releases for Windows 10. The \"C\" releases normally target the third week of the month, with \"D\" releases targeting the fourth week. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer.
Learn how to get Windows 10, version 1909 (the November 2019 Update), and explore how we’ve worked to make this a great experience for all devices, including a new, streamlined (and fast) update experience for devices updating directly from the May 2019 Update.
Learn how devices running Windows 10, version 1903 can update to Windows 10, version 1909 using the same servicing technology used to deliver monthly quality updates, resulting in a single restart and reducing update-related downtime.
The November 2019 security update release, referred to as our “B” release, is now available for all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
November 12, 2019 10:00 AM PT
-
Timing of Windows 10 optional update releases (November/December 2019)
For the balance of this calendar year, there will be no optional non-security “C” and “D” releases for Windows 10. The \"C\" releases normally target the third week of the month, with \"D\" releases targeting the fourth week. Note There will be a December Security Update Tuesday release, as usual. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer
Windows 10, version 1803 (the April 2018 Update) Home and Pro editions have reached end of service. For Windows 10 devices that are at, or within several months of reaching end of service, Windows Update will automatically initiate a feature update (with users having the ability to choose a convenient time); keeping those devices supported and receiving the monthly updates that are critical to device security and ecosystem health. For more information on end of service dates for currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
The October 2019 optional monthly “D” release for Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
October 24, 2019 08:00 AM PT
-
October 2019 Windows \"C\" optional release is available.
The October 2019optional monthly “C” release for all supported versions of Windows is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
Consumer and commercial editions of Windows 10, version 1703 have reached end of service. As devices running these editions are no longer receiving monthly security and quality updates containing protections from the latest security threats, we recommend that you update these devices to the latest version of Windows 10 immediately. For more information on end of service dates for currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
Note The Windows 10, version 1703 section will be removed from this dashboard on November 12, 2019.
The October 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
On October 3, 2019, Microsoft expanded delivery of the out-of-band Internet Explorer scripting engine security vulnerability (CVE-2019-1367) update released on September 23, 2019 to Windows Update and Windows Server Update Services (WSUS). This is now a required security update for all supported versions of Windows as it includes the Internet Explorer scripting engine vulnerability mitigation and corrects a recent printing issue some users have experienced. All customers using Windows Update or WSUS will be offered this update automatically. We recommend that you install this update as soon as a possible, then restart your PC to fully apply the mitigations and help secure your devices. As with all cumulative updates, this update supersedes any preceding update.
Note: This update does not replace the standard October 2019 monthly security update release, which is scheduled for October 8, 2019.
The September 2019 optional monthly “D” release for Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
September 26, 2019 02:00 PM PT
-
Status update: September 2019 Windows \"C\" optional release available
The September 2019 optional monthly “C” release for all supported versions of Windows is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
September 24, 2019 08:10 AM PT
-
Plan for change: Windows Media Center Electronic Program Guide retiring in January 2020
Starting in January 2020, Microsoft is retiring its Electronic Program Guide (EPG) service for all versions of Windows Media Center. To continue receiving TV Program Guide information on your Windows Media Center, you’ll need to configure an alternate TV listing provider.
September 24, 2019 08:00 AM PT
-
Status of September 2019 “C” release
The optional monthly “C” release for September 2019 for all supported versions of Windows and Windows Server prior to Windows 10, version 1903 and Windows Server, version 1903 will be available in the near term. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
September 19, 2019 04:11 PM PT
-
Plan for change: End of service reminders for Windows 10, versions 1703 and 1803
The Enterprise and Education editions of Windows 10, version 1703 (the Creators Update) will reach end of service on October 8, 2019. The Home, Pro, Pro for Workstations, and IoT Core editions of Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019. We recommend that you update devices running these versions and editions to the latest version of Windows 10—Windows 10, version 1903—as soon as possible to help keep them protected and your environments secure.
September 13, 2019 03:23 PM PT
-
September 2019 security update available for all supported versions of Windows
The September 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. We recommend that you install these updates promptly. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
The August optional monthly “D” release for Windows 10, version 1903 is now available. Follow @WindowsUpdate for the latest on the availability of this release.
August 30, 2019 08:00 AM PT
-
Feature update install notification on Windows 10, version 1809 (the October 2018 Update)
We've had reports on August 29th that some customers running Windows 10, version 1809 (the October 2018 Update) have received notification to install the latest feature update (version 1903) early. Updating remains in your control. To install the update, you must select one of the following options: \"Pick a Time\", \"Restart Tonight,\" or \"Restart Now\". If you are not ready to update at this time, simply dismiss the notification by clicking the arrow in the top right corner. If you have updated to Windows 10, version 1903 and would like to go back to your previous version, see the instructions here.
Internet Explorer 11 (KB 4492872) is now available via Windows Update (WU) and Windows Server Update Services (WSUS) for commercial customers running Windows Server 2012 and Windows Embedded 8 Standard. For details about these changes and end of support for IE10, please refer to the IT Pro blog.
August 29, 2019 08:00 AM PT
-
Windows 10, version 1903 rollout begins The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback.
May 21, 2019 10:00 AM PT
-
- "
diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
index 0665f58b3c..dabc7f749b 100644
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ b/windows/security/identity-protection/access-control/active-directory-accounts.md
@@ -169,7 +169,7 @@ When Active Directory is installed on the first domain controller in the domain,
## Guest account
-The Guest account is a default local account has limited access to the computer and is disabled by default. The Guest account cannot be deleted or disabled, and the account name cannot be changed. By default, the Guest account password is left blank. A blank password allows the Guest account to be accessed without requiring the user to enter a password.
+The Guest account is a default local account that has limited access to the computer and is disabled by default. By default, the Guest account password is left blank. A blank password allows the Guest account to be accessed without requiring the user to enter a password.
The Guest account enables occasional or one-time users, who do not have an individual account on the computer, to sign in to the local server or domain with restricted rights and permissions. The Guest account can be enabled, and the password can be set up if needed, but only by a member of the Administrator group on the domain.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 7e98cba59b..0ff8876a89 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -8,11 +8,14 @@ ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: dulcemontemayor
-ms.author: dansimp
+ms.author: v-tea
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.reviewer:
+ms.custom:
+- CI 120967
+- CSSTroubleshooting
---
# Manage Windows Defender Credential Guard
@@ -24,7 +27,7 @@ ms.reviewer:
## Enable Windows Defender Credential Guard
-Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
+Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard [hardware readiness tool](dg-readiness-tool.md). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
@@ -33,9 +36,13 @@ The same set of procedures used to enable Windows Defender Credential Guard on p
You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed.
1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**.
+
2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
+
3. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
+
4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
+
5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) for more details.
@@ -46,8 +53,10 @@ To enforce processing of the group policy, you can run ```gpupdate /force```.
### Enable Windows Defender Credential Guard by using Intune
-1. From **Home** click **Microsoft Intune**
-2. Click **Device configuration**
+1. From **Home**, click **Microsoft Intune**.
+
+2. Click **Device configuration**.
+
3. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**.
> [!NOTE]
@@ -63,6 +72,7 @@ Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows
If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
+
> [!NOTE]
> If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.
@@ -70,22 +80,31 @@ You can do this by using either the Control Panel or the Deployment Image Servic
**Add the virtualization-based security features by using Programs and Features**
1. Open the Programs and Features control panel.
+
2. Click **Turn Windows feature on or off**.
+
3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
+
4. Select the **Isolated User Mode** check box at the top level of the feature selection.
+
5. Click **OK**.
**Add the virtualization-based security features to an offline image by using DISM**
1. Open an elevated command prompt.
+
2. Add the Hyper-V Hypervisor by running the following command:
- ```
+
+ ```console
dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
```
+
3. Add the Isolated User Mode feature by running the following command:
- ```
+
+ ```console
dism /image: /Enable-Feature /FeatureName:IsolatedUserMode
```
+
> [!NOTE]
> In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
@@ -97,11 +116,13 @@ You can do this by using either the Control Panel or the Deployment Image Servic
1. Open Registry Editor.
2. Enable virtualization-based security:
+
- Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
- Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
- Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
3. Enable Windows Defender Credential Guard:
+
- Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
- Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
@@ -117,9 +138,10 @@ You can do this by using either the Control Panel or the Deployment Image Servic
You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
-```
+```console
DG_Readiness_Tool.ps1 -Enable -AutoReboot
```
+
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
@@ -131,7 +153,9 @@ DG_Readiness_Tool.ps1 -Enable -AutoReboot
You can view System Information to check that Windows Defender Credential Guard is running on a PC.
1. Click **Start**, type **msinfo32.exe**, and then click **System Information**.
+
2. Click **System Summary**.
+
3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Configured**.
Here's an example:
@@ -140,9 +164,10 @@ You can view System Information to check that Windows Defender Credential Guard
You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
-```
+```console
DG_Readiness_Tool_v3.6.ps1 -Ready
```
+
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
@@ -154,14 +179,25 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
- - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: 0x1, 0
- - The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means it's not configured to run.
- - The second variable: 0 means it's configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
+ - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0**
+ - The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run.
+ - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
- **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
- **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
+ - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
+ - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**.
+ - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command:
+
+ ```powershell
+ (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
+ ```
+
+ This command generates the following output:
+ - **0**: Windows Defender Credential Guard is disabled (not running)
+ - **1**: Windows Defender Credential Guard is enabled (running)
+ > [!NOTE]
+ > Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running.
## Disable Windows Defender Credential Guard
@@ -181,7 +217,7 @@ To disable Windows Defender Credential Guard, you can use the following set of p
4. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
- ``` syntax
+ ```console
mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
@@ -218,10 +254,11 @@ For more info on virtualization-based security and HVCI, see [Enable virtualizat
You can also disable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
-```
+```console
DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
```
-> [!IMPORTANT]
+
+> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
@@ -229,7 +266,7 @@ DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
From the host, you can disable Windows Defender Credential Guard for a virtual machine:
-``` PowerShell
+```powershell
Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
```
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index b45b7ac061..8a678b6ff4 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -11,7 +11,6 @@ ms.collection: M365-identity-device-management
ms.topic: article
ms.prod: w10
ms.technology: windows
-ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
ms.date: 07/27/2017
@@ -26,13 +25,16 @@ ms.reviewer:
Enterprise certificate pinning is a Windows feature for remembering, or “pinning,” a root issuing certificate authority or end entity certificate to a given domain name.
Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates.
->[!NOTE]
+> [!NOTE]
> External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning.
Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the site’s server authentication certificate chain matches a restricted set of certificates.
These restrictions are encapsulated in a Pin Rules Certificate Trust List (CTL) that is configured and deployed to Windows 10 computers.
Any site certificate triggering a name mismatch causes Windows to write an event to the CAPI2 event log and prevents the user from navigating to the web site using Microsoft Edge or Internet Explorer.
+> [!NOTE]
+> Enterprise Certificate Pinning feature triggering doesn't cause clients other than Microsoft Edge or Internet Explorer to block the connection.
+
## Deployment
To deploy enterprise certificate pinning, you need to:
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index 300a074c68..01f18214de 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -98,6 +98,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
| 0x801C03F0 | There is no key registered for the user. |
| 0x801C03F1 | There is no UPN in the token. |
| 0x801C044C | There is no core window for the current thread. |
+| 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request AAD token for provisioning. Unable to enroll a device to use a PIN for login. |
## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
index c2c8040070..73e734e99b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
@@ -31,6 +31,9 @@ In a mobile-first, cloud-first world, Azure Active Directory enables single sign
To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access.
+> [!NOTE]
+> For more details about the way Windows Hello for Business interacts with Azure Multi Factor Authentication and Conditional Access, see [this article](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032).
+
Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access.
## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index c75524b41e..cb21e54fe3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -74,6 +74,9 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider. The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM. The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
+> [!IMPORTANT]
+> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
+
## Hybrid Azure AD join authentication using a Certificate
@@ -87,3 +90,5 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider. The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM. The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
+> [!IMPORTANT]
+> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller for the first time.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 7c4e019e6d..8a785dcf5f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -46,13 +46,22 @@ By default, the Active Directory Certificate Authority provides and publishes th
Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
+
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
+
5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs.
- **Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
+
+ > [!NOTE]
+ > If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
+
6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
+
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+
8. Close the console.
#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template
@@ -66,13 +75,21 @@ The auto-enrollment feature in Windows enables you to effortlessly replace these
Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**.
+
4. Click the **Superseded Templates** tab. Click **Add**.
+
5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**.
+
6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**.
+
7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**.
+
8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab.
+
9. Click **OK** and close the **Certificate Templates** console.
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
@@ -95,33 +112,54 @@ Approximately 60 days prior to enrollment agent certificate's expiration, the AD
Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority Management** console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**.
+
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
+
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
-6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
- **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
+
+6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
+
+ > [!NOTE]
+ > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
+
8. On the **Security** tab, click **Add**.
+
9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**.
+
10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**.
-11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
+
+11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
+
12. Close the console.
-#### Creating an Enrollment Agent certificate for typical Service Acconts
+#### Creating an Enrollment Agent certificate for typical Service Accounts
Sign-in a certificate authority or management workstations with *Domain Admin* equivalent credentials.
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent (Offline request)** template in the details pane and click **Duplicate Template**.
+
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
+
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
+
6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
+
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
+
8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**.
+
9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
+
10. Close the console.
### Creating Windows Hello for Business authentication certificate template
@@ -131,28 +169,68 @@ During Windows Hello for Business provisioning, the Windows 10, version 1703 cli
Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
+
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
-5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
- **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
-6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
+
+5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
+
+ > [!NOTE]
+ > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
+
+6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
+
7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
+
8. On the **Issuance Requirements** tab, select the **This number of authorized signatures** check box. Type **1** in the text box.
- * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option.
+
+ Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option.
+
9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
+
10. On the **Request Handling** tab, select the **Renew with same key** check box.
+
11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**.
+
12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
+
13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template.
+
14. Click on the **Apply** to save changes and close the console.
#### Mark the template as the Windows Hello Sign-in template
Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials.
+
1. Open an elevated command prompt.
+
2. Run `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`
+If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example:
+
+```console
+CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication
+
+Old Value:
+msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888)
+CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
+CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
+TEMPLATE_SERVER_VER_WINBLUE< [!NOTE]
> If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
@@ -165,11 +243,17 @@ The certificate authority may only issue certificates for certificate templates
#### Publish Certificate Templates to the Certificate Authority
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Expand the parent node from the navigation pane.
+
3. Click **Certificate Templates** in the navigation pane.
+
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
-5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+
+5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+
6. Close the console.
@@ -182,9 +266,13 @@ The newly created domain controller authentication certificate template supersed
Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
+
2. Expand the parent node from the navigation pane.
+
3. Click **Certificate Templates** in the navigation pane.
+
4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window.
+
5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
@@ -214,4 +302,3 @@ Sign-in to the certificate authority or management workstation with _Enterprise
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. Configure Windows Hello for Business settings: PKI (*You are here*)
6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index 440ab1ea70..d7355b0c32 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -74,9 +74,12 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
+> [!NOTE]
+> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows 10 device settings to enable Windows Hello for Business in Intune](https://docs.microsoft.com/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp). For more details about policy conflicts, see [Policy conflicts from multiple policy sources](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization#policy-conflicts-from-multiple-policy-sources)
+
#### Enable Windows Hello for Business
-The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
+The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index cb6105c66b..51d246f3f4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -8,7 +8,6 @@ ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
audience: ITPro
-author: mikestephens-MS
ms.author: dolmont
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 0b032dbbdc..6a70672f7a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -99,7 +99,9 @@ Windows Hello for Business with a key does not support RDP. RDP does not support
## Learn more
-[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/implementing-windows-hello-for-business-at-microsoft)
+[Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/en-us/itshowcase/implementing-strong-user-authentication-with-windows-hello-for-business)
+
+[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft)
[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 9ee26abcab..4bf706bbbc 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -1,12 +1,12 @@
---
-title: Smart Cards Debugging Information (Windows 10)
-description: This topic explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
+title: Smart Card Troubleshooting (Windows 10)
+description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
@@ -16,11 +16,11 @@ ms.date: 04/19/2017
ms.reviewer:
---
-# Smart Cards Debugging Information
+# Smart Card Troubleshooting
Applies To: Windows 10, Windows Server 2016
-This topic explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
+This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
Debugging and tracing smart card issues requires a variety of tools and approaches. The following sections provide guidance about tools and approaches you can use.
@@ -28,7 +28,7 @@ Debugging and tracing smart card issues requires a variety of tools and approach
- [Debugging and tracing using WPP](#debugging-and-tracing-using-wpp)
-- [Kerberos protocol, KDC and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
+- [Kerberos protocol, KDC, and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
- [Smart Card service](#smart-card-service)
@@ -44,7 +44,8 @@ For a complete description of Certutil including examples that show how to use i
To list certificates that are available on the smart card, type certutil -scinfo.
-> **Note** Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
+> [!NOTE]
+> Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
### Delete certificates on the smart card
@@ -56,7 +57,7 @@ To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card C
## Debugging and tracing using WPP
-Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider, and it provides a mechanism for the trace provider to log real-time binary messages. Logged messages can subsequently be converted to a human-readable trace of the operation of the trace provider. For more information about WPP, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
+Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
### Enable the trace
@@ -68,7 +69,7 @@ Using WPP, use one of the following commands to enable tracing:
You can use the parameters in the following table.
-| **Friendly name** | **GUID** | **Flags** |
+| Friendly name | GUID | Flags |
|-------------------|--------------------------------------|-----------|
| scardsvr | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff |
| winscard | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff |
@@ -84,13 +85,13 @@ Examples
To enable tracing for the SCardSvr service:
-- tracelog.exe -kd -rt -start scardsvr -guid \#13038e47-ffec-425d-bc69-5707708075fe -f .\\scardsvr.etl -flags 0xffff -ft 1
+- **tracelog.exe -kd -rt -start scardsvr -guid \#13038e47-ffec-425d-bc69-5707708075fe -f .\\scardsvr.etl -flags 0xffff -ft 1**
-- logman start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\\scardsvr.etl -mode 0x00080000
+- **logman start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\\scardsvr.etl -mode 0x00080000**
To enable tracing for scfilter.sys:
-tracelog.exe -kd -rt -start scfilter -guid \#eed7f3c9-62ba-400e-a001-658869df9a91 -f .\\scfilter.etl -flags 0xffff -ft 1
+ - **tracelog.exe -kd -rt -start scfilter -guid \#eed7f3c9-62ba-400e-a001-658869df9a91 -f .\\scfilter.etl -flags 0xffff -ft 1**
### Stop the trace
@@ -100,65 +101,66 @@ Using WPP, use one of the following commands to stop the tracing:
- **logman -stop** <*FriendlyName*> **-ets**
-Examples
+#### Examples
To stop a trace:
-- tracelog.exe -stop scardsvr
+- **tracelog.exe -stop scardsvr**
-- logman -stop scardsvr -ets
+- **logman -stop scardsvr -ets**
## Kerberos protocol, KDC and NTLM debugging and tracing
-You can use the following resources to begin troubleshooting these protocols and the KDC:
+You can use these resources to troubleshoot these protocols and the KDC:
-- [Kerberos and LDAP Troubleshooting Tips](https://technet.microsoft.com/library/bb463167.aspx)
+- [Kerberos and LDAP Troubleshooting Tips](https://technet.microsoft.com/library/bb463167.aspx).
-- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit) You can use the trace log tool in this SDK to debug Kerberos authentication failures.
+- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit). You can use the trace log tool in this SDK to debug Kerberos authentication failures.
-To begin tracing, you can use Tracelog. Different components use different control GUIDs as explained in the following examples. For more information, see [Tracelog](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
+To begin tracing, you can use Tracelog. Different components use different control GUIDs as explained in these examples. For more information, see [Tracelog](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
### NTLM
To enable tracing for NTLM authentication, run the following at the command line:
-tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1
+ - **tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1**
-To stop tracing for NTLM authentication, run the following at the command line:
+To stop tracing for NTLM authentication, run this command:
-tracelog -stop ntlm
+ - **tracelog -stop ntlm**
### Kerberos authentication
-To enable tracing for Kerberos authentication, run the following at the command line:
+To enable tracing for Kerberos authentication, run this command:
-tracelog.exe -kd -rt -start kerb -guid \#6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\\kerb.etl -flags 0x43 -ft 1
+ - **tracelog.exe -kd -rt -start kerb -guid \#6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\\kerb.etl -flags 0x43 -ft 1**
-To stop tracing for Kerberos authentication, run the following at the command line:
+To stop tracing for Kerberos authentication, run this command:
-tracelog.exe -stop kerb
+ - **tracelog.exe -stop kerb**
### KDC
To enable tracing for the Key Distribution Center (KDC), run the following at the command line:
-tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1
+ - **tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1**
To stop tracing for the KDC, run the following at the command line:
-tracelog.exe -stop kdc
+ - **tracelog.exe -stop kdc**
-To stop tracing from a remote computer, run the following at the command line: logman.exe -s *<ComputerName>*.
+To stop tracing from a remote computer, run this command: logman.exe -s *<ComputerName>*.
-> **Note** The default location for logman.exe is %systemroot%system32\\. Use the **-s** option to supply a computer name.
+> [!NOTE]
+> The default location for logman.exe is %systemroot%system32\\. Use the **-s** option to supply a computer name.
### Configure tracing with the registry
You can also configure tracing by editing the Kerberos registry values shown in the following table.
-| **Element** | **Registry Key Setting** |
+| Element | Registry Key Setting |
|-------------|----------------------------------------------------|
| NTLM | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1\_0 Value name: NtLmInfoLevel Value type: DWORD Value data: c0015003 |
| Kerberos | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos Value name: LogToFile Value type: DWORD Value data: 00000001
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters Value name: KerbDebugLevel Value type: DWORD Value data: c0000043
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters Value name: LogToFile Value type: DWORD Value data: 00000001 |
@@ -166,7 +168,7 @@ You can also configure tracing by editing the Kerberos registry values shown in
If you used Tracelog, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
-Otherwise, if you used the registry key settings shown in the previous table, look for the generated trace log files in the following locations:
+If you used the registry key settings shown in the previous table, look for the trace log files in the following locations:
- NTLM: %systemroot%\\tracing\\msv1\_0
@@ -178,7 +180,7 @@ To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a
## Smart Card service
-The smart card resource manager service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process.
+The smart card resource manager service runs in the context of a local service. It's implemented as a shared service of the services host (svchost) process.
**To check if Smart Card service is running**
@@ -202,9 +204,9 @@ The smart card resource manager service runs in the context of a local service,
You can use the following command at the command prompt to check whether the service is running: **sc queryex scardsvr**.
-The following is example output from running this command:
+This is an example output from this command:
-```
+```console
SERVICE_NAME: scardsvr
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
@@ -232,13 +234,14 @@ As with any device connected to a computer, Device Manager can be used to view p
4. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then click **Properties**.
-> **Note** If the smart card reader is not listed in Device Manager, in the **Action** menu, click **Scan for hardware changes**.
+> [!NOTE]
+> If the smart card reader is not listed in Device Manager, in the **Action** menu, click **Scan for hardware changes**.
## CryptoAPI 2.0 Diagnostics
-CryptoAPI 2.0 Diagnostics is a feature that is available in Windows operating systems that supports CryptoAPI 2.0. This feature can help you troubleshoot public key infrastructure (PKI) issues.
+CryptoAPI 2.0 Diagnostics is available in Windows versions that support CryptoAPI 2.0 and can help you troubleshoot public key infrastructure (PKI) issues.
-CryptoAPI 2.0 Diagnostics logs events in the Windows event log, which contain detailed information about certificate chain validation, certificate store operations, and signature verification. This information makes it easier to identify the causes of issues and reduces the time required for diagnosis.
+CryptoAPI 2.0 Diagnostics logs events in the Windows event log. The logs contain detailed information about certificate chain validation, certificate store operations, and signature verification. This information makes it easier to identify the causes of issues and reduces the time required for diagnosis.
For more information about CryptoAPI 2.0 Diagnostics, see [Troubleshooting an Enterprise PKI](https://technet.microsoft.com/library/cc771463.aspx).
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index 15ea04101f..9c9011d7ad 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -14,7 +14,6 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
-ms.localizationpriority: medium
ms.date: 07/27/2017
---
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
index bb1cf1508f..a979d2b781 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
@@ -35,7 +35,7 @@ The Create command sets up new virtual smart cards on the user’s system. It re
| Parameter | Description |
|-----------|-------------|
| /name | Required. Indicates the name of the new virtual smart card. |
-| /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN. **DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708. **PROMPT** Prompts the user to enter a value for the administrator key. **RANDOM** Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key must be entered as 48 hexadecimal characters. |
+| /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN. **DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708. **PROMPT** Prompts the user to enter a value for the administrator key. **RANDOM** Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key is set as 48 hexadecimal characters. |
| /PIN | Indicates desired user PIN value. **DEFAULT** Specifies the default PIN of 12345678. **PROMPT** Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. |
| /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK. **DEFAULT** Specifies the default PUK of 12345678. **PROMPT** Prompts the user to enter a PUK at the command line. |
| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Endpoint Configuration Manager. |
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index a162e20e45..0b6ff85b21 100644
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -16,38 +16,38 @@ ms.author: dansimp
This topic explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The scenario is:
-- You connect to a network using Wi-Fi or VPN.
-- You want to use the credentials that you use for the WiFi or VPN authentication to also authenticate requests to access a domain resource you are connecting to, without being prompted for your domain credentials separately.
+- You connect to a network using Wi-Fi or VPN.
+- You want to use the credentials that you use for the WiFi or VPN authentication to also authenticate requests to access a domain resource you are connecting to, without being prompted for your domain credentials separately.
For example, you want to connect to a corporate network and access an internal website that requires Windows integrated authentication.
-At a high level, the way this works is that the credentials that are used for the connection authentication are put in Credential Manager as the default credentials for the logon session.
-Credential Manager is a place where credentials in the OS are can be stored for specific domain resources based on the targetname of the resource.
-For VPN, the VPN stack saves its credential as the session default.
-For WiFi, EAP does it.
+At a high level, the way this works is that the credentials that are used for the connection authentication are put in Credential Manager as the default credentials for the logon session.
+Credential Manager is a place where credentials in the OS are can be stored for specific domain resources based on the targetname of the resource.
+For VPN, the VPN stack saves its credential as the session default.
+For WiFi, EAP does it.
-The credentials are put in Credential Manager as a "\*Session" credential.
-A "\*Session" credential implies that it is valid for the current user session.
-The credentials are also cleaned up when the WiFi or VPN connection is disconnected.
+The credentials are put in Credential Manager as a "\*Session" credential.
+A "\*Session" credential implies that it is valid for the current user session.
+The credentials are also cleaned up when the WiFi or VPN connection is disconnected.
-When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
-For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations).
+When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
+For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations).
-The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
-If the app is not UWP, it does not matter.
-But if it is a UWP app, it will look at the device capability for Enterprise Authentication.
+The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
+If the app is not UWP, it does not matter.
+But if it is a UWP app, it will look at the device capability for Enterprise Authentication.
If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.
-This behavior helps prevent credentials from being misused by untrusted third parties.
+This behavior helps prevent credentials from being misused by untrusted third parties.
## Intranet zone
-For the Intranet zone, by default it only allows single-label names, such as Http://finance.
-If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the [Registry CSP](https://msdn.microsoft.com/library/windows/hardware/dn904964.aspx).
+For the Intranet zone, by default it only allows single-label names, such as Http://finance.
+If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the [Registry CSP](https://msdn.microsoft.com/library/windows/hardware/dn904964.aspx).
### Setting the ZoneMap
-The ZoneMap is controlled using a registry that can be set through MDM.
-By default, single-label names such as http://finance are already in the intranet zone.
+The ZoneMap is controlled using a registry that can be set through MDM.
+By default, single-label names such as http://finance are already in the intranet zone.
For multi-label names, such as http://finance.net, the ZoneMap needs to be updated.
## MDM Policy
@@ -56,9 +56,9 @@ OMA URI example:
./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/``/* as an Integer Value of 1 for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Edge browser.
-## Credential requirements
+## Credential requirements
-For VPN, the following types of credentials will be added to credential manager after authentication:
+For VPN, the following types of credentials will be added to credential manager after authentication:
- Username and password
- Certificate-based authentication:
@@ -67,7 +67,7 @@ For VPN, the following types of credentials will be added to credential manager
- Smart Card Certificate
- Windows Hello for Business Certificate
-The username should also include a domain that can be reached over the connection (VPN or WiFi).
+The username should also include a domain that can be reached over the connection (VPN or WiFi).
## User certificate templates
@@ -82,17 +82,17 @@ If the credentials are certificate-based, then the elements in the following tab
## NDES server configuration
-The NDES server is required to be configured so that incoming SCEP requests can be mapped to the correct template to be used.
-For more information, see [Configure certificate infrastructure for SCEP](https://docs.microsoft.com/intune/deploy-use/Configure-certificate-infrastructure-for-scep).
+The NDES server is required to be configured so that incoming SCEP requests can be mapped to the correct template to be used.
+For more information, see [Configure certificate infrastructure for SCEP](https://docs.microsoft.com/mem/intune/protect/certificates-scep-configure).
## Active Directory requirements
-You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well.
+You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well.
The domain controllers will need to have appropriate KDC certificates for the client to trust them as domain controllers, and since phones are not domain-joined, the root CA of the KDC’s certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store.
-The domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication.
-This is because Windows 10 Mobile requires strict KDC validation to be enabled.
-This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server.
-For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382).
+The domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication.
+This is because Windows 10 Mobile requires strict KDC validation to be enabled.
+This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server.
+For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382).
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index 3d0fdc211e..19df534358 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -62,8 +62,7 @@ The following is a sample Native VPN profile. This blob would fall under the Pro
- Eap
- Eap
+ Eap
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index b36af3f717..6ea046a8f3 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -115,6 +115,12 @@ Please check the driver instance for the device you are testing. Some drivers ma
If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers).
+### My system's Kernel DMA Protection is off. Can DMA-remapping for a specific device be turned on?
+
+Yes. DMA remapping for a specific device can be turned on independent from Kernel DMA Protection. For example, if the driver opts in and VT-d (Virtualization Technology for Directed I/O) is turned on, then DMA remapping will be enabled for the devices driver even if Kernel DMA Protection is turned off.
+
+Kernel DMA Protection is a policy that allows or blocks devices to perform DMA, based on their remapping state and capabilities.
+
### Do Microsoft drivers support DMA-remapping?
In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA Remapping.
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index da6eece1fe..fb2784e2d5 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -112,7 +112,7 @@ The following table defines which Windows features require TPM support.
Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
-|-|-|-|-
Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot
- BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support
+ BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support
Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
Windows Defender Application Control (Device Guard) | No | Yes | Yes
Windows Defender System Guard | Yes | No | Yes
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
index 94634c4b79..d94485704c 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -41,7 +41,7 @@ This policy setting configured which TPM authorization values are stored in the
|--------------|---------------|---------|-----------------|-----------------|------------------|
| OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No | Yes | Yes |
| OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No | Yes | Yes |
-| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | No |
+| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | Yes |
There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**.
diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
index 60283edd89..23f23e50da 100644
--- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
@@ -4,7 +4,6 @@ description: Learn how unenlightened and enlightened apps might behave, based on
keywords: WIP, Enterprise Data Protection, EDP, Windows Information Protection, unenlightened apps, enlightened apps
ms.prod: w10
ms.mktglfcycl: explore
-ms.pagetype: security
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index b3f555bb13..c1f81c4974 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -214,6 +214,8 @@ Path Publisher
Where `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the **Publisher** name and `WORDPAD.EXE` is the **File** name.
+Regarding to how to get the Product Name for the Apps you wish to Add, please reach out to our Windows Support Team to request the guidelines
+
### Import a list of apps
This section covers two examples of using an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time.
@@ -461,10 +463,10 @@ contoso.sharepoint.com|contoso.visualstudio.com
Specify the domains used for identities in your environment.
All traffic to the fully-qualified domains appearing in this list will be protected.
-Separate multiple domains with the "," delimiter.
+Separate multiple domains with the "|" delimiter.
```code
-exchange.contoso.com,contoso.com,region.contoso.com
+exchange.contoso.com|contoso.com|region.contoso.com
```
### Network domains
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index c5bd8c7fbb..24e94ee4c1 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -26,6 +26,12 @@
#### [Prepare for your migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md)
#### [Set up Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md)
#### [Onboard to Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md)
+### [Manage Microsoft Defender ATP post migration]()
+#### [Overview](microsoft-defender-atp/manage-atp-post-migration.md)
+#### [Intune (recommended)](microsoft-defender-atp/manage-atp-post-migration-intune.md)
+#### [Configuration Manager](microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md)
+#### [Group Policy Objects](microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md)
+#### [PowerShell, WMI, and MPCmdRun.exe](microsoft-defender-atp/manage-atp-post-migration-other-tools.md)
## [Security administration]()
### [Threat & Vulnerability Management]()
@@ -43,7 +49,7 @@
### [Attack surface reduction]()
#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
-#### [Attack surface reduction evaluation](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
+#### [Evaluate attack surface reduction rules](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
#### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md)
@@ -51,6 +57,7 @@
##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md)
+##### [View attack surface reduction events](microsoft-defender-atp/event-views.md)
#### [Hardware-based isolation]()
##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
@@ -76,12 +83,14 @@
#### [Exploit protection]()
##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md)
##### [Exploit protection evaluation](microsoft-defender-atp/evaluate-exploit-protection.md)
+##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
+##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md)
#### [Network protection]()
##### [Protect your network](microsoft-defender-atp/network-protection.md)
-##### [Network protection evaluation](microsoft-defender-atp/evaluate-network-protection.md)
-##### [Enable network protection](microsoft-defender-atp/enable-network-protection.md)
+##### [Evaluate network protection](microsoft-defender-atp/evaluate-network-protection.md)
+##### [Turning on network protection](microsoft-defender-atp/enable-network-protection.md)
#### [Web protection]()
##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
@@ -93,7 +102,9 @@
#### [Controlled folder access]()
##### [Protect folders](microsoft-defender-atp/controlled-folders.md)
-##### [Controlled folder access evaluation](microsoft-defender-atp/evaluate-controlled-folder-access.md)
+##### [Evaluate controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
+##### [Enable controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
+##### [Customize controlled folder access](microsoft-defender-atp/customize-controlled-folders.md)
@@ -109,7 +120,7 @@
#### [Configure next-generation protection]()
##### [Configure Microsoft Defender Antivirus features](microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md)
-##### [Utilize Microsoft cloud-delivered protection](microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
+##### [Use Microsoft cloud-delivered protection](microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
###### [Enable cloud-delivered protection](microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md)
###### [Specify the cloud-delivered protection level](microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md)
###### [Configure and validate network connections](microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md)
@@ -127,6 +138,15 @@
##### [Antivirus compatibility]()
###### [Compatibility charts](microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
###### [Use limited periodic antivirus scanning](microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md)
+
+##### [Manage next-generation protection in your business]()
+###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
+###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next-generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
+###### [Use Group Policy settings to manage next-generation protection](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
+###### [Use PowerShell cmdlets to manage next-generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to manage next-generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
+###### [Use the mpcmdrun.exe command line tool to manage next-generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
+###### [Handle false positives/negatives in Microsoft Defender Antivirus](microsoft-defender-antivirus/antivirus-false-positives-negatives.md)
##### [Deploy, manage updates, and report on antivirus]()
###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
@@ -153,7 +173,7 @@
####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
####### [Configure antivirus exclusions Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-
+####### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md)
###### [Configure scanning antivirus options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
@@ -163,14 +183,6 @@
##### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
-##### [Manage antivirus in your business]()
-###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
-###### [Use Group Policy settings to configure and manage antivirus](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
-###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
-###### [Use PowerShell cmdlets to configure and manage antivirus](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
-###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
-
##### [Manage scans and remediation]()
###### [Management overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
@@ -190,16 +202,6 @@
###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
###### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
-##### [Manage next-generation protection in your business]()
-###### [Handle false positives/negatives in Microsoft Defender Antivirus](microsoft-defender-antivirus/antivirus-false-positives-negatives.md)
-###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
-###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
-###### [Use Group Policy settings to manage next generation protection](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
-###### [Use PowerShell cmdlets to manage next generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
-###### [Use the mpcmdrun.exe command line tool to manage next generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
-
-
#### [Better together: Microsoft Defender Antivirus and Microsoft Defender ATP](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
#### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md)
@@ -296,14 +298,15 @@
#### [Devices list]()
##### [View and organize the Devices list](microsoft-defender-atp/machines-view-overview.md)
+##### [Device timeline event flags](microsoft-defender-atp/device-timeline-event-flag.md)
##### [Manage device group and tags](microsoft-defender-atp/machine-tags.md)
#### [Take response actions]()
##### [Take response actions on a device]()
###### [Response actions on devices](microsoft-defender-atp/respond-machine-alerts.md)
###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
-###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
-###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
+###### [Start an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
+###### [Start a Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-devices)
###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-devices)
###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
@@ -320,9 +323,6 @@
###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
-###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
-###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
-###### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
#### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
##### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
@@ -343,8 +343,9 @@
#### [Custom detections]()
-##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
-##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
+##### [Custom detections overview](microsoft-defender-atp/overview-custom-detections.md)
+##### [Create detection rules](microsoft-defender-atp/custom-detection-rules.md)
+##### [View & manage detection rules](microsoft-defender-atp/custom-detections-manage.md)
### [Behavioral blocking and containment]()
#### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md)
@@ -422,7 +423,7 @@
#### [Ensure your devices are configured properly](microsoft-defender-atp/configure-machines.md)
#### [Monitor and increase device onboarding](microsoft-defender-atp/configure-machines-onboarding.md)
#### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md)
-#### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)
+#### [Optimize attack surface reduction rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)
### [Configure portal settings]()
#### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
@@ -461,7 +462,7 @@
#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
-
+### [Use audit mode](microsoft-defender-atp/audit-windows-defender.md)
## Reference
### [Management and APIs]()
@@ -570,6 +571,7 @@
###### [Vulnerability]()
####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
####### [List vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
+####### [List vulnerabilities by machine and software](microsoft-defender-atp/get-all-vulnerabilities-by-machines.md)
####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md)
####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md)
@@ -600,6 +602,7 @@
##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
+##### [Fetch alerts from customer tenant](microsoft-defender-atp/fetch-alerts-mssp.md)
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
#### [Partners & APIs]()
@@ -614,7 +617,12 @@
###### [Using device groups](microsoft-defender-atp/machine-groups.md)
###### [Create and manage device tags](microsoft-defender-atp/machine-tags.md)
-#### [Configure managed security service provider (MSSP) integration](microsoft-defender-atp/configure-mssp-support.md)
+#### [Managed security service provider (MSSP) integration]()
+##### [Configure managed security service provider integration](microsoft-defender-atp/configure-mssp-support.md)
+##### [Grant MSSP access to the portal](microsoft-defender-atp/grant-mssp-access.md)
+##### [Access the MSSP customer portal](microsoft-defender-atp/access-mssp-portal.md)
+##### [Configure alert notifications](microsoft-defender-atp/configure-mssp-notifications.md)
+##### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
### [Partner integration scenarios]()
#### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md)
@@ -815,7 +823,7 @@
####### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md)
####### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md)
####### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md)
-####### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing/event-4780.md)
+####### [Event 4780 S: The ACL was set on accounts that are members of administrators groups.](auditing/event-4780.md)
####### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md)
####### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md)
####### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md)
@@ -841,6 +849,8 @@
####### [Event 4689 S: A process has exited.](auditing/event-4689.md)
###### [Audit RPC Events](auditing/audit-rpc-events.md)
####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md)
+###### [Audit Token Right Adjusted](auditing/audit-token-right-adjusted.md)
+####### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md)
###### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md)
####### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md)
####### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md)
@@ -1206,7 +1216,7 @@
###### [System cryptography: Force strong key protection for user keys stored on the computer](security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)
###### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)
###### [System objects: Require case insensitivity for non-Windows subsystems](security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md)
-###### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md)
+###### [System objects: Strengthen default permissions of internal system objects (Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md)
###### [System settings: Optional subsystems](security-policy-settings/system-settings-optional-subsystems.md)
###### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)
###### [User Account Control: Admin Approval Mode for the Built-in Administrator account](security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)
diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md
index b6b09ddae8..c3bada3ea8 100644
--- a/windows/security/threat-protection/auditing/basic-audit-object-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md
@@ -28,7 +28,8 @@ If you define this policy setting, you can specify whether to audit successes, a
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
-> **Note:** You can set a SACL on a file system object using the **Security** tab in that object's **Properties** dialog box.
+> [!NOTE]
+> You can set a SACL on a file system object using the **Security** tab in that object's **Properties** dialog box.
**Default:** No auditing.
@@ -41,10 +42,10 @@ You can configure this security setting by opening the appropriate policy under
|----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 560 | Access was granted to an already existing object. |
| 562 | A handle to an object was closed. |
-| 563 | An attempt was made to open an object with the intent to delete it. \*\*Note: \*\* This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile(). |
+| 563 | An attempt was made to open an object with the intent to delete it. **Note:** This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile(). |
| 564 | A protected object was deleted. |
| 565 | Access was granted to an already existing object type. |
-| 567 | A permission associated with a handle was used. \*\*Note: \*\* A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
+| 567 | A permission associated with a handle was used. **Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
| 568 | An attempt was made to create a hard link to a file that is being audited. |
| 569 | The resource manager in Authorization Manager attempted to create a client context. |
| 570 | A client attempted to access an object. **Note:** An event will be generated for every attempted operation on the object. |
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index cf8e0d63b8..b310cd06ca 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -146,6 +146,7 @@ This event generates when a logon session is created (on destination machine). I
| Logon Type | Logon Title | Description |
|:----------:|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `0` | `System` | Used only by the System account, for example at system startup. |
| `2` | `Interactive` | A user logged on to this computer. |
| `3` | `Network` | A user or computer logged on to this computer from the network. |
| `4` | `Batch` | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
@@ -155,6 +156,8 @@ This event generates when a logon session is created (on destination machine). I
| `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
+| `12` | `CashedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. |
+| `13` | `CachedUnlock` | Workstation logon. |
- **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10.
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index b099911afd..d8e637e093 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 07/23/2020
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -226,6 +226,6 @@ For 4771(F): Kerberos pre-authentication failed.
| **Pre-Authentication Type** | Value is **not 15** when account must use a smart card for authentication. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
| **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
| **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
-| **Result Code** | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication. |
-| **Result Code** | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This can be an indicator of brute-force attack on the account password, especially for highly critical accounts. |
+| **Failure Code** | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication. |
+| **Failure Code** | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This can be an indicator of brute-force attack on the account password, especially for highly critical accounts. |
diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
index bddb29f760..2bc61ffce1 100644
--- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
@@ -2,7 +2,6 @@
title: Plan and deploy advanced security audit policies (Windows 10)
description: Learn to deploy an effective security audit policy in a network that includes advanced security audit policies.
ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442
-
ms.reviewer:
ms.author: dansimp
ms.prod: w10
diff --git a/windows/security/threat-protection/device-guard/memory-integrity.md b/windows/security/threat-protection/device-guard/memory-integrity.md
index 7cdda06143..5e2defcf75 100644
--- a/windows/security/threat-protection/device-guard/memory-integrity.md
+++ b/windows/security/threat-protection/device-guard/memory-integrity.md
@@ -3,7 +3,6 @@ title: Memory integrity
keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
description: Memory integrity.
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 3d52254721..7e2cc61fe3 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -1,7 +1,7 @@
---
title: Threat Protection (Windows 10)
description: Learn how Microsoft Defender ATP helps protect against threats.
-keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
+keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -27,7 +27,7 @@ ms.topic: conceptual
@@ -77,8 +77,8 @@ The attack surface reduction set of capabilities provide the first line of defen
-**[Next generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
-To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
+**[Next-generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
+To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats.
- [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus)
- [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus)
diff --git a/windows/security/threat-protection/intelligence/TOC.md b/windows/security/threat-protection/intelligence/TOC.md
index a01098c5a3..48c382b306 100644
--- a/windows/security/threat-protection/intelligence/TOC.md
+++ b/windows/security/threat-protection/intelligence/TOC.md
@@ -34,6 +34,8 @@
## [Submit files for analysis](submission-guide.md)
+## [Troubleshoot malware submission](portal-submission-troubleshooting.md)
+
## [Safety Scanner download](safety-scanner-download.md)
## [Industry collaboration programs](cybersecurity-industry-partners.md)
diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md
index c6973ab9e1..e3d47a044c 100644
--- a/windows/security/threat-protection/intelligence/developer-faq.md
+++ b/windows/security/threat-protection/intelligence/developer-faq.md
@@ -31,20 +31,20 @@ Submit the file in question as a software developer. Wait until your submission
If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
-We encourage all software vendors and developers to read about how Microsoft identifies malware and unwanted software.
+We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md).
## Why is Microsoft asking for a copy of my program?
-This can help us with our analysis. Participants of the Microsoft Active Protection Service (MAPS) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
+This can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
## Why does Microsoft classify my installer as a software bundler?
-It contains instructions to offer a program classified as unwanted software. You can review the criteria we use to check applications for behaviors that are considered unwanted.
+It contains instructions to offer a program classified as unwanted software. You can review the [criteria](criteria.md) we use to check applications for behaviors that are considered unwanted.
-## Why is the Windows Firewall blocking my program?
+## Why is the Windows Defender Firewall blocking my program?
-This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network.
+This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security).
-## Why does the Windows Defender SmartScreen say my program is not commonly downloaded?
+## Why does the Microsoft Defender SmartScreen say my program is not commonly downloaded?
-This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.
+This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index bc3ecd48d1..747950168f 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -2,7 +2,7 @@
title: Fileless threats
ms.reviewer:
description: Learn about the categories of fileless threats and malware that "live off the land"
-keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next generation protection
+keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next-generation protection
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
diff --git a/windows/security/threat-protection/intelligence/images/msi-contoso-approval-required.png b/windows/security/threat-protection/intelligence/images/msi-contoso-approval-required.png
new file mode 100644
index 0000000000..90bc4428f9
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/msi-contoso-approval-required.png differ
diff --git a/windows/security/threat-protection/intelligence/images/msi-enterprise-app-user-setting.jpg b/windows/security/threat-protection/intelligence/images/msi-enterprise-app-user-setting.jpg
new file mode 100644
index 0000000000..e68ffa40aa
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/msi-enterprise-app-user-setting.jpg differ
diff --git a/windows/security/threat-protection/intelligence/images/msi-grant-admin-consent.jpg b/windows/security/threat-protection/intelligence/images/msi-grant-admin-consent.jpg
new file mode 100644
index 0000000000..2bb2627bc2
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/msi-grant-admin-consent.jpg differ
diff --git a/windows/security/threat-protection/intelligence/images/msi-microsoft-permission-requested-your-organization.png b/windows/security/threat-protection/intelligence/images/msi-microsoft-permission-requested-your-organization.png
new file mode 100644
index 0000000000..e423857bff
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/msi-microsoft-permission-requested-your-organization.png differ
diff --git a/windows/security/threat-protection/intelligence/images/msi-microsoft-permission-required.jpg b/windows/security/threat-protection/intelligence/images/msi-microsoft-permission-required.jpg
new file mode 100644
index 0000000000..fdac1cd4be
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/msi-microsoft-permission-required.jpg differ
diff --git a/windows/security/threat-protection/intelligence/images/msi-permissions.jpg b/windows/security/threat-protection/intelligence/images/msi-permissions.jpg
new file mode 100644
index 0000000000..957c78aac1
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/msi-permissions.jpg differ
diff --git a/windows/security/threat-protection/intelligence/images/msi-properties.png b/windows/security/threat-protection/intelligence/images/msi-properties.png
new file mode 100644
index 0000000000..196a5fce92
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/msi-properties.png differ
diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
new file mode 100644
index 0000000000..df44f6142a
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
@@ -0,0 +1,89 @@
+---
+title: Troubleshoot MSI portal errors caused by admin block
+description: Troubleshoot MSI portal errors
+ms.reviewer:
+keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn’t detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn’t detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: dansimp
+author: dansimp
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+search.appverid: met150
+---
+
+# Troubleshooting malware submission errors caused by administrator block
+In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this.
+
+## Review your settings
+Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under **Enterprise Applications** > **Users can consent to apps accessing company data on their behalf**, check whether Yes or No is selected.
+
+- If this is set to **No**, an AAD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with AAD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their AAD admin. Go to the following section for more information.
+
+- It this is set to **Yes**, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign-in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If this is set to **No** you'll need to request an AAD admin enable it.
+
+## Implement Required Enterprise Application permissions
+This process requires a global or application admin in the tenant.
+ 1. Open [Enterprise Application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d).
+ 2. Click **Grant admin consent for organization**.
+ 3. If you're able to do so, Review the API permissions required for this application. This should be exactly the same as in the following image. Provide consent for the tenant.
+
+ 
+
+ 4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.
+
+## Option 1 Approve enterprise application permissions by user request
+> [!Note]
+> This is currently a preview feature.
+
+Azure Active Directory admins will need to allow for users to request admin consent to apps. Verify the setting is configured to **Yes** in [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/).
+
+
+
+More information is available in [Configure Admin consent workflow](https://docs.microsoft.com/azure/active-directory/manage-apps/configure-admin-consent-workflow).
+
+Once this setting is verified, users can go through the enterprise customer sign-in at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission), and submit a request for admin consent, including justification.
+
+
+
+Admin will be able to review and approve the application permissions [Azure admin consent requests](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AccessRequests/menuId/).
+
+After providing consent, all users in the tenant will be able to use the application.
+
+## Option 2 Provide admin consent by authenticating the application as an admin
+This process requires that global admins go through the Enterprise customer sign-in flow at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission).
+
+
+
+Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and click **Accept**.
+
+All users in the tenant will now be able to use this application.
+
+## Option 3: Delete and re-add app permissions
+If neither of these options resolve the issue, try the following steps (as an admin):
+
+1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b)
+and click **delete**.
+
+ 
+
+2. Capture TenantID from [Properties](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties).
+
+3. Replace {tenant-id} with the specific tenant that needs to grant consent to this application in the URL below. Copy this URL into browser. The rest of the parameters are already completed.
+``https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id=f0cf43e5-8a9b-451c-b2d5-7285c785684d&state=12345&redirect_uri=https%3a%2f%2fwww.microsoft.com%2fwdsi%2ffilesubmission&scope=openid+profile+email+offline_access``
+
+ 
+
+4. Review the permissions required by the application, and then click **Accept**.
+
+5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051).
+
+ 
+
+6. Sign in to [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission) as an enterprise user with a non-admin account to see if you have access.
+
+ If the warning is not resolved after following these troubleshooting steps, call Microsoft support.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
index e9fd6a400e..a0e3d27f66 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
@@ -3,7 +3,6 @@ title: What to do with false positives/negatives in Microsoft Defender Antivirus
description: Did Microsoft Defender Antivirus miss or wrongly detect something? Find out what you can do.
keywords: Microsoft Defender Antivirus, false positives, false negatives, exclusions
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
index 691027c34e..072cc3c421 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
@@ -3,7 +3,6 @@ title: Collect diagnostic data for Update Compliance and Windows Defender Micros
description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add in
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
index 840b26d06e..9c9ec19ea9 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
@@ -3,7 +3,6 @@ title: Collect diagnostic data of Microsoft Defender Antivirus
description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -25,6 +24,9 @@ manager: dansimp
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV.
+> [!NOTE]
+> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
+
On at least two devices that are experiencing the same issue, obtain the .cab diagnostic file by taking the following steps:
1. Open an administrator-level version of the command prompt as follows:
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
index 0286462e81..4a296ac42c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
@@ -3,17 +3,16 @@ title: Use the command line to manage Microsoft Defender Antivirus
description: Run Microsoft Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility.
keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.reviewer: ksarens
manager: dansimp
+ms.date: 08/17/2020
---
# Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool
@@ -31,11 +30,12 @@ You can perform various Microsoft Defender Antivirus functions with the dedicate
The utility has the following commands:
-```DOS
+```console
MpCmdRun.exe [command] [-options]
```
Here's an example:
-```
+
+```console
MpCmdRun.exe -Scan -ScanType 2
```
@@ -55,6 +55,7 @@ MpCmdRun.exe -Scan -ScanType 2
| `-ListAllDynamicSignatures` | Lists the loaded dynamic Security intelligence |
| `-RemoveDynamicSignature [-SignatureSetID]` | Removes dynamic Security intelligence |
| `-CheckExclusion -path ` | Checks whether a path is excluded |
+| `-ValidateMapsConnection` | Verifies that your network can communicate with the Microsoft Defender Antivirus cloud service. This command will only work on Windows 10, version 1703 or higher.|
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..53d9dc6877
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
@@ -0,0 +1,155 @@
+---
+title: Common mistakes to avoid when defining exclusions
+description: Avoid common mistakes when defining exclusions for Microsoft Defender Antivirus scans.
+keywords: exclusions, files, extension, file type, folder name, file name, scans
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.reviewer:
+manager: dansimp
+---
+
+# Common mistakes to avoid when defining exclusions
+You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable.
+
+This topic describes some common mistake that you should avoid when defining exclusions.
+
+Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions).
+
+## Excluding certain trusted items
+There are certain files, file types, folders, or processes that you should not exclude from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning.
+
+**Do not add exclusions for the following folder locations:**
+
+- %systemdrive%
+- C:
+- C:\
+- C:\*
+- %ProgramFiles%\Java
+- C:\Program Files\Java
+- %ProgramFiles%\Contoso\
+- C:\Program Files\Contoso\
+- %ProgramFiles(x86)%\Contoso\
+- C:\Program Files (x86)\Contoso\
+- C:\Temp
+- C:\Temp\
+- C:\Temp\*
+- C:\Users\
+- C:\Users\*
+- C:\Users\\AppData\Local\Temp\
+- C:\Users\\AppData\LocalLow\Temp\
+- C:\Users\\AppData\Roaming\Temp\
+- %Windir%\Prefetch
+- C:\Windows\Prefetch
+- C:\Windows\Prefetch\
+- C:\Windows\Prefetch\*
+- %Windir%\System32\Spool
+- C:\Windows\System32\Spool
+- C:\Windows\System32\CatRoot2
+- %Windir%\Temp
+- C:\Windows\Temp
+- C:\Windows\Temp\
+- C:\Windows\Temp\*
+
+**Do not add exclusions for the following file extensions:**
+- .7zip
+- .bat
+- .bin
+- .cab
+- .cmd
+- .com
+- .cpl
+- .dll
+- .exe
+- .fla
+- .gif
+- .gz
+- .hta
+- .inf
+- .java
+- .jar
+- .job
+- .jpeg
+- .jpg
+- .js
+- .ko
+- .ko.gz
+- .msi
+- .ocx
+- .png
+- .ps1
+- .py
+- .rar
+- .reg
+- .scr
+- .sys
+- .tar
+- .tmp
+- .url
+- .vbe
+- .vbs
+- .wsf
+- .zip
+
+>[!NOTE]
+> You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
+
+**Do not add exclusions for the following processes:**
+- AcroRd32.exe
+- bitsadmin.exe
+- excel.exe
+- iexplore.exe
+- java.exe
+- outlook.exe
+- psexec.exe
+- powerpnt.exe
+- powershell.exe
+- schtasks.exe
+- svchost.exe
+- wmic.exe
+- winword.exe
+- wuauclt.exe
+- addinprocess.exe
+- addinprocess32.exe
+- addinutil.exe
+- bash.exe
+- bginfo.exe[1]
+- cdb.exe
+- csi.exe
+- dbghost.exe
+- dbgsvc.exe
+- dnx.exe
+- fsi.exe
+- fsiAnyCpu.exe
+- kd.exe
+- ntkd.exe
+- lxssmanager.dll
+- msbuild.exe[2]
+- mshta.exe
+- ntsd.exe
+- rcsi.exe
+- system.management.automation.dll
+- windbg.exe
+
+## Using just the file name in the exclusion list
+A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**.
+
+## Using a single exclusion list for multiple server workloads
+Do not use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload.
+
+## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists
+Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables.
+See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.
+
+## Related topics
+
+- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
index 9ca273c668..ac38745a10 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Manage Windows Defender in your business
description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender AV
keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
index 3464a06430..9800bbf096 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
@@ -7,7 +7,6 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@@ -23,13 +22,11 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-**Use Microsoft Intune to configure scanning options**
+## Use Microsoft Intune to configure scanning options
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
-
-
-## Use Microsoft Endpoint Configuration Manager to configure scanning options:
+## Use Microsoft Endpoint Configuration Manager to configure scanning options
See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
@@ -70,6 +67,8 @@ See [Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell
For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
+
+
## Email scanning limitations
Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
index 5fb8feab26..8a479654ed 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Enable Block at First Sight to detect malware in seconds
description: Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly.
keywords: scan, BAFS, malware, first seen, first sight, cloud, defender
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@@ -33,7 +31,7 @@ You can [specify how long the file should be prevented from running](configure-c
When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean.
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
index 7840be58fc..3d86286bb7 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure the Microsoft Defender AV cloud block timeout period
description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination.
keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -15,7 +14,6 @@ ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
-ms.custom: nextgen
---
# Configure the cloud block timeout period
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
index b7af3e0452..0c3ce33cac 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure how users can interact with Microsoft Defender AV
description: Configure how end-users interact with Microsoft Defender AV, what notifications they see, and if they can override settings.
keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -12,7 +11,6 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
index 78dd9f20a7..e7d0bb0417 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Set up exclusions for Microsoft Defender AV scans
description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender AV. Validate your exclusions with PowerShell.
keywords:
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@@ -25,13 +23,26 @@ manager: dansimp
You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
->[!WARNING]
->Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+## Configure and validate exclusions
+
+To configure and validate exclusions, see the following:
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process.
+## Recommendations for defining exclusions
+
+Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+
+The following is a list of recommendations that you should keep in mind when defining exclusions:
+
+- Exclusions are technically a protection gap—always consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc.
+- Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process.
+- Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues—mostly around performance, or sometimes around application compatibility that exclusions could mitigate.
+- Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded.
+
## Related articles
-[Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md)
\ No newline at end of file
+- [Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md)
+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
index 17b4284fa0..d9e2707453 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Configure and validate exclusions based on extension, name, or location
description: Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
keywords: exclusions, files, extension, file type, folder name, file name, scans
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@@ -30,9 +28,9 @@ manager: dansimp
You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
> [!NOTE]
-> Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
+> Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell.
-This article describes how to configure exclusion lists for the files and folders.
+This article describes how to configure exclusion lists for the files and folders. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
Exclusion | Examples | Exclusion list
---|---|---
@@ -199,9 +197,9 @@ The following table describes how the wildcards can be used and provides some ex
-### System environmental variables
+### System environment variables
-The following table lists and describes the system account environmental variables.
+The following table lists and describes the system account environment variables.
@@ -569,3 +567,4 @@ You can also copy the string into a blank text file and attempt to save it with
- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
index 16fc08a832..e77c12eda2 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure local overrides for Microsoft Defender AV settings
description: Enable or disable users from locally changing settings in Microsoft Defender AV.
keywords: local override, local policy, group policy, gpo, lockdown,merge, lists
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
index 3f6f29e47b..c705e4b465 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
@@ -3,7 +3,6 @@ title: Configure Microsoft Defender Antivirus features
description: You can configure Microsoft Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell.
keywords: Microsoft Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
index f441fe1064..1901905edb 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure and validate Microsoft Defender Antivirus network connections
description: Configure and test your connection to the Microsoft Defender Antivirus cloud protection service.
keywords: antivirus, Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -12,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 06/25/2020
+ms.date: 07/08/2020
ms.reviewer:
manager: dansimp
---
@@ -47,13 +46,15 @@ See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defend
After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
-Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.
+Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection.
+
+The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.
| **Service**| **Description** |**URL** |
| :--: | :-- | :-- |
| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` `*.wdcpalt.microsoft.com` `*.wd.microsoft.com`|
-| Microsoft Update Service (MU) Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com` `*.delivery.mp.microsoft.com` `*.windowsupdate.com` for details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)|
+| Microsoft Update Service (MU) Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com` `*.delivery.mp.microsoft.com` `*.windowsupdate.com`
For details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)|
|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com` `*.download.windowsupdate.com` `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|
| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net` `ussus1westprod.blob.core.windows.net` `usseu1northprod.blob.core.windows.net` `usseu1westprod.blob.core.windows.net` `ussuk1southprod.blob.core.windows.net` `ussuk1westprod.blob.core.windows.net` `ussas1eastprod.blob.core.windows.net` `ussas1southeastprod.blob.core.windows.net` `ussau1eastprod.blob.core.windows.net` `ussau1southeastprod.blob.core.windows.net` |
| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/` `https://www.microsoft.com/pkiops/certs` `https://crl.microsoft.com/pki/crl/products` `https://www.microsoft.com/pki/certs` |
@@ -112,9 +113,6 @@ You will also see a detection under **Quarantined threats** in the **Scan histor
The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-microsoft-defender-antivirus.md).
->[!IMPORTANT]
->You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity.
-
## Related articles
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
index 57a0ea6f0e..945265b8a3 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure Microsoft Defender Antivirus notifications
description: Configure and customize Microsoft Defender Antivirus notifications.
keywords: notifications, defender, antivirus, endpoint, management, admin
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
index ffe624dd8e..31d62322c4 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure exclusions for files opened by specific processes
description: You can exclude files from scans if they have been opened by a specific process.
keywords: Microsoft Defender Antivirus, process, exclusion, files, scans
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -22,7 +21,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans.
+You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
This topic describes how to configure exclusion lists for the following:
@@ -194,5 +193,6 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
index 2f09169a15..20f94ac46b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Enable and configure Microsoft Defender Antivirus protection features
description: Enable behavior-based, heuristic, and real-time protection in Microsoft Defender AV.
keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, Microsoft Defender Antivirus, antimalware, security, defender
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
index 727463b3d6..6bcef11259 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Enable and configure Microsoft Defender Antivirus protection capabilities
description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning
keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
index f8ac6071ef..8b66efba75 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Remediate and resolve infections detected by Microsoft Defender Antivirus
description: Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
keywords: remediation, fix, remove, threats, quarantine, scan, restore
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -54,9 +53,9 @@ Threats | Specify threats upon which default action should not be taken when det
> [!IMPORTANT]
> Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
->
+>
> If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Microsoft Defender Antivirus](restore-quarantined-files-microsoft-defender-antivirus.md).
->
+>
> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md).
Also see [Configure remediation-required scheduled full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md#remed) for more remediation-related settings.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
index 59e059aeb5..ab7fa39e3c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
@@ -5,7 +5,6 @@ manager: dansimp
description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions.
keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -18,10 +17,6 @@ ms.custom: nextgen
# Configure Microsoft Defender Antivirus exclusions on Windows Server
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
> [!NOTE]
@@ -43,7 +38,7 @@ In addition to server role-defined automatic exclusions, you can add or remove c
## Opt out of automatic exclusions
-In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles.
+In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
> [!WARNING]
> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles.
@@ -401,11 +396,8 @@ This section lists the folder exclusions that are delivered automatically when y
## Related articles
- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
-
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-
+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
index 0a108f47da..440b53b85c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Run and customize scheduled and on-demand scans
description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
index 0a108f47da..440b53b85c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Run and customize scheduled and on-demand scans
description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
index b9406da6f4..0036dd3c81 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Deploy, manage, and report on Microsoft Defender Antivirus
description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI
keywords: deploy, manage, update, protection, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
index 6e0bb71ecc..56d1a243c9 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Deploy and enable Microsoft Defender Antivirus
description: Deploy Microsoft Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI.
keywords: deploy, enable, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
index a906762b9a..c2f2824510 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment gu
description: Learn how to deploy Microsoft Defender Antivirus in a virtual desktop environment for the best balance between protection and performance.
keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
index 40994831c4..f996b8c772 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Block potentially unwanted applications with Microsoft Defender Antivirus
description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware.
keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
index 84f310871d..dbd8db2df4 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Enable cloud-delivered protection in Microsoft Defender Antivirus
description: Enable cloud-delivered protection to benefit from fast and advanced protection features.
keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@@ -25,7 +23,7 @@ ms.custom: nextgen
> [!NOTE]
> The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
index 1c2dec92b5..f6fcbbbeda 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Evaluate Microsoft Defender Antivirus
description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows 10.
keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@@ -31,7 +29,7 @@ Use this guide to determine how well Microsoft Defender Antivirus protects you f
>- Fast learning (including Block at first sight)
>- Potentially unwanted application blocking
-It explains the important next generation protection features of Microsoft Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network.
+It explains the important next-generation protection features of Microsoft Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network.
You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-history-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-history-wdsc.png
index cdc75b8852..35f66083f3 100644
Binary files a/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-history-wdsc.png and b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-history-wdsc.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
index 545f77a114..75c974ae9b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Enable the limited periodic Microsoft Defender Antivirus scanning feature
description: Limited periodic scanning lets you use Microsoft Defender Antivirus in addition to your other installed AV providers
keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
index c29455e452..8b91ba2fde 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Apply Microsoft Defender Antivirus updates after certain events
description: Manage how Microsoft Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports.
keywords: updates, protection, force updates, events, startup, check for latest, notifications
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
index 8956c31df7..690a9eee6a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Apply Microsoft Defender AV protection updates to out of date endpoints
description: Define when and how updates should be applied for endpoints that have not updated in a while.
keywords: updates, protection, out-of-date, outdated, old, catch-up
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
index 5ba75a3387..b626c962ef 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Schedule Microsoft Defender Antivirus protection updates
description: Schedule the day, time, and interval for when protection updates should be downloaded
keywords: updates, security baselines, schedule updates
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
search.appverid: met150
ms.mktglfcycl: manage
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
index 58e3fd0a6f..38a6d28737 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Manage how and where Microsoft Defender AV receives updates
description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates.
keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index f619b37fca..6f73b79b2b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Manage Microsoft Defender Antivirus updates and apply baselines
description: Manage how Microsoft Defender Antivirus receives protection and product updates.
keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -58,6 +57,28 @@ All our updates contain:
* serviceability improvements
* integration improvements (Cloud, MTP)
+
+ June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2)
+
+ Security intelligence update version: **1.319.20.0**
+ Released: **June 22, 2020**
+ Platform: **4.18.2006.10**
+ Engine: **1.1.17200.2**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
+* Skipping aggressive catchup scan in Passive mode.
+* Allow Defender to update on metered connections
+* Fixed performance tuning when caching is disabled
+* Fixed registry query
+* Fixed scantime randomization in ADMX
+
+### Known Issues
+No known issues
+
+
+
May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
index fb9cbcf454..86217f98d9 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Define how mobile devices are updated by Microsoft Defender AV
description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender AV protection updates.
keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 1c06747e7f..8f16436956 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -7,7 +7,6 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@@ -27,7 +26,7 @@ manager: dansimp
Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode.
- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.)
-- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/shadow-protection) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
+- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
## Antivirus and Microsoft Defender ATP
@@ -97,3 +96,5 @@ If you uninstall the other product, and choose to use Microsoft Defender Antivir
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md)
- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
+- [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
+- [Configure Endpoint Protection on a standalone client](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure-standalone-client)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
index 4be2a05301..3952f63c4c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
@@ -3,7 +3,6 @@ title: Next-generation protection in Windows 10, Windows Server 2016, and Window
description: Learn how to manage, configure, and use Microsoft Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016
keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
index 2108fffbab..a5087f74b0 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
@@ -7,7 +7,6 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@@ -20,7 +19,8 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Windows Server 2016
+- Windows Server 2019
Microsoft Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
index 0a396c5667..e824427101 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
@@ -3,7 +3,6 @@ title: Microsoft Defender Offline in Windows 10
description: You can use Microsoft Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network.
keywords: scan, defender, offline
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
index 1bb6d1137c..d32346b285 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
@@ -3,7 +3,6 @@ title: Microsoft Defender Antivirus in the Windows Security app
description: With Microsoft Defender AV now included in the Windows Security app, you can review, compare, and perform common tasks.
keywords: wdav, antivirus, firewall, security, windows
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
index 58f370b7dd..55931f992b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: "Better together - Microsoft Defender Antivirus and Office 365 (including
description: "Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more."
keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 3d058b3d8f..52690f977b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -9,7 +9,6 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
@@ -28,6 +27,7 @@ ms.custom: nextgen
During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
With tamper protection, malicious apps are prevented from taking actions such as:
+
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
@@ -38,7 +38,8 @@ With tamper protection, malicious apps are prevented from taking actions such as
### How it works
Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:
-- Configuring settings in Registry Editor on your Windows machine
+
+- Configuring settings in Registry Editor on your Windows machine
- Changing settings through PowerShell cmdlets
- Editing or removing security settings through group policies
@@ -60,9 +61,9 @@ Tamper protection doesn't prevent you from viewing your security settings. And,
> [!NOTE]
> Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry.
->
+>
> To help ensure that tamper protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
->
+>
> Once you’ve made this update, tamper protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do this.
@@ -172,23 +173,23 @@ If you are an organization using [Microsoft Defender ATP E5](https://www.microso
### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy?
-Your regular group policy doesn’t apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on.
+Your regular group policy doesn’t apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on.
->[!NOTE]
->A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection. To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Microsoft Defender Antivirus settings.
-> Sample Microsoft Defender Antivirus settings:
-> Turn off Microsoft Defender Antivirus
-> Computer Configuration\Administrative Templates\Windows Components\Windows Defender\
-Value DisableAntiSpyware = 0
->Turn off real-time protection
-Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\
-Value DisableRealtimeMonitoring = 0
+> [!NOTE]
+> A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection.
+
+To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Microsoft Defender Antivirus settings.
+
+Some sample Microsoft Defender Antivirus settings:
+
+- *Turn off real-time protection*
+ Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\\
+ Value `DisableRealtimeMonitoring` = 0
### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only?
Configuring tamper protection in Intune can be targeted to your entire organization as well as to specific devices and user groups.
-
### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager?
Currently we do not have support to manage Tamper Protection through Microsoft Endpoint Configuration Manager.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
index 18c0fdfc15..a2c6bdee36 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Hide the Microsoft Defender Antivirus interface
description: You can hide virus and threat protection tile in the Windows Security app.
keywords: ui lockdown, headless mode, hide app, hide settings, hide interface
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
index aa0b387ceb..da205310f1 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Monitor and report on Microsoft Defender Antivirus protection
description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Microsoft Defender AV with PowerShell and WMI.
keywords: siem, monitor, report, Microsoft Defender AV
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
index 325b0800ee..434a02f941 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Restore quarantined files in Microsoft Defender AV
description: You can restore files and folders that were quarantined by Microsoft Defender AV.
keywords:
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
index 1e4a2b7142..d23aa3b802 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Review the results of Microsoft Defender AV scans
description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
keywords: scan results, remediation, full scan, quick scan
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
index a0fc81be46..5266967e27 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Run and customize on-demand scans in Microsoft Defender AV
description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
keywords: scan, on-demand, dos, intune, instant scan
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
index a155de8626..7c297d11d4 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Schedule regular quick and full scans with Microsoft Defender AV
description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -12,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 12/10/2018
+ms.date: 07/22/2020
ms.reviewer:
manager: dansimp
---
@@ -71,7 +70,7 @@ Scheduled scans will run at the day and time you specify. You can use Group Poli
>[!NOTE]
>If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time.
-**Use Group Policy to schedule scans:**
+### Use Group Policy to schedule scans
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
@@ -80,7 +79,7 @@ Scan | Specify the day of the week to run a scheduled scan | Specify the day (or
Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am
Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours. In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled
-**Use PowerShell cmdlets to schedule scans:**
+### Use PowerShell cmdlets to schedule scans
Use the following cmdlets:
@@ -94,7 +93,7 @@ Set-MpPreference -RandomizeScheduleTaskTimes
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-**Use Windows Management Instruction (WMI) to schedule scans:**
+### Use Windows Management Instruction (WMI) to schedule scans
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
@@ -113,13 +112,16 @@ See the following for more information and allowed parameters:
You can set the scheduled scan to only occur when the endpoint is turned on but not in use with Group Policy, PowerShell, or WMI.
-**Use Group Policy to schedule scans**
+> [!NOTE]
+> These scans will not honor the CPU throttling configuration and take full advantage of the resources available to complete the scan as fast as possible.
+
+### Use Group Policy to schedule scans
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled
-**Use PowerShell cmdlets:**
+### Use PowerShell cmdlets
Use the following cmdlets:
@@ -129,7 +131,7 @@ Set-MpPreference -ScanOnlyIfIdleEnabled
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-**Use Windows Management Instruction (WMI):**
+### Use Windows Management Instruction (WMI)
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
@@ -146,15 +148,14 @@ See the following for more information and allowed parameters:
Some threats may require a full scan to complete their removal and remediation. You can schedule when these scans should occur with Group Policy, PowerShell, or WMI.
-
-**Use Group Policy to schedule remediation-required scans**
+### Use Group Policy to schedule remediation-required scans
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
-**Use PowerShell cmdlets:**
+### Use PowerShell cmdlets
Use the following cmdlets:
@@ -165,7 +166,7 @@ Set-MpPreference -RemediationScheduleTime
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-**Use Windows Management Instruction (WMI):**
+### Use Windows Management Instruction (WMI)
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
@@ -185,14 +186,14 @@ See the following for more information and allowed parameters:
You can enable a daily quick scan that can be run in addition to your other scheduled scans with Group Policy, PowerShell, or WMI.
-**Use Group Policy to schedule daily scans:**
+### Use Group Policy to schedule daily scans
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never
Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
-**Use PowerShell cmdlets to schedule daily scans:**
+### Use PowerShell cmdlets to schedule daily scans
Use the following cmdlets:
@@ -202,7 +203,7 @@ Set-MpPreference -ScanScheduleQuickTime
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-**Use Windows Management Instruction (WMI) to schedule daily scans:**
+### Use Windows Management Instruction (WMI) to schedule daily scans
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
@@ -219,16 +220,12 @@ See the following for more information and allowed parameters:
You can force a scan to occur after every [protection update](manage-protection-updates-microsoft-defender-antivirus.md) with Group Policy.
-**Use Group Policy to schedule scans after protection updates**
+### Use Group Policy to schedule scans after protection updates
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled
-
-
-
-
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
index c6a20d3a13..07f45f646e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
@@ -7,11 +7,10 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 09/03/2018
+ms.date: 08/12/2020
ms.reviewer:
manager: dansimp
ms.custom: nextgen
@@ -62,7 +61,8 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
5. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**.
6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
- - **Default Microsoft Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.
+ - **Default blocking level** provides strong detection without increasing the risk of detecting legitimate files.
+ - **Moderate blocking level** provides moderate only for high confidence detections
- **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
- **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
- **Zero tolerance blocking level** blocks all unknown executables.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
index 75665404c2..6bc4a4a744 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Microsoft Defender AV event IDs and error codes
description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors
keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
index 43310f4b21..a2747a705d 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
@@ -3,7 +3,6 @@ title: Troubleshoot problems with reporting tools for Microsoft Defender AV
description: Identify and solve common problems when attempting to report in Microsoft Defender AV protection status in Update Compliance
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
index 266e82be31..58572c3d52 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Configure Microsoft Defender Antivirus with Group Policy
description: Configure Microsoft Defender Antivirus settings with Group Policy
keywords: group policy, GPO, configuration, settings
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
index 37d31d6dc7..71edcfc785 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure Microsoft Defender Antivirus with Configuration Manager and Int
description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection
keywords: scep, intune, endpoint protection, configuration
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
index de3c6cfb93..2bfad82a62 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Use PowerShell cmdlets to configure and run Microsoft Defender AV
description: In Windows 10, you can use PowerShell cmdlets to run scans, update Security intelligence, and change settings in Microsoft Defender Antivirus.
keywords: scan, command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -12,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 02/24/2020
+ms.date: 07/23/2020
ms.reviewer:
manager: dansimp
---
@@ -59,3 +58,4 @@ Omit the `-online` parameter to get locally cached help.
- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus Cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
index 5a54bd4546..49f9134d53 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure Microsoft Defender Antivirus with WMI
description: Use WMI scripts to configure Microsoft Defender AV.
keywords: wmi, scripts, windows management instrumentation, configuration
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
index e998e86722..9eb816975e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Use next-generation technologies in Microsoft Defender Antivirus through
description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection.
keywords: Microsoft Defender Antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@@ -24,7 +22,7 @@ ms.custom: nextgen
Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
To take advantage of the power and speed of these next-generation technologies, Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
index 51cc0fbe72..91d3f43edb 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: "Why you should use Microsoft Defender Antivirus together with Microsoft
description: "For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings."
keywords: windows defender, antivirus, third party av
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.topic: article
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index 0a946cec7c..4dcd95abef 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 06/02/2020
+ms.date: 08/17/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -43,16 +43,20 @@ Depending on your organization's settings, employees can copy and paste images (
### Why don't employees see their Favorites in the Application Guard Edge session?
-To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.
+To help keep the Application Guard Edge session secure and isolated from the host device, favorites that are stored in an Application Guard Edge session are not copied to the host device.
-### Why aren’t employees able to see their Extensions in the Application Guard Edge session?
+### Are extensions supported in the Application Guard?
-Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.
+Extension installs in the container are supported from Microsoft Edge version 81. For more details, see [Extension support inside the container](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard#extension-support-inside-the-container).
### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
+If Application Guard is used with network proxies, they need to be specified by fully qualified domain name (FQDN) in the system proxy settings (likewise in a PAC script if that is the type of proxy configuration used). Additionally these proxies need to be marked as *neutral* in the **Application trust** list. The FQDNs for the PAC file and the proxy servers the PAC file redirects to must be added as neutral resources in the network isolation policies that are used by Application Guard. You can verify this by going to `edge://application-guard-internals/#utilities` and entering the FQDN for the pac/proxy in the **check url trust** field. Verify that it says *Neutral.*
+
+Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the enterprise IP ranges in the network isolation policies that are used by Application Guard. Additionally, go to `edge://application-guard-internals/#utilities` to view the Application Guard proxy configuration. This step can be done in both the host and within Application Guard to verify that each side is using the proxy setup you expect.
+
### Which Input Method Editors (IME) in 19H1 are not supported?
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard.
@@ -83,27 +87,88 @@ To trust a subdomain, you must precede your domain with two dots, for example: `
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
-When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
+When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's standalone mode. However, when using Windows Enterprise you will have access to Application Guard's enterprise-managed mode. This mode has some extra features that the standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
### Is there a size limit to the domain lists that I need to configure?
-Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383B limit.
+Yes, both the enterprise resource domains hosted in the cloud and the domains categorized as both work and personal have a 16383B limit.
### Why does my encryption driver break Microsoft Defender Application Guard?
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT").
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work, and will result in an error message (*0x80070013 ERROR_WRITE_PROTECT*).
-### Why do the Network Isolation policies in Group Policy and CSP look different?
+### Why do the network isolation policies in Group Policy and CSP look different?
-There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatary network isolation policies to deploy WDAG are different between CSP and GP.
+There is not a one-to-one mapping among all the network isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
-Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (*0x80070013 ERROR_WRITE_PROTECT*).
### Why did Application Guard stop working after I turned off hyperthreading?
-If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
+If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility that Microsoft Defender Application Guard no longer meets the minimum requirements.
+### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")?
+
+Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
+
+### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file?
+
+This is a known issue. To mitigate this you need to create two firewall rules.
+For guidance on how to create a firewall rule by using group policy, see:
+- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
+- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
+
+First rule (DHCP Server):
+1. Program path: `%SystemRoot%\System32\svchost.exe`
+2. Local Service: Sid: `S-1-5-80-2009329905-444645132-2728249442-922493431-93864177` (Internet Connection Service (SharedAccess))
+3. Protocol UDP
+4. Port 67
+
+Second rule (DHCP Client)
+This is the same as the first rule, but scoped to local port 68.
+In the Microsoft Defender Firewall user interface go through the following steps:
+1. Right click on inbound rules, create a new rule.
+2. Choose **custom rule**.
+3. Program path: **%SystemRoot%\System32\svchost.exe**.
+4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
+5. Any IP addresses.
+6. Allow the connection.
+7. All profiles.
+8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
+9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
+
+### Why can I not launch Application Guard when Exploit Guard is enabled?
+
+There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to the **use default**.
+
+
+### How can I have ICS in enabled state yet still use Application Guard?
+
+This is a two step process.
+
+Step 1:
+
+Enable Internet Connection sharing by changing the Group Policy setting **Prohibit use of Internet Connection Sharing on your DNS domain network.** This setting is part of the Microsoft security baseline. Change it from **Enabled** to **Disabled**.
+
+Step 2:
+
+1. Disable IpNat.sys from ICS load:
+`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`.
+2. Configure ICS (SharedAccess) to enabled:
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`.
+3. Disable IPNAT (Optional):
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`.
+4. Restart the device.
+
+### Why doesn't Application Guard work, even though it's enabled through Group Policy?
+
+Application Guard must meet all these prerequisites to be enabled in Enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard).
+To understand why it is not enabled in Enterprise mode, check the status of the evaluation to understand what's missing.
+
+For CSP (Intune) you can query the status node by using **Get**. This is described in the [Application Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp). On this page, you will see the **status** node as well as the meaning of each bit. If the status is not 63, you are missing a prerequisite.
+
+For Group Policy you need to look at the registry. See **Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP** Status. The meaning of each bit is the same as the CSP.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
new file mode 100644
index 0000000000..647939803c
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
@@ -0,0 +1,56 @@
+---
+title: Access the Microsoft Defender Security Center MSSP customer portal
+description: Access the Microsoft Defender Security Center MSSP customer portal
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Access the Microsoft Defender Security Center MSSP customer portal
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+
+
+
+>[!NOTE]
+>These set of steps are directed towards the MSSP.
+
+By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
+
+
+MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
+
+In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
+
+
+Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
+
+1. As an MSSP, login to Azure AD with your credentials.
+
+2. Switch directory to the MSSP customer's tenant.
+
+3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field.
+
+4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`.
+
+
+## Related topics
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Configure alert notifications](configure-mssp-notifications.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
index e520b394a2..07fcff8c6f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
@@ -28,7 +28,7 @@ Adds or remove tag to a specific [Machine](machine.md).
## Limitations
-1. You can post on machines last seen in the past 30 days.
+1. You can post on machines last seen according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -50,7 +50,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
## HTTP request
-```
+```http
POST https://api.securitycenter.windows.com/api/machines/{id}/tags
```
@@ -83,12 +83,13 @@ Here is an example of a request that adds machine tag.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-```
+```http
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
Content-type: application/json
{
"Value" : "test Tag 2",
"Action": "Add"
}
+```
-- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
\ No newline at end of file
+- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
index fc9bf5c636..d5802d8faf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@@ -175,12 +175,19 @@ When you enable Intune integration, Intune will automatically create a classic C
>[!NOTE]
> The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints.
+
## Preview features
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available.
+## Share endpoint alerts with Microsoft Compliance Center
+
+Forwards endpoint security alerts and their triage status to Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.
+
+After configuring the [Security policy violation indicators](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings.md#indicators) in the insider risk management settings, Microsoft Defender ATP alerts will be shared with insider risk management for applicable users.
+
## Enable advanced features
1. In the navigation pane, select **Preferences setup** > **Advanced features**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
index d568ae26bb..cad9c6214b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
@@ -43,6 +43,7 @@ For information on other tables in the advanced hunting schema, see [the advance
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
| `RemoteIP` | string | IP address that was being connected to |
+| `AttackTechniques` | string | MITRE ATT&CK techniques associated with the activity that triggered the alert |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
| `Table` | string | Table that contains the details of the event |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
index f48045b11f..1f7e4db8a1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
@@ -27,6 +27,10 @@ ms.topic: article
The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
+> [!NOTE]
+> Collection of DeviceLogonEvents is not supported on Windows 7 or Windows Server 2008 R2.
+> We recommend upgrading to Windows 10 or Windows Server 2019 for optimal visibility into user logon activity.
+
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
@@ -68,4 +72,4 @@ For information on other tables in the advanced hunting schema, see [the advance
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
\ No newline at end of file
+- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
index 94c74051a1..59a850ea64 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@@ -57,3 +57,4 @@ Table and column names are also listed within the Microsoft Defender Security Ce
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Learn the query language](advanced-hunting-query-language.md)
+- [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index e8811269cd..820026e626 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -49,9 +49,9 @@ lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that
firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that device.
lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated.
resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
-incidentId | Nullable Long | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert.
-investigationId | Nullable Long | The [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) ID related to the Alert.
-investigationState | Nullable Enum | The current state of the [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
+incidentId | Nullable Long | The [Incident](view-incidents-queue.md) ID of the Alert.
+investigationId | Nullable Long | The [Investigation](automated-investigations.md) ID related to the Alert.
+investigationState | Nullable Enum | The current state of the [Investigation](automated-investigations.md). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
assignedTo | String | Owner of the alert.
severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
@@ -61,6 +61,8 @@ category| String | Category of the alert.
detectionSource | String | Detection source.
threatFamilyName | String | Threat family.
machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
+computerDnsName | String | [machine](machine.md) fully qualified name.
+aadTenantId | String | The Azure Active Directory ID.
comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
### Response example for getting single alert:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
index 182bb5e356..9022d913df 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
@@ -29,8 +29,8 @@ Directory enables enforcing Device compliance and Conditional Access policies
based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense
(MTD) solution that you can deploy to leverage this capability via Intune.
-For more information on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
-Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android).
+For more information about how to set up Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
+Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
## Configure custom indicators
@@ -43,7 +43,10 @@ Microsoft Defender ATP for Android enables admins to configure custom indicators
## Configure web protection
Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
-For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android).
+>[!NOTE]
+> Microsoft Defender ATP for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
+For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-manage-android).
+
## Related topics
- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
index cb62aaa586..d2f56eeeb1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
@@ -26,7 +26,7 @@ ms.topic: conceptual
This topic describes deploying Microsoft Defender ATP for Android on Intune
Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your
-device](https://microsoft.sharepoint.com/teams/WDATPIndia/Shared%20Documents/General/PM%20Docs/External%20Documentation/aka.ms/enrollAndroid).
+device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal).
> [!NOTE]
@@ -45,7 +45,7 @@ This topic describes how to deploy Microsoft Defender ATP for Android on Intune
Download the onboarding package from Microsoft Defender Security Center.
1. In [Microsoft Defender Security
-Center](https://microsoft.sharepoint.com/teams/WDATPIndia/Shared%20Documents/General/PM%20Docs/External%20Documentation/securitycenter.microsoft.com), go to **Settings** \> **Machine Management** \> **Onboarding**.
+Center](https://securitycenter.microsoft.com), go to **Settings** \> **Machine Management** \> **Onboarding**.
2. In the first drop-down, select **Android** as the Operating system.
@@ -136,7 +136,7 @@ Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) .
As Microsoft Defender ATP for Android is deployed via managed Google Play,
updates to the app are automatic via Google Play.
-Currently only Work Profile enrolled devices are supported for deployment.
+Currently only Personal devices with Work Profile enrolled are supported for deployment.
>[!NOTE]
@@ -283,7 +283,7 @@ and then your onboarding should be successful.
4. At this stage the device is successfully onboarded onto Microsoft Defender
ATP for Android. You can verify this on the [Microsoft Defender Security
-Center](https://microsoft.sharepoint.com/teams/WDATPIndia/Shared%20Documents/General/PM%20Docs/External%20Documentation/securitycenter.microsoft.com)
+Center](https://securitycenter.microsoft.com)
by navigating to the **Devices** page.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
index 546c64449d..a7f95c1789 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
@@ -123,7 +123,7 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a
## Power BI dashboard samples in GitHub
-For more information see the [Power BI report templates](https://github.com/microsoft/MDATP-PowerBI-Templates).
+For more information see the [Power BI report templates](https://github.com/microsoft/MicrosoftDefenderATP-PowerBI).
## Sample reports
View the Microsoft Defender ATP Power BI report samples. For more information, see [Browse code samples](https://docs.microsoft.com/samples/browse/?products=mdatp).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
index ffa10fbfc2..992ba51235 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
@@ -7,7 +7,6 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: martyav
@@ -51,7 +50,7 @@ ASR currently supports all of the rules below:
* [Block all Office applications from creating child processes](attack-surface-reduction.md#block-all-office-applications-from-creating-child-processes)
* [Block Office applications from creating executable content](attack-surface-reduction.md#block-office-applications-from-creating-executable-content)
* [Block Office applications from injecting code into other processes](attack-surface-reduction.md#block-office-applications-from-injecting-code-into-other-processes)
-* [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md##block-javascript-or-vbscript-from-launching-downloaded-executable-content)
+* [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md#block-javascript-or-vbscript-from-launching-downloaded-executable-content)
* [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts)
* [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros)
* [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index a6be5fa509..de60666730 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -3,7 +3,6 @@ title: Use attack surface reduction rules to prevent malware infection
description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.
keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -31,7 +30,7 @@ Attack surface reduction rules target software behaviors that are often abused b
- Running obfuscated or otherwise suspicious scripts
- Performing behaviors that apps don't usually initiate during normal day-to-day work
-These behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe.
+Such behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe.
Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
@@ -96,7 +95,7 @@ The following sections describe each of the 15 attack surface reduction rules. T
|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Not supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
@@ -113,7 +112,7 @@ The following sections describe each of the 15 attack surface reduction rules. T
This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
- Executable files (such as .exe, .dll, or .scr)
-- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+- Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
@@ -191,9 +190,6 @@ This rule prevents scripts from launching potentially malicious downloaded conte
Although not common, line-of-business applications sometimes use scripts to download and launch installers.
-> [!IMPORTANT]
-> File and folder exclusions don't apply to this attack surface reduction rule.
-
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
@@ -330,7 +326,7 @@ GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c`
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
* Executable files (such as .exe, .dll, or .scr)
-* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+* Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
@@ -346,7 +342,7 @@ GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
### Block Office communication application from creating child processes
-This rule prevents Outlook from creating child processes, while till allowing legitimate Outlook functions.
+This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
@@ -385,13 +381,16 @@ GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
This rule prevents malware from abusing WMI to attain persistence on a device.
+> [!IMPORTANT]
+> File and folder exclusions don't apply to this attack surface reduction rule.
+
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
This rule was introduced in:
- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
-Intune name: Block persistence through WMI event subscription
+Intune name: Not yet available
Configuration Manager name: Not yet available
diff --git a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
index db8dec5ba9..093a2013f5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
@@ -1,9 +1,8 @@
---
-title: Test how Microsoft Defender ATP features work
-description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it were enabled
+title: Test how Microsoft Defender ATP features work in audit mode
+description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it was enabled.
keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -12,28 +11,27 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 04/02/2019
ms.reviewer:
manager: dansimp
---
-# Use audit mode
+# Test how Microsoft Defender ATP features work in audit mode
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
+You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature.
-You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
+You may want to enable audit mode when testing how the features will work in your organization. Ensure it doesn't affect your line-of-business apps, and get an idea of how many suspicious file modification attempts generally occur over a certain period of time.
-While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
+The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log will record events as if the features were fully enabled. With audit mode, you can review the event log to see what impact the feature would have had if it was enabled.
To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**.
You can use Microsoft Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
+This article provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
index dab80159ea..cb7648e275 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -158,4 +158,7 @@ When you click on the pending actions link, you'll be taken to the Action center
## Next steps
-[View and approve remediation actions](manage-auto-investigation.md)
+- [View and approve remediation actions](manage-auto-investigation.md)
+
+- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index 81ce65baaa..fa431dbc93 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -21,16 +21,16 @@ ms.topic: conceptual
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh]
-Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually.
+Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, and to reduce the volume of alerts that must be investigated individually, Microsoft Defender ATP includes automated investigation and remediation capabilities.
-The automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when the investigation was initiated.
+Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when each investigation was initiated.
> [!TIP]
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
## How the automated investigation starts
-When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
+When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
>[!NOTE]
>Currently, automated investigation only supports the following OS versions:
@@ -41,7 +41,7 @@ When an alert is triggered, a security playbook goes into effect. Depending on t
## Details of an automated investigation
-During and after an automated investigation, you can view details about the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs.
+During and after an automated investigation, you can view details about the investigation. Select a triggering alert to view the investigation details. From there, you can go to the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs.
|Tab |Description |
|--|--|
@@ -50,7 +50,7 @@ During and after an automated investigation, you can view details about the inve
|**Evidence** |Shows the entities that were found to be malicious during the investigation.|
|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.|
-|**Pending actions** |If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. |
+|**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. |
> [!IMPORTANT]
> Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
@@ -59,33 +59,39 @@ During and after an automated investigation, you can view details about the inve
While an investigation is running, any other alerts generated from the device are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.
-If an incriminated entity is seen in another device, the automated investigation process will expand its scope to include that device, and a general security playbook will start on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
+If an incriminated entity is seen in another device, the automated investigation process expands its scope to include that device, and a general security playbook starts on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action requires an approval, and is visible on the **Pending actions** tab.
## How threats are remediated
-Depending on how you set up the device groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats.
+Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically remediates threats.
+
+> [!NOTE]
+> Microsoft Defender ATP tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
You can configure the following levels of automation:
|Automation level | Description|
|---|---|
-|No automated response | Devices do not get any automated investigations run on them. |
-|Semi - require approval for any remediation | This is the default automation level.
An approval is needed for any remediation action. |
-|Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders.
Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.|
-|Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.
Files or executables in all other folders will automatically be remediated if needed.|
-|Full - remediate threats automatically | All remediation actions will be performed automatically.|
+|**Full - remediate threats automatically** | All remediation actions are performed automatically.
*This option is selected by default for Microsoft Defender ATP tenants created on or after August 16, 2020.*|
+|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.
Files or executables in all other folders are automatically remediated, if needed.|
+|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.
Files or executables in temporary folders, such as the user's download folder or the user's temp folder, are automatically be remediated (if needed).|
+|**Semi - require approval for any remediation** | An approval is needed for any remediation action.
*This option is selected by default for Microsoft Defender ATP tenants created before August 16, 2020.*|
+|**No automated response** | Devices do not get any automated investigations run on them.
*This option is not recommended, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* |
-> [!TIP]
-> For more information on how to configure these automation levels, see [Create and manage device groups](machine-groups.md).
+### A few points to keep in mind
-The default device group is configured for semi-automatic remediation. This means that any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** section. This can be changed to fully automatic so that no user approval is needed.
+- Your level of automation is determined by your device group settings. See [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
-When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
+- If your Microsoft Defender ATP tenant was created before August 16, 2020, you have a default device group that is configured for semi-automatic remediation. Any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can configure your device groups to use full automation so that no user approval is needed.
-## Next step
+- If your Microsoft Defender ATP tenant was created on or after August 16, 2020, you have a default device group that is configured for full automation. Remediation actions are taken automatically for entities that are considered to be malicious. Remediation actions that were taken can be viewed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center).
+
+## Next steps
- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
+- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
+
## Related articles
- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
index 04569f6785..4fc887a605 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
@@ -90,7 +90,7 @@ While the attack was detected and stopped, alerts, such as an "initial access al
This example shows how behavior-based device learning models in the cloud add new layers of protection against attacks, even after they have started running.
-### Example 2: NTML relay - Juicy Potato malware variant
+### Example 2: NTLM relay - Juicy Potato malware variant
As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Microsoft Defender ATP detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
index cf9bede7a1..558f93dfb9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
@@ -39,19 +39,28 @@ The following OS versions are supported:
>[!NOTE]
>A patch must be deployed before device onboarding in order to configure Microsoft Defender ATP to the correct environment.
-The following OS versions are not supported:
+The following OS versions are supported via Azure Security Center:
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
+
+The following OS versions are not supported:
+- Windows Server 2008 R2 SP1 (standalone, not via ASC)
+- Windows Server 2012 R2 (standalone, not via ASC)
+- Windows Server 2016 (standalone, not via ASC)
- Windows Server, version 1803
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro
- Windows 8 Pro
- Windows 8.1 Enterprise
- macOS
+- Linux
The initial release of Microsoft Defender ATP will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2019:
+## Threat Analytics
+Not currently available.
+
## Threat & Vulnerability Management
Not currently available.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
deleted file mode 100644
index 83e2b43c79..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-title: Configure Threat & Vulnerability Management in Microsoft Defender ATP
-ms.reviewer:
-description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft Endpoint Configuration Manager integrations.
-keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM
-search.product: Windows 10
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-# Configure Threat & Vulnerability Management
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft Endpoint Configuration Manager for a seamless collaboration of issue remediation.
-
-### Before you begin
-> [!IMPORTANT]
-> Threat & Vulnerability Management data currently supports Windows 10 devices. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.
-
-Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft Endpoint Configuration Manager.
-
->[!WARNING]
->Only Intune and Microsoft Endpoint Configuration Manager enrolled devices are supported in this scenario.
->Use any of the following options to enroll devices in Intune:
->- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
->- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
->- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).
-
-## Related topics
-
-- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
-- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation and exception](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
index 3f0a7dcdd7..413259ce26 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
@@ -101,6 +101,75 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
> If you don't set a value, the default value is to enable sample collection.
+## Other recommended configuration settings
+
+### Update endpoint protection configuration
+
+After configuring the onboarding script, continue editing the same group policy to add endpoint protection configurations. Perform group policy edits from a system running Windows 10 or Server 2019 to ensure you have all of the required Microsoft Defender Antivirus capabilities. You may need to close and reopen the group policy object to register the Defender ATP configuration settings.
+
+All policies are located under `Computer Configuration\Policies\Administrative Templates`.
+
+**Policy location:** \Windows Components\Windows Defender ATP
+
+Policy | Setting
+:---|:---
+Enable\Disable Sample collection| Enabled - "Enable sample collection on machines" checked
+
+
+**Policy location:** \Windows Components\Windows Defender Antivirus
+
+Policy | Setting
+:---|:---
+Configure detection for potentially unwanted applications | Enabled, Block
+
+**Policy location:** \Windows Components\Windows Defender Antivirus\MAPS
+
+Policy | Setting
+:---|:---
+Join Microsoft MAPS | Enabled, Advanced MAPS
+Send file samples when further analysis is required | Enabled, Send safe samples
+
+**Policy location:** \Windows Components\Windows Defender Antivirus\Real-time Protection
+
+Policy | Setting
+:---|:---
+Turn off real-time protection|Disabled
+Turn on behavior monitoring|Enabled
+Scan all downloaded files and attachments|Enabled
+Monitor file and program activity on your computer|Enabled
+
+
+**Policy location:** \Windows Components\Windows Defender Antivirus\Scan
+
+These settings configure periodic scans of the endpoint. We recommend performing a weekly quick scan, performance permitting.
+
+Policy | Setting
+:---|:---
+Check for the latest virus and spyware security intelligence before running a scheduled scan |Enabled
+
+
+
+**Policy location:** \Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction
+
+Get the current list of attack surface reduction GUIDs from [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
+
+1. Open the **Configure Attack Surface Reduction** policy.
+2. Select **Enabled**.
+3. Select the **Show…** button.
+4. Add each GUID in the **Value Name** field with a Value of 2.
+
+This will set each up for audit only.
+
+
+
+
+
+Policy | Setting
+:---|:---
+Configure Controlled folder access| Enabled, Audit Mode
+
+
+
## Offboard devices using Group Policy
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
index b06ae2ef0e..50e1369d5f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
@@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 12/06/2018
---
# Onboard Windows 10 devices using Mobile Device Management tools
@@ -51,6 +50,8 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh
>[!TIP]
> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md).
+
+
## Offboard and monitor devices using Mobile Device Management tools
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
index 5ad42ec668..4536ced3cc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
@@ -28,17 +28,24 @@ ms.date: 02/07/2020
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
-
+## Supported client operating systems
-## Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager current branch
+Based on the version of Configuration Manager you're running, the following client operating systems can be onboarded:
-Configuration Manager current branch has integrated support to configure and manage Microsoft Defender ATP on managed devices. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection).
+#### Configuration Manager version 1910 and prior
-
+- Clients computers running Windows 10, version 1607 and later
-## Onboard Windows 10 devices using earlier versions of System Center Configuration Manager
+#### Configuration Manager version 2002 and later
-You can use existing Configuration Manager functionality to create a policy to configure your devices. This action is supported in System Center 2012 R2 Configuration Manager.
+Starting in Configuration Manager version 2002, you can onboard the following operating systems:
+
+- Windows 8.1
+- Windows 10, version 1607 or later
+- Windows Server 2012 R2
+- Windows Server 2016
+- Windows Server 2016, version 1803 or later
+- Windows Server 2019
### Onboard devices using System Center Configuration Manager
@@ -50,7 +57,7 @@ You can use existing Configuration Manager functionality to create a policy to c
c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
- d. Click **Download package**, and save the .zip file.
+ d. Select **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
@@ -75,7 +82,11 @@ For more information, see [Configure Detection Methods in System Center 2012 R2
For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
-You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a device.
+>[!NOTE]
+>These configuration settings are typically done through Configuration Manager.
+
+You can set a compliance rule for configuration item in Configuration Manager to change the sample share setting on a device.
+
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted devices to make sure they’re complaint.
The configuration is set through the following registry key entry:
@@ -93,13 +104,49 @@ Possible values are:
The default value in case the registry key doesn’t exist is 1.
-For more information about System Center Configuration Manager Compliance see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
+For more information about System Center Configuration Manager Compliance, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
+## Other recommended configuration settings
+After onboarding devices to the service, it's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings.
+
+### Device collection configuration
+If you're using Endpoint Configuration Manager, version 2002 or later, you can choose to broaden the deployment to include servers or down-level clients.
+
+
+### Next generation protection configuration
+The following configuration settings are recommended:
+
+**Scan**
+- Scan removable storage devices such as USB drives: Yes
+
+**Real-time Protection**
+- Enable Behavioral Monitoring: Yes
+- Enable protection against Potentially Unwanted Applications at download and prior to installation: Yes
+
+**Cloud Protection Service**
+- Cloud Protection Service membership type: Advanced membership
+
+**Attack surface reduction**
+Configure all available rules to Audit.
+
+>[!NOTE]
+> Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections.
+
+
+**Network protection**
+Prior to enabling network protection in audit or block mode, ensure that you've installed the antimalware platform update, which can be obtained from the [support page](https://support.microsoft.com/en-us/help/4560203/windows-defender-anti-malware-platform-binaries-are-missing).
+
+
+**Controlled folder access**
+Enable the feature in audit mode for at least 30 days. After this period, review detections and create a list of applications that are allowed to write to protected directories.
+
+For more information, see [Evaluate controlled folder access](evaluate-controlled-folder-access.md).
+
## Offboard devices using Configuration Manager
-For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
@@ -118,7 +165,7 @@ If you use Microsoft Endpoint Configuration Manager current branch, see [Create
c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
- d. Click **Download package**, and save the .zip file.
+ d. Select **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
@@ -144,13 +191,13 @@ If you're using System Center 2012 R2 Configuration Manager, monitoring consists
1. In the Configuration Manager console, click **Monitoring** at the bottom of the navigation pane.
-2. Click **Overview** and then **Deployments**.
+2. Select **Overview** and then **Deployments**.
-3. Click on the deployment with the package name.
+3. Select on the deployment with the package name.
4. Review the status indicators under **Completion Statistics** and **Content Status**.
- If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
+ If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
index e8ace77542..32e7e448f6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
@@ -33,7 +33,7 @@ ms.date: 04/16/2020
Microsoft Defender ATP supports non-persistent VDI session onboarding.
>[!Note]
->To onboard non-persistent VDI sessions, VDI machines must be on Windows 10.
+>To onboard non-persistent VDI sessions, VDI devices must be on Windows 10.
>
>While other Windows versions might work, only Windows 10 is supported.
@@ -55,13 +55,13 @@ The following steps will guide you through onboarding VDI devices and will highl
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
- a. In the navigation pane, select **Settings** > **Onboarding**.
+ 1. In the navigation pane, select **Settings** > **Onboarding**.
- b. Select Windows 10 as the operating system.
+ 1. Select Windows 10 as the operating system.
- c. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
+ 1. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
- d. Click **Download package** and save the .zip file.
+ 1. Click **Download package** and save the .zip file.
2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`.
@@ -69,35 +69,39 @@ The following steps will guide you through onboarding VDI devices and will highl
>If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
3. The following step is only applicable if you're implementing a single entry for each device:
- **For single entry for each device**:
- a. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
+ **For single entry for each device**:
+
+ 1. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` and `WindowsDefenderATPOnboardingScript.cmd` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
- >[!NOTE]
- >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
+ > [!NOTE]
+ > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
- >[!NOTE]
- >Domain Group Policy may also be used for onboarding non-persistent VDI devices.
+ > [!NOTE]
+ > Domain Group Policy may also be used for onboarding non-persistent VDI devices.
5. Depending on the method you'd like to implement, follow the appropriate steps:
- **For single entry for each device**:
- Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`.
- **For multiple entries for each device**:
- Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
+ **For single entry for each device**:
+
+ Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`.
+
+ **For multiple entries for each device**:
+
+ Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
6. Test your solution:
- a. Create a pool with one device.
+ 1. Create a pool with one device.
- b. Logon to device.
+ 1. Logon to device.
- c. Logoff from device.
+ 1. Logoff from device.
- d. Logon to device with another user.
+ 1. Logon to device with another user.
- e. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.
- **For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center.
+ 1. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.
+ **For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center.
7. Click **Devices list** on the Navigation pane.
@@ -107,7 +111,7 @@ The following steps will guide you through onboarding VDI devices and will highl
As a best practice, we recommend using offline servicing tools to patch golden/master images.
For example, you can use the below commands to install an update while the image remains offline:
-```
+```console
DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"
DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"
DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit
@@ -124,15 +128,15 @@ If offline servicing is not a viable option for your non-persistent VDI environm
2. Ensure the sensor is stopped by running the command below in a CMD window:
- ```
- sc query sense
- ```
+ ```console
+ sc query sense
+ ```
3. Service the image as needed.
4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot:
- ```
+ ```console
PsExec.exe -s cmd.exe
cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"
del *.* /f /s /q
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
index bde1047764..867e457571 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
@@ -23,8 +23,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
+- [Microsoft 365 Endpoint data loss prevention (DLP)](/microsoft-365/compliance/endpoint-dlp-learn-about)
Devices in your organization must be configured so that the Microsoft Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
new file mode 100644
index 0000000000..b7c4bf19d6
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
@@ -0,0 +1,46 @@
+---
+title: Configure alert notifications that are sent to MSSPs
+description: Configure alert notifications that are sent to MSSPs
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Configure alert notifications that are sent to MSSPs
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+
+>[!NOTE]
+>This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
+
+After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
+
+
+For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
+
+
+These check boxes must be checked:
+- **Include organization name** - The customer name will be added to email notifications
+- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
+
+
+## Related topics
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
index 852f5ff3b8..98599b9d18 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
@@ -1,8 +1,6 @@
---
title: Configure managed security service provider support
-
description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
-
keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -17,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 09/03/2018
---
# Configure managed security service provider integration
@@ -67,249 +64,11 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.
This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
-## Grant the MSSP access to the portal
->[!NOTE]
-> These set of steps are directed towards the MSSP customer.
-> Access to the portal can only be done by the MSSP customer.
-
-As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center.
-
-
-Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality.
-
-You'll need to take the following 2 steps:
-- Add MSSP user to your tenant as a guest user
-
-- Grant MSSP user access to Microsoft Defender Security Center
-
-
-### Add MSSP user to your tenant as a guest user
-Add a user who is a member of the MSSP tenant to your tenant as a guest user.
-
-To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator).
-
-### Grant MSSP user access to Microsoft Defender Security Center
-Grant the guest user access and permissions to your Microsoft Defender Security Center tenant.
-
-Granting access to guest user is done the same way as granting access to a user who is a member of your tenant.
-
-If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md).
-
-If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md).
-
-
->[!NOTE]
->There is no difference between the Member user and Guest user roles from RBAC perspective.
-
-It is recommended that groups are created for MSSPs to make authorization access more manageable.
-
-As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups.
-
-
-## Access the Microsoft Defender Security Center MSSP customer portal
-
->[!NOTE]
->These set of steps are directed towards the MSSP.
-
-By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
-
-
-MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
-
-In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
-
-
-Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
-
-1. As an MSSP, login to Azure AD with your credentials.
-
-2. Switch directory to the MSSP customer's tenant.
-
-3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field.
-
-4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`.
-
-## Configure alert notifications that are sent to MSSPs
-
->[!NOTE]
->This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
-
-After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
-
-
-For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
-
-
-These check boxes must be checked:
-- **Include organization name** - The customer name will be added to email notifications
-- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
-
-
-## Fetch alerts from MSSP customer's tenant into the SIEM system
-
->[!NOTE]
->This action is taken by the MSSP.
-
-
-To fetch alerts into your SIEM system you'll need to take the following steps:
-
-Step 1: Create a third-party application
-
-Step 2: Get access and refresh tokens from your customer's tenant
-
-Step 3: allow your application on Microsoft Defender Security Center
-
-
-
-
-### Step 1: Create an application in Azure Active Directory (Azure AD)
-
-You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
-
-
-1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
-
-2. Select **Azure Active Directory** > **App registrations**.
-
-
-3. Click **New registration**.
-
-
-4. Specify the following values:
-
- - Name: \ SIEM MSSP Connector (replace Tenant_name with the tenant display name)
-
- - Supported account types: Account in this organizational directory only
- - Redirect URI: Select Web and type `https:///SiemMsspConnector`(replace with the tenant name)
-
-5. Click **Register**. The application is displayed in the list of applications you own.
-
-6. Select the application, then click **Overview**.
-
-7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.
-
-8. Select **Certificate & secrets** in the new application panel.
-
-9. Click **New client secret**.
-
-
- - Description: Enter a description for the key.
- - Expires: Select **In 1 year**
-
-
-10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.
-
-
-### Step 2: Get access and refresh tokens from your customer's tenant
-This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
-
-After providing your credentials, you'll need to grant consent to the application so that the application is provisioned in the customer's tenant.
-
-
-1. Create a new folder and name it: `MsspTokensAcquisition`.
-
-2. Download the [LoginBrowser.psm1 module](https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL/blob/master/Authorization%20Code%20Grant%20Flow/LoginBrowser.psm1) and save it in the `MsspTokensAcquisition` folder.
-
- >[!NOTE]
- >In line 30, replace `authorzationUrl` with `authorizationUrl`.
-
-3. Create a file with the following content and save it with the name `MsspTokensAcquisition.ps1` in the folder:
- ```
- param (
- [Parameter(Mandatory=$true)][string]$clientId,
- [Parameter(Mandatory=$true)][string]$secret,
- [Parameter(Mandatory=$true)][string]$tenantId
- )
- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-
- # Load our Login Browser Function
- Import-Module .\LoginBrowser.psm1
-
- # Configuration parameters
- $login = "https://login.microsoftonline.com"
- $redirectUri = "https://SiemMsspConnector"
- $resourceId = "https://graph.windows.net"
-
- Write-Host 'Prompt the user for his credentials, to get an authorization code'
- $authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f
- $login, $tenantId, $clientId, $redirectUri, $resourceId)
- Write-Host "authorzationUrl: $authorizationUrl"
-
- # Fake a proper endpoint for the Redirect URI
- $code = LoginBrowser $authorizationUrl $redirectUri
-
- # Acquire token using the authorization code
-
- $Body = @{
- grant_type = 'authorization_code'
- client_id = $clientId
- code = $code
- redirect_uri = $redirectUri
- resource = $resourceId
- client_secret = $secret
- }
-
- $tokenEndpoint = "$login/$tenantId/oauth2/token?"
- $Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
- $token = $Response.access_token
- $refreshToken= $Response.refresh_token
-
- Write-Host " ----------------------------------- TOKEN ---------------------------------- "
- Write-Host $token
-
- Write-Host " ----------------------------------- REFRESH TOKEN ---------------------------------- "
- Write-Host $refreshToken
- ```
-4. Open an elevated PowerShell command prompt in the `MsspTokensAcquisition` folder.
-
-5. Run the following command:
- `Set-ExecutionPolicy -ExecutionPolicy Bypass`
-
-6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId -secret -tenantId `
-
- - Replace \ with the **Application (client) ID** you got from the previous step.
- - Replace \ with the **Client Secret** you created from the previous step.
- - Replace \ with your customer's **Tenant ID**.
-
-
-7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
-
-8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
-
-
-### Step 3: Allow your application on Microsoft Defender Security Center
-You'll need to allow the application you created in Microsoft Defender Security Center.
-
-
-You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you.
-
-1. Go to `https://securitycenter.windows.com?tid=` (replace \ with the customer's tenant ID.
-
-2. Click **Settings** > **SIEM**.
-
-3. Select the **MSSP** tab.
-
-4. Enter the **Application ID** from the first step and your **Tenant ID**.
-
-5. Click **Authorize application**.
-
-
-You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
-
-
-- In the ArcSight configuration file / Splunk Authentication Properties file you will have to write your application key manually by settings the secret value.
-- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
-
-## Fetch alerts from MSSP customer's tenant using APIs
-
-For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).
-
## Related topics
-- [Use basic permissions to access the portal](basic-permissions.md)
-- [Manage portal access using RBAC](rbac.md)
-- [Pull alerts to your SIEM tools](configure-siem.md)
-- [Pull alerts using REST API](pull-alerts-using-rest-api.md)
-
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Configure alert notifications](configure-mssp-notifications.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
index 94f58cc685..18707f606c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@@ -102,19 +102,24 @@ See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/
## Enable access to Microsoft Defender ATP service URLs in the proxy server
-If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed below to the allowed domains list.
+If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.
+
+
+
+|**Item**|**Description**|
+|:-----|:-----|
+|[](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
+
+
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning.
> [!NOTE]
> settings-win.data.microsoft.com is only needed if you have Windows 10 devices running version 1803 or earlier.
+
+
+> [!NOTE]
> URLs that include v20 in them are only needed if you have Windows 10 devices running version 1803 or later. For example, ```us-v20.events.data.microsoft.com``` is needed for a Windows 10 device running version 1803 or later and onboarded to US Data Storage region.
- Service location | Microsoft.com DNS record
--|-
-Common URLs for all locations | ```crl.microsoft.com/pki/crl/*``` ```ctldl.windowsupdate.com``` ```www.microsoft.com/pkiops/*``` ```events.data.microsoft.com``` ```notify.windows.com``` ```settings-win.data.microsoft.com```
-European Union | ```eu.vortex-win.data.microsoft.com``` ```eu-v20.events.data.microsoft.com``` ```usseu1northprod.blob.core.windows.net``` ```usseu1westprod.blob.core.windows.net``` ```winatp-gw-neu.microsoft.com``` ```winatp-gw-weu.microsoft.com``` ```wseu1northprod.blob.core.windows.net``` ```wseu1westprod.blob.core.windows.net``` ```automatedirstrprdweu.blob.core.windows.net``` ```automatedirstrprdneu.blob.core.windows.net```
-United Kingdom | ```uk.vortex-win.data.microsoft.com``` ```uk-v20.events.data.microsoft.com``` ```ussuk1southprod.blob.core.windows.net``` ```ussuk1westprod.blob.core.windows.net``` ```winatp-gw-uks.microsoft.com``` ```winatp-gw-ukw.microsoft.com``` ```wsuk1southprod.blob.core.windows.net``` ```wsuk1westprod.blob.core.windows.net``` ```automatedirstrprduks.blob.core.windows.net``` ```automatedirstrprdukw.blob.core.windows.net```
-United States | ```us.vortex-win.data.microsoft.com``` ```ussus1eastprod.blob.core.windows.net``` ```ussus1westprod.blob.core.windows.net``` ```ussus2eastprod.blob.core.windows.net``` ```ussus2westprod.blob.core.windows.net``` ```ussus3eastprod.blob.core.windows.net``` ```ussus3westprod.blob.core.windows.net``` ```ussus4eastprod.blob.core.windows.net``` ```ussus4westprod.blob.core.windows.net``` ```us-v20.events.data.microsoft.com``` ```winatp-gw-cus.microsoft.com``` ```winatp-gw-eus.microsoft.com``` ```wsus1eastprod.blob.core.windows.net``` ```wsus1westprod.blob.core.windows.net``` ```wsus2eastprod.blob.core.windows.net``` ```wsus2westprod.blob.core.windows.net``` ```automatedirstrprdcus.blob.core.windows.net``` ```automatedirstrprdeus.blob.core.windows.net```
> [!NOTE]
> If you are using Microsoft Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Microsoft Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus
@@ -196,6 +201,9 @@ However, if the connectivity check results indicate a failure, an HTTP error is
> [!NOTE]
> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
+
+
+> [!NOTE]
> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 5066055f55..ed06fd8042 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -1,6 +1,6 @@
---
-title: Onboard servers to the Microsoft Defender ATP service
-description: Onboard servers so that they can send sensor data to the Microsoft Defender ATP sensor.
+title: Onboard Windows servers to the Microsoft Defender ATP service
+description: Onboard Windows servers so that they can send sensor data to the Microsoft Defender ATP sensor.
keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Onboard servers to the Microsoft Defender ATP service
+# Onboard Windows servers to the Microsoft Defender ATP service
**Applies to:**
@@ -34,7 +34,7 @@ ms.topic: article
Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.
-The service supports the onboarding of the following servers:
+The service supports the onboarding of the following Windows servers:
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
@@ -44,38 +44,41 @@ The service supports the onboarding of the following servers:
For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
+For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines).
-## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016
-There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP:
+## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016
-- **Option 1**: Onboard through Microsoft Defender Security Center
-- **Option 2**: Onboard through Azure Security Center
+You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Microsoft Defender ATP by using any of the following options:
+
+- **Option 1**: [Onboard through Microsoft Defender Security Center](#option-1-onboard-windows-servers-through-microsoft-defender-security-center)
+- **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center)
+- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later (only for Windows Server 2012 R2 and Windows Server 2016)](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later)
> [!NOTE]
-> Microsoft defender ATP standalone server license is required, per node, in order to onboard the server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
+> Microsoft defender ATP standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
-### Option 1: Onboard servers through Microsoft Defender Security Center
-You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center.
+### Option 1: Onboard Windows servers through Microsoft Defender Security Center
+Perform the following steps to onboard Windows servers through Microsoft Defender Security Center:
- For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix:
- - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+ - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
- In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
- - Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598)
+ - Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
- Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
- - For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
+ - For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
> [!NOTE]
> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
- - Turn on server monitoring from Microsoft Defender Security Center.
+ - [Turn on server monitoring from Microsoft Defender Security Center](#turn-on-server-monitoring-from-the-microsoft-defender-security-center-portal).
- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support.
- Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
+ Otherwise, [install and configure MMA to report sensor data to Microsoft Defender ATP](#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp). For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
> [!TIP]
> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
@@ -94,7 +97,7 @@ The following steps are required to enable this integration:
1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**.
-2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.
+2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system.
3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
@@ -104,52 +107,50 @@ The following steps are required to enable this integration:
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
-2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
+2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server:
- [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md).
-Once completed, you should see onboarded servers in the portal within an hour.
+Once completed, you should see onboarded Windows servers in the portal within an hour.
-### Configure server proxy and Internet connectivity settings
+### Configure Windows server proxy and Internet connectivity settings
- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway.
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
+### Option 2: Onboard Windows servers through Azure Security Center
+1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Device management** > **Onboarding**.
-
-### Option 2: Onboard servers through Azure Security Center
-1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**.
-
-2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.
+2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system.
3. Click **Onboard Servers in Azure Security Center**.
4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
+### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later
+You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection).
## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition
-To onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition, refer to the supported methods and versions below.
+You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods:
+
+- [Local script](configure-endpoints-script.md)
+- [Group Policy](configure-endpoints-gp.md)
+- [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
+- [System Center Configuration Manager 2012 / 2012 R2 1511 / 1602](configure-endpoints-sccm.md#onboard-devices-using-system-center-configuration-manager)
+- [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md)
> [!NOTE]
-> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
+> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
+> - A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune.
-Supported tools include:
-- Local script
-- Group Policy
-- Microsoft Endpoint Configuration Manager
-- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602
-- VDI onboarding scripts for non-persistent devices
+Support for Windows Server, provide deeper insight into activities happening on the Windows server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
-For more information, see [Onboard Windows 10 devices](configure-endpoints.md).
-
-Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
-
-1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md).
+1. Configure Microsoft Defender ATP onboarding settings on the Windows server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md).
2. If you're running a third-party antimalware solution, you'll need to apply the following Microsoft Defender AV passive mode settings. Verify that it was configured correctly:
@@ -174,10 +175,11 @@ Support for Windows Server, provide deeper insight into activities happening on
```sc.exe query Windefend```
If the result is 'The specified service does not exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
-
+
+ For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus).
## Integration with Azure Security Center
-Microsoft Defender ATP can integrate with Azure Security Center to provide a comprehensive server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
+Microsoft Defender ATP can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
The following capabilities are included in this integration:
- Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
@@ -185,31 +187,33 @@ The following capabilities are included in this integration:
> [!NOTE]
> Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016.
-- Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
+- Windows servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach.
> [!IMPORTANT]
-> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created (in the US for US users, in the EU for European and UK users).
+> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created (in the US for US users, in the EU for European and UK users).
+Data collected by Microsoft Defender ATP is stored in the geo-location of the tenant as identified during provisioning.
> - If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
-> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created and the Microsoft Defender ATP data is stored in Europe by default. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
+> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
+Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
-## Offboard servers
+## Offboard Windows servers
You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.
-For other server versions, you have two options to offboard servers from the service:
+For other Windows server versions, you have two options to offboard Windows servers from the service:
- Uninstall the MMA agent
- Remove the Microsoft Defender ATP workspace configuration
> [!NOTE]
-> Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.
+> Offboarding causes the Windows server to stop sending sensor data to the portal but data from the Windows server, including reference to any alerts it has had will be retained for up to 6 months.
-### Uninstall servers by uninstalling the MMA agent
-To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Microsoft Defender ATP.
+### Uninstall Windows servers by uninstalling the MMA agent
+To offboard the Windows server, you can uninstall the MMA agent from the Windows server or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the Windows server will no longer send sensor data to Microsoft Defender ATP.
For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
### Remove the Microsoft Defender ATP workspace configuration
-To offboard the server, you can use either of the following methods:
+To offboard the Windows server, you can use either of the following methods:
- Remove the Microsoft Defender ATP workspace configuration from the MMA agent
- Run a PowerShell command to remove the configuration
@@ -230,7 +234,7 @@ To offboard the server, you can use either of the following methods:
1. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system and get your Workspace ID:
- 
+ 
2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
@@ -242,7 +246,6 @@ To offboard the server, you can use either of the following methods:
# Reload the configuration and apply changes
$AgentCfg.ReloadConfiguration()
```
-
## Related topics
- [Onboard Windows 10 devices](configure-endpoints.md)
- [Onboard non-Windows devices](configure-endpoints-non-windows.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index 6efcb63fd5..d48749b987 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -3,13 +3,11 @@ title: Prevent ransomware and threats from encrypting and changing files
description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware from encrypting your files.
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: denisebmsft
ms.author: deniseb
audience: ITPro
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index 7481a4362e..6021933e52 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -1,7 +1,7 @@
---
-title: Create and manage custom detection rules in Microsoft Defender ATP
+title: Create custom detection rules in Microsoft Defender ATP
ms.reviewer:
-description: Learn how to create and manage custom detection rules based on advanced hunting queries
+description: Learn how to create custom detection rules based on advanced hunting queries
keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -18,22 +18,27 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-
-# Create and manage custom detection rules
+# Create custom detection rules
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
+Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
-> [!NOTE]
-> To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md).
-## Create a custom detection rule
-### 1. Prepare the query.
+## 1. Check required permissions
-In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
+To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
-#### Required columns in the query results
+## 2. Prepare the query
+
+In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
+
+>[!IMPORTANT]
+>To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
+
+
+### Required columns in the query results
To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device.
@@ -48,83 +53,60 @@ DeviceEvents
| where count_ > 5
```
-### 2. Create new rule and provide alert details.
+## 3. Create new rule and provide alert details
With the query in the query editor, select **Create detection rule** and specify the following alert details:
-- **Detection name** — name of the detection rule
-- **Frequency** — interval for running the query and taking action. [See additional guidance below](#rule-frequency)
-- **Alert title** — title displayed with alerts triggered by the rule
-- **Severity** — potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity)
-- **Category** — type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
-- **Description** — more information about the component or activity identified by the rule
-- **Recommended actions** — additional actions that responders might take in response to an alert
+- **Detection name**—name of the detection rule
+- **Frequency**—interval for running the query and taking action. [See additional guidance below](#rule-frequency)
+- **Alert title**—title displayed with alerts triggered by the rule
+- **Severity**—potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity)
+- **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
+- **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software
+- **Description**—more information about the component or activity identified by the rule
+- **Recommended actions**—additional actions that responders might take in response to an alert
For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
-#### Rule frequency
+### Rule frequency
When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
-- **Every 24 hours** — runs every 24 hours, checking data from the past 30 days
-- **Every 12 hours** — runs every 12 hours, checking data from the past 24 hours
-- **Every 3 hours** — runs every 3 hours, checking data from the past 6 hours
-- **Every hour** — runs hourly, checking data from the past 2 hours
+- **Every 24 hours**—runs every 24 hours, checking data from the past 30 days
+- **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours
+- **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours
+- **Every hour**—runs hourly, checking data from the past 2 hours
Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
-### 3. Specify actions on files or devices.
+## 4. Specify actions on files or devices
Your custom detection rule can automatically take actions on files or devices that are returned by the query.
-#### Actions on devices
+### Actions on devices
These actions are applied to devices in the `DeviceId` column of the query results:
-- **Isolate device** — applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
-- **Collect investigation package** — collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
-- **Run antivirus scan** — performs a full Microsoft Defender Antivirus scan on the device
-- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the device
+- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
+- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
+- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device
+- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device
-#### Actions on files
+### Actions on files
These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
-- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
-- **Quarantine file** — deletes the file from its current location and places a copy in quarantine
+- **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
+- **Quarantine file**—deletes the file from its current location and places a copy in quarantine
-### 4. Click **Create** to save and turn on the rule.
-After reviewing the rule, click **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
+## 5. Set the rule scope
+Set the scope to specify which devices are covered by the rule:
-## Manage existing custom detection rules
-In **Settings** > **Custom detections**, you can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
+- All devices
+- Specific device groups
-### View existing rules
+Only data from devices in scope will be queried. Also, actions will be taken only on those devices.
-To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information:
+## 6. Review and turn on the rule
+After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
-- **Last run** — when a rule was last run to check for query matches and generate alerts
-- **Last run status** — whether a rule ran successfully
-- **Next run** — the next scheduled run
-- **Status** — whether a rule has been turned on or off
-### View rule details, modify rule, and run rule
-
-To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. This opens a page about the custom detection rule with the following information:
-
-- General information about the rule, including the details of the alert, run status, and scope
-- List of triggered alerts
-- List of triggered actions
-
-
-*Custom detection rule page*
-
-You can also take the following actions on the rule from this page:
-
-- **Run** — run the rule immediately. This also resets the interval for the next run.
-- **Edit** — modify the rule without changing the query
-- **Modify query** — edit the query in advanced hunting
-- **Turn on** / **Turn off** — enable the rule or stop it from running
-- **Delete** — turn off the rule and remove it
-
->[!TIP]
->To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
-
-## Related topic
+## Related topics
+- [View and manage detection rules](custom-detections-manage.md)
- [Custom detections overview](overview-custom-detections.md)
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the advanced hunting query language](advanced-hunting-query-language.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md
new file mode 100644
index 0000000000..bae067bcec
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md
@@ -0,0 +1,67 @@
+---
+title: View and manage custom detection rules in Microsoft Defender ATP
+ms.reviewer:
+description: Learn how to view and manage custom detection rules
+keywords: custom detections, view, manage, alerts, edit, run on demand, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+
+# View and manage custom detection rules
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions. Explore how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
+
+## Required permissions
+
+To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+
+## View existing rules
+
+To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information:
+
+- **Last run**—when a rule was last run to check for query matches and generate alerts
+- **Last run status**—whether a rule ran successfully
+- **Next run**—the next scheduled run
+- **Status**—whether a rule has been turned on or off
+
+## View rule details, modify rule, and run rule
+
+To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. A page about the selected rule displays the following information:
+
+- General information about the rule, including the details of the alert, run status, and scope
+- List of triggered alerts
+- List of triggered actions
+
+
+*Custom detection rule page*
+
+You can also take the following actions on the rule from this page:
+
+- **Run**—run the rule immediately. This action also resets the interval for the next run.
+- **Edit**—modify the rule without changing the query
+- **Modify query**—edit the query in advanced hunting
+- **Turn on** / **Turn off**—enable the rule or stop it from running
+- **Delete**—turn off the rule and remove it
+
+>[!TIP]
+>To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
+
+## Related topics
+- [Custom detections overview](overview-custom-detections.md)
+- [Create detection rules](custom-detection-rules.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [View and organize alerts](alerts-queue.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
index a7c6223e18..8a8bf44962 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
@@ -1,18 +1,15 @@
---
-title: Configure how attack surface reduction rules work to fine-tune protection in your network
-description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
+title: Customize attack surface reduction rules
+description: Individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from attack surface reduction rules
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/20/2020
ms.reviewer:
manager: dansimp
---
@@ -35,21 +32,21 @@ You can set attack surface reduction rules for devices running any of the follow
- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
+You can use Group Policy, PowerShell, and Mobile Device Management (MDM) configuration service providers (CSP) to configure these settings.
## Exclude files and folders
-You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running.
+You can choose to exclude files and folders from being evaluated by attack surface reduction rules. Once excluded, the file won't be blocked from running even if an attack surface reduction rule detects that the file contains malicious behavior.
> [!WARNING]
> This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
-An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to a specific rule.
+An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource. However, you cannot limit an exclusion to a specific rule.
An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
-If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode to test the rule](evaluate-attack-surface-reduction.md).
+Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+If you are encountering problems with rules detecting files that you believe should not be detected, [use audit mode to test the rule](evaluate-attack-surface-reduction.md).
Rule description | GUID
-|-|-
@@ -73,20 +70,20 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail
### Use Group Policy to exclude files and folders
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
-4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
+4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
> [!WARNING]
> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
### Use PowerShell to exclude files and folders
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
@@ -104,7 +101,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusio
## Customize the notification
-See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+You can customize the notification for when a rule is triggered and blocks an app or file. See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) article.
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
index 6a0da83f4f..0659908d5c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
@@ -1,18 +1,15 @@
---
-title: Add additional folders and apps to be protected
-description: Add additional folders that should be protected by Controlled folder access, or allow apps that are incorrectly blocking changes to important files.
+title: Customize controlled folder access
+description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files.
keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/13/2019
ms.reviewer:
manager: dansimp
---
@@ -23,9 +20,9 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
+Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients.
-This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
+This article describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs).
* [Add additional folders to be protected](#protect-additional-folders)
* [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders)
@@ -37,11 +34,9 @@ This topic describes how to customize the following settings of the controlled f
## Protect additional folders
-Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
+Controlled folder access applies to a number of system folders and default locations, such as Documents, Pictures, Movies, and Desktop. You can add additional folders to be protected, but you can't remove the default folders in the default list.
-You can add additional folders to be protected, but you cannot remove the default folders in the default list.
-
-Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
+Adding other folders to controlled folder access can be useful. Some use-cases include if you don't store files in the default Windows libraries, or you've changed the location of the libraries away from the defaults.
You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
@@ -49,27 +44,27 @@ You can use the Windows Security app or Group Policy to add and remove additiona
### Use the Windows Security app to protect additional folders
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**:
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**.
-3. Under the **Controlled folder access** section, click **Protected folders**
+3. Under the **Controlled folder access** section, select **Protected folders**.
-4. Click **Add a protected folder** and follow the prompts to add apps.
+4. Select **Add a protected folder** and follow the prompts to add apps.
### Use Group Policy to protect additional folders
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
-4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder.
+4. Double-click **Configured protected folders** and set the option to **Enabled**. Select **Show** and enter each folder.
### Use PowerShell to protect additional folders
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
@@ -89,41 +84,41 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m
## Allow specific apps to make changes to controlled folders
-You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature.
+You can specify if certain apps are always considered safe and give write access to files in protected folders. Allowing apps can be useful if a particular app you know and trust is being blocked by the controlled folder access feature.
> [!IMPORTANT]
> By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
> You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
-When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access.
+When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders. If the app (with the same name) is in a different location, it will not be added to the allow list and may be blocked by controlled folder access.
-An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
+An allowed application or service only has write access to a controlled folder after it starts. For example, an update service will continue to trigger events after it's allowed until it is stopped and restarted.
### Use the Windows Defender Security app to allow specific apps
-1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security by selecting the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**.
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**.
-3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**
+3. Under the **Controlled folder access** section, select **Allow an app through Controlled folder access**
-4. Click **Add an allowed app** and follow the prompts to add apps.
+4. Select **Add an allowed app** and follow the prompts to add apps.
### Use Group Policy to allow specific apps
-1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
-4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
+4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Select **Show** and enter each app.
### Use PowerShell to allow specific apps
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
@@ -149,7 +144,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications]
## Customize the notification
-See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center).
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
index 13358eb288..55552af86b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
@@ -1,18 +1,15 @@
---
-title: Enable or disable specific mitigations used by Exploit protection
+title: Customize exploit protection
keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr
-description: You can enable individual mitigations using the Windows Security app or PowerShell. You can also audit mitigations and export configurations.
+description: You can enable or disable specific mitigations used by exploit protection using the Windows Security app or PowerShell. You can also audit mitigations and export configurations.
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 03/26/2019
ms.reviewer:
manager: dansimp
---
@@ -25,11 +22,11 @@ manager: dansimp
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
-You configure these settings using the Windows Security app on an individual device, and then export the configuration as an XML file that you can deploy to other devices. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
+Configure these settings using the Windows Security app on an individual device. Then, export the configuration as an XML file so you can deploy to other devices. Use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
-This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
+This article lists each of the mitigations available in exploit protection. It indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
-It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
+It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating, exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
> [!WARNING]
> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network.
@@ -38,20 +35,20 @@ It also describes how to enable or configure the mitigations using Windows Secur
All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
-You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table.
+You can set each of the mitigations on, off, or to their default value. Some mitigations have additional options that are indicated in the description in the table.
Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On".
The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults.
-For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
+For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this article.
Mitigation | Description | Can be applied to | Audit mode available
-|-|-|-
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
-Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
@@ -61,14 +58,14 @@ Block untrusted fonts | Prevents loading any GDI-based fonts not installed in th
Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Don't allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
> [!IMPORTANT]
> If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
@@ -107,9 +104,9 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
### Configure system-level mitigations with the Windows Security app
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
+2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**.
3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
* **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
@@ -125,14 +122,14 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
5. Go to the **Program settings** section and choose the app you want to apply mitigations to:
- 1. If the app you want to configure is already listed, click it and then click **Edit**
- 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
+ 1. If the app you want to configure is already listed, select it and then select **Edit**
+ 2. If the app isn't listed, at the top of the list select **Add program to customize** and then choose how you want to add the app:
* Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
* Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
+6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, select the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
-7. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
+7. Repeat these steps for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations.
@@ -204,7 +201,7 @@ Where:
You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below.
- For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command:
+ For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used previously, you'd use the following command:
```PowerShell
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
@@ -250,9 +247,9 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu
## Customize the notification
-See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center).
-## Related topics
+## See also
* [Protect devices from exploits](exploit-protection.md)
* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
index 5daf2b2aa2..3a379ea946 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
@@ -12,7 +12,10 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- M365-security-compliance
+- m365solution-endpointprotect
+- m365solution-overview
ms.topic: article
---
@@ -38,13 +41,15 @@ There are several methods you can use to onboard to the service. For information
## In Scope
The following is in scope for this deployment guide:
+
- Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service
+
- Enabling Microsoft Defender ATP endpoint protection platform (EPP)
capabilities
- - Next Generation Protection
+ - Next-generation protection
- - Attack Surface Reduction
+ - Attack surface reduction
- Enabling Microsoft Defender ATP endpoint detection and response (EDR)
capabilities including automatic investigation and remediation
diff --git a/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md b/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md
new file mode 100644
index 0000000000..f972394dc4
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md
@@ -0,0 +1,45 @@
+---
+title: Microsoft Defender ATP device timeline event flags
+description: Use Microsoft Defender ATP device timeline event flags to
+keywords: Defender ATP device timeline, event flags
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Microsoft Defender ATP device timeline event flags
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Event flags in the Microsoft Defender ATP device timeline help you filter and organize specific events when you're investigate potential attacks.
+
+The Microsoft Defender ATP device timeline provides a chronological view of the events and associated alerts observed on a device. This list of events provides full visibility into any events, files, and IP addresses observed on the device. The list can sometimes be lengthy. Device timeline event flags help you track events that could be related.
+
+After you've gone through a device timeline, you can sort, filter, and export the specific events that you flagged.
+
+While navigating the device timeline, you can search and filter for specific events. You can set event flags by:
+
+- Highlighting the most important events
+- Marking events that requires deep dive
+- Building a clean breach timeline
+
+
+
+## Flag an event
+1. Find the event that you want to flag
+2. Click the flag icon in the Flag column.
+
+
+## View flagged events
+1. In the timeline **Filters** section, enable **Flagged events**.
+2. Click **Apply**. Only flagged events are displayed.
+You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx
new file mode 100644
index 0000000000..84b5f2a664
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
index 65f8212bc5..12436534f1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
@@ -29,7 +29,7 @@ ms.collection:
When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
> [!NOTE]
-> EDR in block mode is currently in preview. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
+> EDR in block mode is currently in private preview. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
## What happens when something is detected?
@@ -66,7 +66,7 @@ The following image shows an instance of unwanted software that was detected and
|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
> [!IMPORTANT]
-> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features.
+> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your exclusions are defined.
## Frequently asked questions
diff --git a/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md
deleted file mode 100644
index 040f644860..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md
+++ /dev/null
@@ -1,87 +0,0 @@
----
-title: Compare the features in Exploit protection with EMET
-keywords: emet, enhanced mitigation experience toolkit, configuration, exploit, compare, difference between, versus, upgrade, convert
-description: Exploit protection in Microsoft Defender ATP is our successor to Enhanced Mitigation Experience Toolkit (EMET) and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: levinec
-ms.author: ellevin
-ms.date: 08/08/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender
-
-**Applies to:**
-
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> [!IMPORTANT]
-> If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP.
->
-> You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
-
-This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Microsoft Defender ATP.
-
-Exploit protection in Microsoft Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
-
-EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques.
-
-After July 31, 2018, it will not be supported.
-
-For more information about the individual features and mitigations available in Microsoft Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:
-
-* [Protect devices from exploits](exploit-protection.md)
-* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-
-## Mitigation comparison
-
-The mitigations available in EMET are included in Windows Defender, under the [exploit protection feature](exploit-protection.md).
-
-The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection.
-
-Mitigation | Available in Windows Defender | Available in EMET
--|-|-
-Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] As "Memory Protection Check"
-Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] As "Load Library Check"
-Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)] Included natively in Windows 10 See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-
-> [!NOTE]
-> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender as part of enabling the anti-ROP mitigations for a process.
->
-> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
-
-## Related topics
-
-* [Protect devices from exploits with Windows Defender](exploit-protection.md)
-* [Evaluate exploit protection](evaluate-exploit-protection.md)
-* [Enable exploit protection](enable-exploit-protection.md)
-* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index 2506f2934b..a2eb19043d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -1,9 +1,8 @@
---
-title: Enable attack surface reduction rules individually to protect your organization
+title: Enable attack surface reduction rules
description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques.
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -12,7 +11,6 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 06/04/2020
ms.reviewer:
manager: dansimp
---
@@ -69,11 +67,11 @@ The following procedures for enabling ASR rules include instructions for how to
2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
-3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:
+3. Under **Attack Surface Reduction exceptions**, enter individual files and folders. You can also select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:
`C:\folder`, `%ProgramFiles%\folder\file`, `C:\path`
-4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
+4. Select **OK** on the three configuration panes. Then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
## MDM
@@ -104,32 +102,32 @@ Example:
## Microsoft Endpoint Configuration Manager
-1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-2. Click **Home** > **Create Exploit Guard Policy**.
+2. Select **Home** > **Create Exploit Guard Policy**.
-3. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
+3. Enter a name and a description, select **Attack Surface Reduction**, and select **Next**.
-4. Choose which rules will block or audit actions and click **Next**.
+4. Choose which rules will block or audit actions and select **Next**.
-5. Review the settings and click **Next** to create the policy.
+5. Review the settings and select **Next** to create the policy.
-6. After the policy is created, click **Close**.
+6. After the policy is created, **Close**.
## Group Policy
> [!WARNING]
> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section.
- Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
+ Select **Show...** and enter the rule ID in the **Value name** column and your chosen state in the **Value** column as follows:
- Disable = 0
- Block (enable ASR rule) = 1
@@ -137,7 +135,7 @@ Example:
-5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
+5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
> [!WARNING]
> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
@@ -147,7 +145,7 @@ Example:
> [!WARNING]
> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
2. Enter the following cmdlet:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
index 1fe945f148..8c811f809d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
@@ -1,9 +1,8 @@
---
-title: Turn on the protected folders feature in Windows 10
+title: Enable controlled folder access
keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use
description: Learn how to protect your important files by enabling Controlled folder access
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -12,7 +11,6 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/13/2019
ms.reviewer:
manager: dansimp
---
@@ -29,7 +27,7 @@ You can enable controlled folder access by using any of these methods:
* [Windows Security app](#windows-security-app)
* [Microsoft Intune](#intune)
-* [Mobile Device Management (MDM)](#mdm)
+* [Mobile Device Management (MDM)](#mobile-device-management-mdm)
* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
* [Group Policy](#group-policy)
* [PowerShell](#powershell)
@@ -45,64 +43,70 @@ For more information about disabling local list merging, see [Prevent or allow u
## Windows Security app
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by selecting the shield icon in the task bar. You can also search the start menu for **Defender**.
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**.
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**.
3. Set the switch for **Controlled folder access** to **On**.
> [!NOTE]
> If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
> If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
-
> If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive.
## Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-1. Click **Device configuration** > **Profiles** > **Create profile**.
-1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
- 
-1. Click **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**.
-1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.
- 
+2. Go to **Device configuration** > **Profiles** > **Create profile**.
+
+3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. 
+
+4. Go to **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**.
+
+5. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection. Select **Add**. 
> [!NOTE]
> Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
-1. Click **OK** to save each open blade and click **Create**.
-1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
+6. Select **OK** to save each open blade and **Create**.
-## MDM
+7. Select the profile **Assignments**, assign to **All Users & All Devices**, and **Save**.
+
+## Mobile Device Management (MDM)
Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Microsoft Endpoint Configuration Manager
-1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-2. Click **Home** > **Create Exploit Guard Policy**.
-3. Enter a name and a description, click **Controlled folder access**, and click **Next**.
-4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.
+1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+
+2. Select **Home** > **Create Exploit Guard Policy**.
+
+3. Enter a name and a description, select **Controlled folder access**, and select **Next**.
+
+4. Choose whether block or audit changes, allow other apps, or add other folders, and select **Next**.
> [!NOTE]
> Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
-5. Review the settings and click **Next** to create the policy.
-6. After the policy is created, click **Close**.
+
+5. Review the settings and select **Next** to create the policy.
+
+6. After the policy is created, **Close**.
## Group Policy
-1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
-4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
- * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
- * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
+4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following options:
+ * **Enable** - Malicious and suspicious apps won't be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
+ * **Disable (Default)** - The Controlled folder access feature won't work. All apps can make changes to files in protected folders.
+ * **Audit Mode** - Changes will be allowed if a malicious or suspicious app attempts to make a change to a file in a protected folder. However, it will be recorded in the Windows event log where you can assess the impact on your organization.
* **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123.
- * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders will not be recorded.
+ * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders won't be recorded.
@@ -111,7 +115,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
## PowerShell
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
2. Enter the following cmdlet:
@@ -121,9 +125,9 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
You can enable the feature in audit mode by specifying `AuditMode` instead of `Enabled`.
-Use `Disabled` to turn the feature off.
+Use `Disabled` to turn off the feature.
-## Related topics
+## See also
* [Protect important folders with controlled folder access](controlled-folders.md)
* [Customize controlled folder access](customize-controlled-folders.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
index b0cad379e8..c611445181 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
@@ -3,16 +3,13 @@ title: Turn on exploit protection to help mitigate against attacks
keywords: exploit, mitigation, attacks, vulnerability
description: Learn how to enable exploit protection in Windows 10. Exploit protection helps protect your device against malware.
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
-ms.date: 01/08/2020
ms.reviewer:
manager: dansimp
---
@@ -108,13 +105,18 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab
## Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
+
2. Click **Device configuration** > **Profiles** > **Create profile**.
-3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
- 
+
+3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
+ 
+
4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
-5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
- 
+
+5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: 
+
6. Click **OK** to save each open blade and click **Create**.
+
7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
## MDM
@@ -124,19 +126,26 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt
## Microsoft Endpoint Configuration Manager
1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-1. Click **Home** > **Create Exploit Guard Policy**.
-1. Enter a name and a description, click **Exploit protection**, and click **Next**.
-1. Browse to the location of the exploit protection XML file and click **Next**.
-1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**.
+
+2. Click **Home** > **Create Exploit Guard Policy**.
+
+3. Enter a name and a description, click **Exploit protection**, and click **Next**.
+
+4. Browse to the location of the exploit protection XML file and click **Next**.
+
+5. Review the settings and click **Next** to create the policy.
+
+6. After the policy is created, click **Close**.
## Group Policy
1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
-3. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
+
+4. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
## PowerShell
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
index 298ace459d..e737eb44d7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
@@ -1,19 +1,16 @@
---
-title: Turn on network protection
-description: Enable Network protection with Group Policy, PowerShell, or MDM CSPs
+title: Turning on network protection
+description: Enable Network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager
keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: levinec
ms.author: ellevin
ms.reviewer:
-audience: ITPro
manager: dansimp
---
@@ -23,12 +20,11 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
-You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.
+[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it.
## Check if network protection is enabled
-You can see if network protection has been enabled on a local device by using Registry editor.
+Check if network protection has been enabled on a local device by using Registry editor.
1. Select the **Start** button in the task bar and type **regedit** to open Registry editor
1. Choose **HKEY_LOCAL_MACHINE** from the side menu
@@ -41,87 +37,101 @@ You can see if network protection has been enabled on a local device by using Re
## Enable network protection
-You can enable network protection by using any of these methods:
+Enable network protection by using any of these methods:
* [PowerShell](#powershell)
* [Microsoft Intune](#intune)
-* [Mobile Device Management (MDM)](#mdm)
+* [Mobile Device Management (MDM)](#mobile-device-management-mmd)
* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
* [Group Policy](#group-policy)
### PowerShell
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Set-MpPreference -EnableNetworkProtection Enabled
```
-You can enable the feature in audit mode using the following cmdlet:
+3. Optional: Enable the feature in audit mode using the following cmdlet:
-```PowerShell
-Set-MpPreference -EnableNetworkProtection AuditMode
-```
+ ```PowerShell
+ Set-MpPreference -EnableNetworkProtection AuditMode
+ ```
-Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off.
+ Use `Disabled` instead of `AuditMode` or `Enabled` to turn off the feature.
### Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-1. Click **Device configuration** > **Profiles** > **Create profile**.
-1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
- 
-1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
- 
-1. Click **OK** to save each open blade and click **Create**.
-1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
-### MDM
+2. Go to **Device configuration** > **Profiles** > **Create profile**.
+
+3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
+
+ 
+
+4. Select **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
+
+ 
+
+5. Select **OK** to save each open section and **Create**.
+
+6. Select the profile called **Assignments**, assign to **All Users & All Devices**, and **Save**.
+
+### Mobile Device Management (MMD)
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
## Microsoft Endpoint Configuration Manager
-1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-1. Click **Home** > **Create Exploit Guard Policy**.
-1. Enter a name and a description, click **Network protection**, and click **Next**.
-1. Choose whether to block or audit access to suspicious domains and click **Next**.
-1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**.
+1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+
+2. Then go to **Home** > **Create Exploit Guard Policy**.
+
+3. Enter a name and a description, select **Network protection**, and then **Next**.
+
+4. Choose whether to block or audit access to suspicious domains and select **Next**.
+
+5. Review the settings and select **Next** to create the policy.
+
+6. After the policy is created, **Close**.
### Group Policy
-You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer.
+Use the following procedure to enable network protection on domain-joined computers or on a standalone computer.
-1. On a standalone computer, click **Start**, type and then click **Edit group policy**.
+1. On a standalone computer, go to **Start** and then type and select **Edit group policy**.
*-Or-*
- On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+ On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
-4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following:
- * **Block** - Users will not be able to access malicious IP addresses and domains
- * **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains
- * **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address.
+4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options:
+ * **Block** - Users can't access malicious IP addresses and domains
+ * **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains
+ * **Audit Mode** - If a user visits a malicious IP address or domain, an event won't be recorded in the Windows event log. However, the user won't be blocked from visiting the address.
> [!IMPORTANT]
> To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
-You can confirm network protection is enabled on a local computer by using Registry editor:
+Confirm network protection is enabled on a local computer by using Registry editor:
+
+1. Select **Start** and type **regedit** to open **Registry Editor**.
-1. Click **Start** and type **regedit** to open **Registry Editor**.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
-3. Click **EnableNetworkProtection** and confirm the value:
+
+3. Select **EnableNetworkProtection** and confirm the value:
* 0=Off
* 1=On
* 2=Audit
-## Related topics
+## See also
* [Network protection](network-protection.md)
* [Evaluate network protection](evaluate-network-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md
deleted file mode 100644
index 76c04110e7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Enable Secure Score in Microsoft Defender ATP
-description: Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard.
-keywords: enable secure score, baseline, calculation, analytics, score, secure score dashboard, dashboard
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Enable Secure Score security controls
-
-**Applies to:**
-
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
-Set the baselines for calculating the score of security controls on the Secure Score dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations.
-
- >[!NOTE]
- >Changes might take up to a few hours to reflect on the dashboard.
-
-1. In the navigation pane, select **Settings** > **Secure Score**.
-
-2. Select the security control, then toggle the setting between **On** and **Off**.
-
-3. Click **Save preferences**.
-
-## Related topics
-- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
-- [Update data retention settings for Microsoft Defender ATP](data-retention-settings.md)
-- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md)
-- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
-- [Configure advanced features in Microsoft Defender ATP](advanced-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
index bbcbd77dcc..e78e648ca5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
@@ -37,7 +37,7 @@ These capabilities help prevent attacks and exploitations from infecting your or
- [Evaluate application guard](../microsoft-defender-application-guard/test-scenarios-md-app-guard.md)
- [Evaluate network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
-## Evaluate next generation protection
+## Evaluate next-generation protection
Next gen protections help detect and block the latest threats.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
index 980238995f..32432b5025 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
@@ -1,18 +1,15 @@
---
-title: Use a demo to see how ASR rules can help protect your devices
-description: The custom demo tool lets you create sample malware infection scenarios so you can see how ASR would block and prevent attacks
+title: Evaluate attack surface reduction rules
+description: See how attack surface reduction would block and prevent attacks with the custom demo tool.
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/20/2020
ms.reviewer:
manager: dansimp
---
@@ -23,22 +20,21 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
+Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. Set attack surface reduction rules for devices running any of the following editions and versions of Windows:
+
- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-Learn how to evaluate attack surface reduction rules, by enabling audit mode to test the feature directly in your organization.
+Learn how to evaluate attack surface reduction rules by enabling audit mode to test the feature directly in your organization.
> [!TIP]
-> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+> You can also visit the Microsoft Defender ATP demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
## Use audit mode to measure impact
-You can enable attack surface reduction rules in audit mode. This lets you see a record of what apps would have been blocked if you had enabled attack surface reduction rules.
-
-You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use.
+Enable attack surface reduction rules in audit mode to view a record of apps that would have been blocked if the feature was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how often the rules will fire during normal use.
To enable all attack surface reduction rules in audit mode, use the following PowerShell cmdlet:
@@ -49,13 +45,13 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
> [!TIP]
> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s).
-You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md).
+You can also use Group Policy, Intune, or mobile device management (MDM) configuration service providers (CSPs) to configure and deploy the setting. Learn more in the main [Attack surface reduction rules](attack-surface-reduction.md) article.
## Review attack surface reduction events in Windows Event Viewer
To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events.
- Event ID | Description
+Event ID | Description
-|-
5007 | Event when settings are changed
1121 | Event when an attack surface reduction rule fires in block mode
@@ -65,9 +61,9 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev
During your evaluation, you may wish to configure each rule individually or exclude certain files and processes from being evaluated by the feature.
-See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
+See [Customize attack surface reduction rules](customize-attack-surface-reduction.md) for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
-## Related topics
+## See also
* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
* [Use audit mode to evaluate Windows Defender](audit-windows-defender.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
index ae0a15fe7f..1df853c6ba 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
@@ -1,18 +1,15 @@
---
-title: See how controlled folder access can help protect files from being changed by malicious apps
-description: Use a custom tool to see how Controlled folder access works in Windows 10.
+title: Evaluate controlled folder access
+description: See how controlled folder access can help protect files from being changed by malicious apps.
keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 11/16/2018
ms.reviewer:
manager: dansimp
---
@@ -23,20 +20,18 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
+[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients.
-It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
+It is especially useful in helping protect against [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that attempts to encrypt your files and hold them hostage.
-This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.
+This article helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.
> [!TIP]
-> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+> You can also visit the Microsoft Defender ATP demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
## Use audit mode to measure impact
-You can enable the controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting.
-
-You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
+Enable the controlled folder access in audit mode to see a record of what *would* have happened if it was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how many suspicious file modification attempts generally occur over a certain period of time.
To enable audit mode, use the following PowerShell cmdlet:
@@ -46,7 +41,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode
> [!TIP]
> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s).
-You can also use Group Policy, Intune, MDM, or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md).
+You can also use Group Policy, Intune, mobile device management (MDM), or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md).
## Review controlled folder access events in Windows Event Viewer
@@ -65,9 +60,9 @@ Event ID | Description
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
-See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
+See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM configuration service providers (CSPs).
-## Related topics
+## See also
* [Protect important folders with controlled folder access](controlled-folders.md)
* [Evaluate Microsoft Defender ATP]../(microsoft-defender-atp/evaluate-atp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
index d0ad0448da..dabee673ee 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
@@ -3,7 +3,6 @@ title: See how exploit protection works in a demo
description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps.
keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
index 6e3840831e..1e08e42942 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
@@ -1,18 +1,15 @@
---
-title: Conduct a demo to see how network protection works
-description: Quickly see how Network protection works by performing common scenarios that it protects against
+title: Evaluate network protection
+description: See how network protection works by testing common scenarios that it protects against.
keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/10/2019
ms.reviewer:
manager: dansimp
---
@@ -25,18 +22,16 @@ manager: dansimp
[Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
-This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain.
+This article helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The sites in this evaluation article aren't malicious. They're specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain.
> [!TIP]
> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work.
## Enable network protection in audit mode
-You can enable network protection in audit mode to see which IP addresses and domains would have been blocked if it was enabled.
+Enable network protection in audit mode to see which IP addresses and domains would have been blocked. You can make sure it doesn't affect line-of-business apps, or get an idea of how often blocks occur.
-You might want to do this to make sure it doesn't affect line-of-business apps or to get an idea of how often blocks occur.
-
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
@@ -63,7 +58,7 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev
|1125 | Windows Defender (Operational) | Event when a network connection is audited |
|1126 | Windows Defender (Operational) | Event when a network connection is blocked |
-## Related topics
+## See also
* [Network protection](network-protection.md)
* [Enable network protection](enable-network-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index f85dc02558..dd21e36602 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -12,7 +12,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- M365-security-compliance
+- m365solution-evalutatemtp
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-views.md b/windows/security/threat-protection/microsoft-defender-atp/event-views.md
index 2fe08915a1..dc67d5ddd2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/event-views.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/event-views.md
@@ -1,20 +1,16 @@
---
-ms.reviewer:
-title: Import custom views to see attack surface reduction events
-description: Use Windows Event Viewer to import individual views for each of the features.
+title: View attack surface reduction events
+description: Import custom views to see attack surface reduction events.
keywords: event view, exploit guard, audit, review, events
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
-ms.date: 04/16/2018
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 03/26/2019
+ms.reviewer:
manager: dansimp
---
@@ -131,7 +127,7 @@ You can also manually navigate to the event area that corresponds to the feature
## List of attack surface reduction events
-All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
+All attack surface reduction events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
You can access these events in Windows Event viewer:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
index bab625f913..354df454ab 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@@ -3,7 +3,6 @@ title: Apply mitigations to help prevent attacks through vulnerabilities
keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
description: Protect devices against exploits with Windows 10. Windows 10 has advanced exploit protection capabilities, building upon and improving the settings available in Enhanced Mitigation Experience Toolkit (EMET).
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
index 908028109d..37e873ced5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@@ -29,98 +29,172 @@ Not all properties are filterable.
## Properties that supports $filter:
-- [Alert](alerts.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category.
-- [Machine](machine.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId.
-- [MachineAction](machineaction.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc.
+- [Alert](alerts.md): ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category```.
+- [Machine](machine.md): ```ComputerDnsName```, ```LastSeen```, ```HealthStatus```, ```OsPlatform```, ```RiskScore``` and ```RbacGroupId```.
+- [MachineAction](machineaction.md): ```Status```, ```MachineId```, ```Type```, ```Requestor``` and ```CreationDateTimeUtc```.
+- [Indicator](ti-indicator.md): ```indicatorValue```, ```indicatorType```, ```creationTimeDateTimeUtc```, ```createdBy```, ```severity ``` and ```action ```.
### Example 1
-Get all the devices with the tag 'ExampleTag'
+Get 10 latest Alerts with related Evidence
```
-HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
+HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
```
**Response:**
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [
- {
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
- "osPlatform": "Windows10",
- "version": "1709",
- "osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "Active",
- "rbacGroupId": 140,
- "rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "ExampleTag" ]
- },
- ...
- ]
+ {
+ "id": "da637306396589640224_1753239473",
+ "incidentId": 875832,
+ "investigationId": 478434,
+ "assignedTo": null,
+ "severity": "Low",
+ "status": "New",
+ "classification": null,
+ "determination": null,
+ "investigationState": "PendingApproval",
+ "detectionSource": "WindowsDefenderAv",
+ "category": "UnwantedSoftware",
+ "threatFamilyName": "InstallCore",
+ "title": "An active 'InstallCore' unwanted software was detected",
+ "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
+ "alertCreationTime": "2020-07-18T03:27:38.9483995Z",
+ "firstEventTime": "2020-07-18T03:25:39.6124549Z",
+ "lastEventTime": "2020-07-18T03:26:18.4362304Z",
+ "lastUpdateTime": "2020-07-18T03:28:19.76Z",
+ "resolvedTime": null,
+ "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
+ "computerDnsName": "temp2.redmond.corp.microsoft.com",
+ "rbacGroupName": "Ring0",
+ "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+ "relatedUser": {
+ "userName": "temp2",
+ "domainName": "REDMOND"
+ },
+ "comments": [],
+ "evidence": [
+ {
+ "entityType": "File",
+ "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+ "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+ "fileName": "Your File Is Ready To Download_1911150169.exe",
+ "filePath": "C:\\Users\\temp2\\Downloads",
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "ipAddress": null,
+ "url": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null
+ },
+ {
+ "entityType": "Process",
+ "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+ "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+ "fileName": "Your File Is Ready To Download_1911150169.exe",
+ "filePath": "C:\\Users\\temp2\\Downloads",
+ "processId": 24348,
+ "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
+ "processCreationTime": "2020-07-18T03:25:38.5269993Z",
+ "parentProcessId": 16840,
+ "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
+ "ipAddress": null,
+ "url": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null
+ },
+ {
+ "entityType": "User",
+ "sha1": null,
+ "sha256": null,
+ "fileName": null,
+ "filePath": null,
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "ipAddress": null,
+ "url": null,
+ "accountName": "temp2",
+ "domainName": "REDMOND",
+ "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
+ "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
+ "userPrincipalName": "temp2@microsoft.com"
+ }
+ ]
+ },
+ ...
+ ]
}
```
### Example 2
-Get all the alerts that created after 2018-10-20 00:00:00
+Get all the alerts last updated after 2019-10-20 00:00:00
```
-HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime+gt+2018-11-22T00:00:00Z
+HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z
```
**Response:**
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
- "id": "da637084217856368682_-292920499",
- "incidentId": 66860,
- "investigationId": 4416234,
- "investigationState": "Running",
- "assignedTo": "secop@contoso.com",
- "severity": "Low",
- "status": "New",
- "classification": "TruePositive",
- "determination": null,
- "detectionSource": "WindowsDefenderAtp",
- "category": "CommandAndControl",
- "threatFamilyName": null,
- "title": "Network connection to a risky host",
- "description": "A network connection was made to a risky host which has exhibited malicious activity.",
- "alertCreationTime": "2019-11-03T23:49:45.3823185Z",
- "firstEventTime": "2019-11-03T23:47:16.2288822Z",
- "lastEventTime": "2019-11-03T23:47:51.2966758Z",
- "lastUpdateTime": "2019-11-03T23:55:52.6Z",
- "resolvedTime": null,
- "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
+ "id": "da637308392288907382_-880718168",
+ "incidentId": 7587,
+ "investigationId": 723156,
+ "assignedTo": "secop123@contoso.com",
+ "severity": "Low",
+ "status": "New",
+ "classification": "TruePositive",
+ "determination": null,
+ "investigationState": "Queued",
+ "detectionSource": "WindowsDefenderAv",
+ "category": "SuspiciousActivity",
+ "threatFamilyName": "Meterpreter",
+ "title": "Suspicious 'Meterpreter' behavior was detected",
+ "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
+ "alertCreationTime": "2020-07-20T10:53:48.7657932Z",
+ "firstEventTime": "2020-07-20T10:52:17.6654369Z",
+ "lastEventTime": "2020-07-20T10:52:18.1362905Z",
+ "lastUpdateTime": "2020-07-20T10:53:50.19Z",
+ "resolvedTime": null,
+ "machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",
+ "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+ "rbacGroupName": "MiddleEast",
+ "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "relatedUser": {
+ "userName": "temp123",
+ "domainName": "MIDDLEEAST"
+ },
"comments": [
{
"comment": "test comment for docs",
- "createdBy": "secop@contoso.com",
- "createdTime": "2019-11-05T14:08:37.8404534Z"
+ "createdBy": "secop123@contoso.com",
+ "createdTime": "2020-07-21T01:00:37.8404534Z"
}
- ]
- },
- ...
- ]
+ ],
+ "evidence": []
+ }
+ ...
+ ]
}
```
@@ -134,9 +208,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+
**Response:**
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
@@ -175,9 +247,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStat
**Response:**
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
@@ -216,9 +286,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen g
**Response:**
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
@@ -257,10 +325,8 @@ HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requ
**Response:**
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
+```json
+json{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [
{
@@ -291,10 +357,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415
**Response:**
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-
+```json
4
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md
new file mode 100644
index 0000000000..f0ccb1577e
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md
@@ -0,0 +1,196 @@
+---
+title: Fetch alerts from MSSP customer tenant
+description: Learn how to fetch alerts from a customer tenant
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Fetch alerts from MSSP customer tenant
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+
+>[!NOTE]
+>This action is taken by the MSSP.
+
+
+There are two ways you can fetch alerts:
+- Using the SIEM method
+- Using APIs
+
+## Fetch alerts into your SIEM
+
+To fetch alerts into your SIEM system you'll need to take the following steps:
+
+Step 1: Create a third-party application
+
+Step 2: Get access and refresh tokens from your customer's tenant
+
+Step 3: allow your application on Microsoft Defender Security Center
+
+
+
+
+### Step 1: Create an application in Azure Active Directory (Azure AD)
+
+You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
+
+
+1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
+
+2. Select **Azure Active Directory** > **App registrations**.
+
+
+3. Click **New registration**.
+
+
+4. Specify the following values:
+
+ - Name: \ SIEM MSSP Connector (replace Tenant_name with the tenant display name)
+
+ - Supported account types: Account in this organizational directory only
+ - Redirect URI: Select Web and type `https:///SiemMsspConnector`(replace with the tenant name)
+
+5. Click **Register**. The application is displayed in the list of applications you own.
+
+6. Select the application, then click **Overview**.
+
+7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.
+
+8. Select **Certificate & secrets** in the new application panel.
+
+9. Click **New client secret**.
+
+
+ - Description: Enter a description for the key.
+ - Expires: Select **In 1 year**
+
+
+10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.
+
+
+### Step 2: Get access and refresh tokens from your customer's tenant
+This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
+
+After providing your credentials, you'll need to grant consent to the application so that the application is provisioned in the customer's tenant.
+
+
+1. Create a new folder and name it: `MsspTokensAcquisition`.
+
+2. Download the [LoginBrowser.psm1 module](https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL/blob/master/Authorization%20Code%20Grant%20Flow/LoginBrowser.psm1) and save it in the `MsspTokensAcquisition` folder.
+
+ >[!NOTE]
+ >In line 30, replace `authorzationUrl` with `authorizationUrl`.
+
+3. Create a file with the following content and save it with the name `MsspTokensAcquisition.ps1` in the folder:
+ ```
+ param (
+ [Parameter(Mandatory=$true)][string]$clientId,
+ [Parameter(Mandatory=$true)][string]$secret,
+ [Parameter(Mandatory=$true)][string]$tenantId
+ )
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+ # Load our Login Browser Function
+ Import-Module .\LoginBrowser.psm1
+
+ # Configuration parameters
+ $login = "https://login.microsoftonline.com"
+ $redirectUri = "https://SiemMsspConnector"
+ $resourceId = "https://graph.windows.net"
+
+ Write-Host 'Prompt the user for his credentials, to get an authorization code'
+ $authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f
+ $login, $tenantId, $clientId, $redirectUri, $resourceId)
+ Write-Host "authorzationUrl: $authorizationUrl"
+
+ # Fake a proper endpoint for the Redirect URI
+ $code = LoginBrowser $authorizationUrl $redirectUri
+
+ # Acquire token using the authorization code
+
+ $Body = @{
+ grant_type = 'authorization_code'
+ client_id = $clientId
+ code = $code
+ redirect_uri = $redirectUri
+ resource = $resourceId
+ client_secret = $secret
+ }
+
+ $tokenEndpoint = "$login/$tenantId/oauth2/token?"
+ $Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
+ $token = $Response.access_token
+ $refreshToken= $Response.refresh_token
+
+ Write-Host " ----------------------------------- TOKEN ---------------------------------- "
+ Write-Host $token
+
+ Write-Host " ----------------------------------- REFRESH TOKEN ---------------------------------- "
+ Write-Host $refreshToken
+ ```
+4. Open an elevated PowerShell command prompt in the `MsspTokensAcquisition` folder.
+
+5. Run the following command:
+ `Set-ExecutionPolicy -ExecutionPolicy Bypass`
+
+6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId -secret -tenantId `
+
+ - Replace \ with the **Application (client) ID** you got from the previous step.
+ - Replace \ with the **Client Secret** you created from the previous step.
+ - Replace \ with your customer's **Tenant ID**.
+
+
+7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
+
+8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
+
+
+### Step 3: Allow your application on Microsoft Defender Security Center
+You'll need to allow the application you created in Microsoft Defender Security Center.
+
+
+You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you.
+
+1. Go to `https://securitycenter.windows.com?tid=` (replace \ with the customer's tenant ID.
+
+2. Click **Settings** > **SIEM**.
+
+3. Select the **MSSP** tab.
+
+4. Enter the **Application ID** from the first step and your **Tenant ID**.
+
+5. Click **Authorize application**.
+
+
+You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
+
+
+- In the ArcSight configuration file / Splunk Authentication Properties file you will have to write your application key manually by settings the secret value.
+- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
+
+## Fetch alerts from MSSP customer's tenant using APIs
+
+For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).
+
+
+## Related topics
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Configure alert notifications](configure-mssp-notifications.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
index 2f61ccb373..e4ecad3ffa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
@@ -28,7 +28,7 @@ Retrieves specific [Alert](alerts.md) by its ID.
## Limitations
-1. You can get alerts last updated in the past 30 days.
+1. You can get alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
index c9c257c1e1..ac7cf2410a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
@@ -28,7 +28,7 @@ Retrieves all domains related to a specific alert.
## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
index d99712033f..519afaa0e3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
@@ -28,7 +28,7 @@ Retrieves all files related to a specific alert.
## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
index 812e285986..cf783ffeda 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
@@ -28,7 +28,7 @@ Retrieves all IPs related to a specific alert.
## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
index b3e69abaa7..2b030497a2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
@@ -28,7 +28,7 @@ Retrieves [Device](machine.md) related to a specific alert.
## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
index f51040eab2..982e2a2585 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
@@ -28,7 +28,7 @@ Retrieves the User related to a specific alert.
## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
index dc8f29bd61..f13f6270fd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
@@ -26,12 +26,16 @@ ms.topic: article
## API description
Retrieves a collection of Alerts.
Supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
+ OData supported operators:
+ ```$filter``` on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
+ ```$top``` with max value of 10,000
+ ```$skip```
+ ```$expand``` of ```evidence```
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
## Limitations
-1. You can get alerts last updated in the past 30 days.
+1. You can get alerts last updated according to your configured retention period.
2. Maximum page size is 10,000.
3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -70,14 +74,14 @@ Empty
If successful, this method returns 200 OK, and a list of [alert](alerts.md) objects in the response body.
-## Example
+## Example 1 - Default
**Request**
Here is an example of the request.
```
-GET https://api.securitycenter.windows.com/api/alerts
+GET https://api.securitycenter.microsoft.com/api/alerts
```
[!include[Improve request performance](../../includes/improve-request-performance.md)]
@@ -93,41 +97,167 @@ Here is an example of the response.
```json
{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [
{
- "id": "da637084217856368682_-292920499",
- "incidentId": 66860,
- "investigationId": 4416234,
- "assignedTo": "secop@contoso.com",
- "severity": "Low",
- "status": "New",
- "classification": "TruePositive",
- "determination": null,
- "investigationState": "Running",
- "detectionSource": "WindowsDefenderAtp",
- "category": "CommandAndControl",
- "threatFamilyName": null,
- "title": "Network connection to a risky host",
- "description": "A network connection was made to a risky host which has exhibited malicious activity.",
- "alertCreationTime": "2019-11-03T23:49:45.3823185Z",
- "firstEventTime": "2019-11-03T23:47:16.2288822Z",
- "lastEventTime": "2019-11-03T23:47:51.2966758Z",
- "lastUpdateTime": "2019-11-03T23:55:52.6Z",
- "resolvedTime": null,
- "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
+ "id": "da637308392288907382_-880718168",
+ "incidentId": 7587,
+ "investigationId": 723156,
+ "assignedTo": "secop123@contoso.com",
+ "severity": "Low",
+ "status": "New",
+ "classification": "TruePositive",
+ "determination": null,
+ "investigationState": "Queued",
+ "detectionSource": "WindowsDefenderAv",
+ "category": "SuspiciousActivity",
+ "threatFamilyName": "Meterpreter",
+ "title": "Suspicious 'Meterpreter' behavior was detected",
+ "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
+ "alertCreationTime": "2020-07-20T10:53:48.7657932Z",
+ "firstEventTime": "2020-07-20T10:52:17.6654369Z",
+ "lastEventTime": "2020-07-20T10:52:18.1362905Z",
+ "lastUpdateTime": "2020-07-20T10:53:50.19Z",
+ "resolvedTime": null,
+ "machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",
+ "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+ "rbacGroupName": "MiddleEast",
+ "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "relatedUser": {
+ "userName": "temp123",
+ "domainName": "MIDDLEEAST"
+ },
"comments": [
{
"comment": "test comment for docs",
- "createdBy": "secop@contoso.com",
- "createdTime": "2019-11-05T14:08:37.8404534Z"
+ "createdBy": "secop123@contoso.com",
+ "createdTime": "2020-07-21T01:00:37.8404534Z"
}
- ]
+ ],
+ "evidence": []
}
...
]
}
```
+## Example 2 - Get 10 latest Alerts with related Evidence
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
+```
+
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity. All alerts will be returned from an actual call.
+
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "da637306396589640224_1753239473",
+ "incidentId": 875832,
+ "investigationId": 478434,
+ "assignedTo": null,
+ "severity": "Low",
+ "status": "New",
+ "classification": null,
+ "determination": null,
+ "investigationState": "PendingApproval",
+ "detectionSource": "WindowsDefenderAv",
+ "category": "UnwantedSoftware",
+ "threatFamilyName": "InstallCore",
+ "title": "An active 'InstallCore' unwanted software was detected",
+ "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
+ "alertCreationTime": "2020-07-18T03:27:38.9483995Z",
+ "firstEventTime": "2020-07-18T03:25:39.6124549Z",
+ "lastEventTime": "2020-07-18T03:26:18.4362304Z",
+ "lastUpdateTime": "2020-07-18T03:28:19.76Z",
+ "resolvedTime": null,
+ "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
+ "computerDnsName": "temp2.redmond.corp.microsoft.com",
+ "rbacGroupName": "Ring0",
+ "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+ "relatedUser": {
+ "userName": "temp2",
+ "domainName": "REDMOND"
+ },
+ "comments": [],
+ "evidence": [
+ {
+ "entityType": "File",
+ "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+ "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+ "fileName": "Your File Is Ready To Download_1911150169.exe",
+ "filePath": "C:\\Users\\temp2\\Downloads",
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "ipAddress": null,
+ "url": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null
+ },
+ {
+ "entityType": "Process",
+ "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+ "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+ "fileName": "Your File Is Ready To Download_1911150169.exe",
+ "filePath": "C:\\Users\\temp2\\Downloads",
+ "processId": 24348,
+ "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
+ "processCreationTime": "2020-07-18T03:25:38.5269993Z",
+ "parentProcessId": 16840,
+ "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
+ "ipAddress": null,
+ "url": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null
+ },
+ {
+ "entityType": "User",
+ "sha1": null,
+ "sha256": null,
+ "fileName": null,
+ "filePath": null,
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "ipAddress": null,
+ "url": null,
+ "accountName": "temp2",
+ "domainName": "REDMOND",
+ "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
+ "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
+ "userPrincipalName": "temp2@microsoft.com"
+ }
+ ]
+ },
+ ...
+ ]
+}
+```
+
+
## Related topics
- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
index 5f0bb3386d..94487dd4ff 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
@@ -1,108 +1,108 @@
----
-title: List all recommendations
-description: Retrieves a list of all security recommendations affecting the organization.
-keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List all recommendations
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of all security recommendations affecting the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
- "value": [
- {
- "id": "va-_-microsoft-_-windows_10",
- "productName": "windows_10",
- "recommendationName": "Update Windows 10",
- "weaknesses": 397,
- "vendor": "microsoft",
- "recommendedVersion": "",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": true,
- "activeAlert": false,
- "associatedThreats": [
- "3098b8ef-23b1-46b3-aed4-499e1928f9ed",
- "40c189d5-0330-4654-a816-e48c2b7f9c4b",
- "4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
- "e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
- "94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
- ],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 7.674418604651163,
- "totalMachineCount": 37,
- "exposedMachinesCount": 7,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Windows 10"
- }
- ...
- ]
-}
-```
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
-
+---
+title: List all recommendations
+description: Retrieves a list of all security recommendations affecting the organization.
+keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List all recommendations
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of all security recommendations affecting the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
+ "value": [
+ {
+ "id": "va-_-microsoft-_-windows_10",
+ "productName": "windows_10",
+ "recommendationName": "Update Windows 10",
+ "weaknesses": 397,
+ "vendor": "microsoft",
+ "recommendedVersion": "",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": true,
+ "activeAlert": false,
+ "associatedThreats": [
+ "3098b8ef-23b1-46b3-aed4-499e1928f9ed",
+ "40c189d5-0330-4654-a816-e48c2b7f9c4b",
+ "4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
+ "e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
+ "94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
+ ],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 7.674418604651163,
+ "totalMachineCount": 37,
+ "exposedMachinesCount": 7,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Windows 10"
+ }
+ ...
+ ]
+}
+```
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
new file mode 100644
index 0000000000..3ec0c82630
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
@@ -0,0 +1,106 @@
+---
+title: Get all vulnerabilities by machine and software
+description: Retrieves a list of all the vulnerabilities affecting the organization by Machine and Software
+keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List vulnerabilities by machine and software
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Retrieves a list of all the vulnerabilities affecting the organization per [machine](machine.md) and [software](software.md).
+- If the vulnerability has a fixing KB, it will appear in the response.
+- Supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData ```$filter``` is supported on all properties.
+
+>[!Tip]
+>This is great API for [Power BI integration](api-power-bi.md).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities/machinesVulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of vulnerabilities in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/vulnerabilities/machinesVulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicAssetVulnerabilityDto)",
+ "value": [
+ {
+ "id": "5afa3afc92a7c63d4b70129e0a6f33f63a427e21-_-CVE-2020-6494-_-microsoft-_-edge_chromium-based-_-81.0.416.77-_-",
+ "cveId": "CVE-2020-6494",
+ "machineId": "5afa3afc92a7c63d4b70129e0a6f33f63a427e21",
+ "fixingKbId": null,
+ "productName": "edge_chromium-based",
+ "productVendor": "microsoft",
+ "productVersion": "81.0.416.77",
+ "severity": "Low"
+ },
+ {
+ "id": "7a704e17d1c2977c0e7b665fb18ae6e1fe7f3283-_-CVE-2016-3348-_-microsoft-_-windows_server_2012_r2-_-6.3.9600.19728-_-3185911",
+ "cveId": "CVE-2016-3348",
+ "machineId": "7a704e17d1c2977c0e7b665fb18ae6e1fe7f3283",
+ "fixingKbId": "3185911",
+ "productName": "windows_server_2012_r2",
+ "productVendor": "microsoft",
+ "productVersion": "6.3.9600.19728",
+ "severity": "Low"
+ },
+ ...
+ ]
+
+}
+```
+
+## Related topics
+
+- [Risk-based threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
index 4114015c39..8b61f18cfc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
@@ -1,96 +1,96 @@
----
-title: Get all vulnerabilities
-description: Retrieves a list of all the vulnerabilities affecting the organization
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List vulnerabilities
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of all the vulnerabilities affecting the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of vulnerabilities in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities",
- "value": [
- {
- "id": "CVE-2019-0608",
- "name": "CVE-2019-0608",
- "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 4,
- "publishedOn": "2019-10-08T00:00:00Z",
- "updatedOn": "2019-12-16T16:20:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: Get all vulnerabilities
+description: Retrieves a list of all the vulnerabilities affecting the organization
+keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List vulnerabilities
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of all the vulnerabilities affecting the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of vulnerabilities in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities",
+ "value": [
+ {
+ "id": "CVE-2019-0608",
+ "name": "CVE-2019-0608",
+ "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 4,
+ "publishedOn": "2019-10-08T00:00:00Z",
+ "updatedOn": "2019-12-16T16:20:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+ ...
+ ]
+
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
index 6eb1d7d80c..c980ded177 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
@@ -1,83 +1,83 @@
----
-title: Get Machine Secure score
-description: Retrieves the organizational device secure score.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get Machine Secure score
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves the organizational device secure score.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-## HTTP request
-```
-GET /api/configurationScore
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, with the with device secure score data in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/configurationScore
-```
-
-**Response**
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity",
- "time": "2019-12-03T09:15:58.1665846Z",
- "score": 340
-}
-```
-
-## Related topics
-- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
+---
+title: Get Machine Secure score
+description: Retrieves the organizational device secure score.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get Machine Secure score
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves the organizational device secure score.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+## HTTP request
+```
+GET /api/configurationScore
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, with the device secure score data in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/configurationScore
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity.
+
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity",
+ "time": "2019-12-03T09:15:58.1665846Z",
+ "score": 340
+}
+```
+
+## Related topics
+- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
index d93e999a34..f8f57249dc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
@@ -1,93 +1,93 @@
----
-title: Get discovered vulnerabilities
-description: Retrieves a collection of discovered vulnerabilities related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get discovered vulnerabilities
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of discovered vulnerabilities related to a given device ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/machines/{machineId}/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the discovered vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2019-1348",
- "name": "CVE-2019-1348",
- "description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 1,
- "publishedOn": "2019-12-13T00:00:00Z",
- "updatedOn": "2019-12-13T00:00:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: Get discovered vulnerabilities
+description: Retrieves a collection of discovered vulnerabilities related to a given device ID.
+keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get discovered vulnerabilities
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of discovered vulnerabilities related to a given device ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/machines/{machineId}/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the discovered vulnerability information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
+ "value": [
+ {
+ "id": "CVE-2019-1348",
+ "name": "CVE-2019-1348",
+ "description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 1,
+ "publishedOn": "2019-12-13T00:00:00Z",
+ "updatedOn": "2019-12-13T00:00:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
index bdb1c4b423..0aa06444da 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
@@ -28,7 +28,7 @@ Retrieves a collection of [Alerts](alerts.md) related to a given domain address.
## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -48,7 +48,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+```http
GET /api/domains/{domain}/alerts
```
@@ -73,6 +73,6 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-```
+```http
GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
index 8413a10a82..6b4dee50f5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
@@ -28,7 +28,7 @@ Retrieves a collection of [Machines](machine.md) that have communicated to or fr
## Limitations
-1. You can query on devices last seen in the past 30 days.
+1. You can query on devices last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -48,7 +48,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>- Response will include only devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+```http
GET /api/domains/{domain}/machines
```
@@ -75,6 +75,6 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-```
+```http
GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
index 794272d101..0fb4dd5ba6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
@@ -1,88 +1,88 @@
----
-title: Get exposure score
-description: Retrieves the organizational exposure score.
-keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get exposure score
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves the organizational exposure score.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-
-## HTTP request
-```
-GET /api/exposureScore
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, with the exposure data in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/exposureScore
-```
-
-**Response**
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity",
- "time": "2019-12-03T07:23:53.280499Z",
- "score": 33.491554051195706
-}
-
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
-
-
+---
+title: Get exposure score
+description: Retrieves the organizational exposure score.
+keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get exposure score
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves the organizational exposure score.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+
+## HTTP request
+```
+GET /api/exposureScore
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, with the exposure data in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/exposureScore
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity.
+
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity",
+ "time": "2019-12-03T07:23:53.280499Z",
+ "score": 33.491554051195706
+}
+
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
index 2521e0a16b..4ae4475d50 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
@@ -1,89 +1,89 @@
----
-title: Get installed software
-description: Retrieves a collection of installed software related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get installed software
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of installed software related to a given device ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/machines/{machineId}/software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the installed software information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-{
-"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software",
-"value": [
- {
-"id": "microsoft-_-internet_explorer",
-"name": "internet_explorer",
-"vendor": "microsoft",
-"weaknesses": 67,
-"publicExploit": true,
-"activeAlert": false,
-"exposedMachines": 42115,
-"impactScore": 46.2037163
- }
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: Get installed software
+description: Retrieves a collection of installed software related to a given device ID.
+keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get installed software
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of installed software related to a given device ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/machines/{machineId}/software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the installed software information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software",
+"value": [
+ {
+"id": "microsoft-_-internet_explorer",
+"name": "internet_explorer",
+"vendor": "microsoft",
+"weaknesses": 67,
+"publicExploit": true,
+"activeAlert": false,
+"exposedMachines": 42115,
+"impactScore": 46.2037163
+ }
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
index 0348f58dbf..91b44caf50 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
@@ -28,7 +28,7 @@ Retrieves specific [Machine](machine.md) by its device ID or computer name.
## Limitations
-1. You can get devices last seen in the past 30 days.
+1. You can get devices last seen according to your configured retention policy.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -49,7 +49,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
## HTTP request
-```
+```http
GET /api/machines/{id}
```
@@ -65,7 +65,7 @@ Empty
## Response
If successful and device exists - 200 OK with the [machine](machine.md) entity in the body.
-If machine with the specified id was not found - 404 Not Found.
+If machine with the specified ID was not found - 404 Not Found.
## Example
@@ -76,7 +76,7 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-```
+```http
GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
```
@@ -85,7 +85,7 @@ GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932
Here is an example of the response.
-```
+```http
HTTP/1.1 200 OK
Content-type: application/json
{
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
index 10f886e0d1..9b9287e938 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
@@ -1,91 +1,91 @@
----
-title: List exposure score by device group
-description: Retrieves a list of exposure scores by device group.
-keywords: apis, graph api, supported apis, get, exposure score, device group, device group exposure score
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List exposure score by device group
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of alerts related to a given domain address.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-## HTTP request
-```
-GET /api/exposureScore/ByMachineGroups
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/exposureScore/ByMachineGroups
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore",
- "value": [
- {
- "time": "2019-12-03T09:51:28.214338Z",
- "score": 41.38041766305988,
- "rbacGroupName": "GroupOne"
- },
- {
- "time": "2019-12-03T09:51:28.2143399Z",
- "score": 37.403726933165366,
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
+---
+title: List exposure score by device group
+description: Retrieves a list of exposure scores by device group.
+keywords: apis, graph api, supported apis, get, exposure score, device group, device group exposure score
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List exposure score by device group
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of alerts related to a given domain address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+## HTTP request
+```
+GET /api/exposureScore/ByMachineGroups
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/exposureScore/ByMachineGroups
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore",
+ "value": [
+ {
+ "time": "2019-12-03T09:51:28.214338Z",
+ "score": 41.38041766305988,
+ "rbacGroupName": "GroupOne"
+ },
+ {
+ "time": "2019-12-03T09:51:28.2143399Z",
+ "score": 37.403726933165366,
+ "rbacGroupName": "GroupTwo"
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
index f5cb6a8948..fc56069b04 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
@@ -28,7 +28,7 @@ Retrieves a collection of logged on users on a specific device.
## Limitations
-1. You can query on devices last seen in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -46,7 +46,7 @@ Delegated (work or school account) | User.Read.All | 'Read user profiles'
>- Response will include users only if the device is visible to the user, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+```http
GET /api/machines/{id}/logonusers
```
@@ -72,7 +72,7 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-```
+```http
GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
```
@@ -81,7 +81,7 @@ GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932
Here is an example of the response.
-```
+```http
HTTP/1.1 200 OK
Content-type: application/json
{
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
index 0d100248f0..e8fb105671 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
@@ -28,7 +28,7 @@ Retrieves all [Alerts](alerts.md) related to a specific device.
## Limitations
-1. You can query on devices last seen in the past 30 days.
+1. You can query on devices last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -45,7 +45,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>- User needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+```http
GET /api/machines/{id}/alerts
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
index ebf471edee..e066fab80a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
@@ -1,93 +1,93 @@
----
-title: List devices by software
-description: Retrieve a list of devices that has this software installed.
-keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List devices by software
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieve a list of device references that has this software installed.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/machineReferences
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK and a list of devices with the software installed in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
- "computerDnsName": "dave_desktop",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- },
- {
- "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
- "computerDnsName": "jane_PC",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: List devices by software
+description: Retrieve a list of devices that has this software installed.
+keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List devices by software
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieve a list of device references that has this software installed.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/machineReferences
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK and a list of devices with the software installed in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
+ "computerDnsName": "dave_desktop",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ },
+ {
+ "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
+ "computerDnsName": "jane_PC",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
index fddc82d5dd..71597be89f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
@@ -1,92 +1,92 @@
----
-title: List devices by vulnerability
-description: Retrieves a list of devices affected by a vulnerability.
-keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List devices by vulnerability
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of devices affected by a vulnerability.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities/{cveId}/machineReferences
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "235a2e6278c63fcf85bab9c370396972c58843de",
- "computerDnsName": "h1mkn_PC",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- },
- {
- "id": "afb3f807d1a185ac66668f493af028385bfca184",
- "computerDnsName": "chat_Desk ",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
- }
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: List devices by vulnerability
+description: Retrieves a list of devices affected by a vulnerability.
+keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List devices by vulnerability
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of devices affected by a vulnerability.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities/{cveId}/machineReferences
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the vulnerability information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "235a2e6278c63fcf85bab9c370396972c58843de",
+ "computerDnsName": "h1mkn_PC",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ },
+ {
+ "id": "afb3f807d1a185ac66668f493af028385bfca184",
+ "computerDnsName": "chat_Desk ",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ }
+ ...
+ ]
+ }
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
index e46fe6e5cd..93303b75fa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
@@ -24,14 +24,14 @@ ms.topic: article
## API description
-Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender ATP cloud on the last 30 days.
+Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender ATP cloud.
Supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's ```$filter``` query is supported on: ```computerDnsName```, ```lastSeen```, ```lastIpAddress```, ```healthStatus```, ```osPlatform```, ```riskScore```, ```rbacGroupId``` and ```machineTags``` properties.
+ The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
## Limitations
-1. You can get devices last seen in the past 30 days.
+1. You can get devices last seen according to your configured retention period.
2. Maximum page size is 10,000.
3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -51,7 +51,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
GET https://api.securitycenter.windows.com/api/machines
```
@@ -77,7 +78,8 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-```
+
+```http
GET https://api.securitycenter.windows.com/api/machines
```
@@ -85,8 +87,7 @@ GET https://api.securitycenter.windows.com/api/machines
Here is an example of the response.
-
-```
+```http
HTTP/1.1 200 OK
Content-type: application/json
{
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
index 9254f80562..5b5ce91ff1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
@@ -1,96 +1,96 @@
----
-title: Get recommendation by Id
-description: Retrieves a security recommendation by its ID.
-keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get recommendation by ID
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a security recommendation by its ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity",
- "id": "va-_-google-_-chrome",
- "productName": "chrome",
- "recommendationName": "Update Chrome",
- "weaknesses": 38,
- "vendor": "google",
- "recommendedVersion": "",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": false,
- "activeAlert": false,
- "associatedThreats": [],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 3.9441860465116285,
- "totalMachineCount": 6,
- "exposedMachinesCount": 5,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Chrome"
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+---
+title: Get recommendation by Id
+description: Retrieves a security recommendation by its ID.
+keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get recommendation by ID
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a security recommendation by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity",
+ "id": "va-_-google-_-chrome",
+ "productName": "chrome",
+ "recommendationName": "Update Chrome",
+ "weaknesses": 38,
+ "vendor": "google",
+ "recommendedVersion": "",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": false,
+ "activeAlert": false,
+ "associatedThreats": [],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 3.9441860465116285,
+ "totalMachineCount": 6,
+ "exposedMachinesCount": 5,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Chrome"
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
index 9c2965fd9c..fd557b7129 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
@@ -1,85 +1,85 @@
----
-title: List devices by recommendation
-description: Retrieves a list of devices associated with the security recommendation.
-keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List devices by recommendation
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of devices associated with the security recommendation.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}/machineReferences
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of devices associated with the security recommendation.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
- "computerDnsName": "niw_pc",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+---
+title: List devices by recommendation
+description: Retrieves a list of devices associated with the security recommendation.
+keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List devices by recommendation
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of devices associated with the security recommendation.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}/machineReferences
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of devices associated with the security recommendation.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
+ "computerDnsName": "niw_pc",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
index d4e5a895ef..c4654ccd11 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
@@ -1,84 +1,84 @@
----
-title: Get recommendation by software
-description: Retrieves a security recommendation related to a specific software.
-keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get recommendation by software
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a security recommendation related to a specific software.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}/software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the software associated with the security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/software
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto",
- "id": "google-_-chrome",
- "name": "chrome",
- "vendor": "google",
- "weaknesses": 38,
- "publicExploit": false,
- "activeAlert": false,
- "exposedMachines": 5,
- "impactScore": 3.94418621
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+---
+title: Get recommendation by software
+description: Retrieves a security recommendation related to a specific software.
+keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get recommendation by software
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a security recommendation related to a specific software.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}/software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the software associated with the security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/software
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto",
+ "id": "google-_-chrome",
+ "name": "chrome",
+ "vendor": "google",
+ "weaknesses": 38,
+ "publicExploit": false,
+ "activeAlert": false,
+ "exposedMachines": 5,
+ "impactScore": 3.94418621
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
index e7e5725b8a..a7218907c7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
@@ -1,94 +1,94 @@
----
-title: List vulnerabilities by recommendation
-description: Retrieves a list of vulnerabilities associated with the security recommendation.
-keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List vulnerabilities by recommendation
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of vulnerabilities associated with the security recommendation.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2019-13748",
- "name": "CVE-2019-13748",
- "description": "Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.",
- "severity": "Medium",
- "cvssV3": 6.5,
- "exposedMachines": 0,
- "publishedOn": "2019-12-10T00:00:00Z",
- "updatedOn": "2019-12-16T12:15:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+---
+title: List vulnerabilities by recommendation
+description: Retrieves a list of vulnerabilities associated with the security recommendation.
+keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List vulnerabilities by recommendation
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of vulnerabilities associated with the security recommendation.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
+ "value": [
+ {
+ "id": "CVE-2019-13748",
+ "name": "CVE-2019-13748",
+ "description": "Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.",
+ "severity": "Medium",
+ "cvssV3": 6.5,
+ "exposedMachines": 0,
+ "publishedOn": "2019-12-10T00:00:00Z",
+ "updatedOn": "2019-12-16T12:15:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
index 67e29e0532..e071070fba 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
@@ -1,101 +1,101 @@
----
-title: Get security recommendations
-description: Retrieves a collection of security recommendations related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get security recommendations
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of security recommendations related to a given device ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/machines/{machineId}/recommendations
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
- "value": [
- {
- "id": "va-_-git-scm-_-git",
- "productName": "git",
- "recommendationName": "Update Git to version 2.24.1.2",
- "weaknesses": 3,
- "vendor": "git-scm",
- "recommendedVersion": "2.24.1.2",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": false,
- "activeAlert": false,
- "associatedThreats": [],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 0,
- "totalMachineCount": 0,
- "exposedMachinesCount": 1,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Git"
- },
-…
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+---
+title: Get security recommendations
+description: Retrieves a collection of security recommendations related to a given device ID.
+keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get security recommendations
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of security recommendations related to a given device ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/machines/{machineId}/recommendations
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
+ "value": [
+ {
+ "id": "va-_-git-scm-_-git",
+ "productName": "git",
+ "recommendationName": "Update Git to version 2.24.1.2",
+ "weaknesses": 3,
+ "vendor": "git-scm",
+ "recommendedVersion": "2.24.1.2",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": false,
+ "activeAlert": false,
+ "associatedThreats": [],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 0,
+ "totalMachineCount": 0,
+ "exposedMachinesCount": 1,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Git"
+ },
+…
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
index 2276c784bf..a596b5e16e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
@@ -1,86 +1,86 @@
----
-title: Get software by Id
-description: Retrieves a list of exposure scores by device group.
-keywords: apis, graph api, supported apis, get, software, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get software by Id
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves software details by ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the specified software data in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software/$entity",
- "id": "microsoft-_-edge",
- "name": "edge",
- "vendor": "microsoft",
- "weaknesses": 467,
- "publicExploit": true,
- "activeAlert": false,
- "exposedMachines": 172,
- "impactScore": 2.39947438
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: Get software by Id
+description: Retrieves a list of exposure scores by device group.
+keywords: apis, graph api, supported apis, get, software, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get software by Id
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves software details by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the specified software data in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software/$entity",
+ "id": "microsoft-_-edge",
+ "name": "edge",
+ "vendor": "microsoft",
+ "weaknesses": 467,
+ "publicExploit": true,
+ "activeAlert": false,
+ "exposedMachines": 172,
+ "impactScore": 2.39947438
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
index 159f48e08e..8263dd34d3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
@@ -1,91 +1,91 @@
----
-title: List software version distribution
-description: Retrieves a list of your organization's software version distribution
-keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List software version distribution
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of your organization's software version distribution.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/distributions
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with a list of software distributions data in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distributions
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Distributions",
- "value": [
- {
- "version": "11.0.17134.1039",
- "installations": 1,
- "vulnerabilities": 11
- },
- {
- "version": "11.0.18363.535",
- "installations": 750,
- "vulnerabilities": 0
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: List software version distribution
+description: Retrieves a list of your organization's software version distribution
+keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List software version distribution
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of your organization's software version distribution.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/distributions
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with a list of software distributions data in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distributions
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Distributions",
+ "value": [
+ {
+ "version": "11.0.17134.1039",
+ "installations": 1,
+ "vulnerabilities": 11
+ },
+ {
+ "version": "11.0.18363.535",
+ "installations": 750,
+ "vulnerabilities": 0
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
index 883c240d11..5e97985a54 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
@@ -1,90 +1,90 @@
----
-title: List software
-description: Retrieves a list of software inventory
-keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List software inventory API
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-Retrieves the organization software inventory.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the software inventory in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software",
- "value": [
- {
- "id": "microsoft-_-edge",
- "name": "edge",
- "vendor": "microsoft",
- "weaknesses": 467,
- "publicExploit": true,
- "activeAlert": false,
- "exposedMachines": 172,
- "impactScore": 2.39947438
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: List software
+description: Retrieves a list of software inventory
+keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List software inventory API
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Retrieves the organization software inventory.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the software inventory in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software",
+ "value": [
+ {
+ "id": "microsoft-_-edge",
+ "name": "edge",
+ "vendor": "microsoft",
+ "weaknesses": 467,
+ "publicExploit": true,
+ "activeAlert": false,
+ "exposedMachines": 172,
+ "impactScore": 2.39947438
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
index 42147bc353..056f883007 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
@@ -1,93 +1,93 @@
----
-title: List vulnerabilities by software
-description: Retrieve a list of vulnerabilities in the installed software.
-keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List vulnerabilities by software
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieve a list of vulnerabilities in the installed software.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/vulnerabilities
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with a a list of vulnerabilities exposed by the specified software.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2017-0140",
- "name": "CVE-2017-0140",
- "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
- "severity": "Medium",
- "cvssV3": 4.2,
- "exposedMachines": 1,
- "publishedOn": "2017-03-14T00:00:00Z",
- "updatedOn": "2019-10-03T00:03:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-}
-```
-
+---
+title: List vulnerabilities by software
+description: Retrieve a list of vulnerabilities in the installed software.
+keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List vulnerabilities by software
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieve a list of vulnerabilities in the installed software.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/vulnerabilities
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with a a list of vulnerabilities exposed by the specified software.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
+ "value": [
+ {
+ "id": "CVE-2017-0140",
+ "name": "CVE-2017-0140",
+ "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
+ "severity": "Medium",
+ "cvssV3": 4.2,
+ "exposedMachines": 1,
+ "publishedOn": "2017-03-14T00:00:00Z",
+ "updatedOn": "2019-10-03T00:03:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+ ...
+ ]
+}
+```
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
index a7ec42d80f..4dd3118f79 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
@@ -1,88 +1,88 @@
----
-title: Get vulnerability by Id
-description: Retrieves vulnerability information by its ID.
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get vulnerability by ID
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves vulnerability information by its ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities/{cveId}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity",
- "id": "CVE-2019-0608",
- "name": "CVE-2019-0608",
- "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 4,
- "publishedOn": "2019-10-08T00:00:00Z",
- "updatedOn": "2019-12-16T16:20:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
-}
-```
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: Get vulnerability by Id
+description: Retrieves vulnerability information by its ID.
+keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get vulnerability by ID
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves vulnerability information by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities/{cveId}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the vulnerability information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity",
+ "id": "CVE-2019-0608",
+ "name": "CVE-2019-0608",
+ "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 4,
+ "publishedOn": "2019-10-08T00:00:00Z",
+ "updatedOn": "2019-12-16T16:20:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+}
+```
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md
new file mode 100644
index 0000000000..fc801373b0
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md
@@ -0,0 +1,136 @@
+---
+title: Grant access to managed security service provider (MSSP)
+description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Grant managed security service provider (MSSP) access (preview)
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+To implement a multi-tenant delegated access solution, take the following steps:
+
+1. Enable [role-based access control](rbac.md) in Microsoft Defender ATP and connect with Active Directory (AD) groups.
+
+2. Configure [Governance Access Packages](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) for access request and provisioning.
+
+3. Manage access requests and audits in [Microsoft Myaccess](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-request-approve).
+
+## Enable role-based access controls in Microsoft Defender ATP
+
+1. **Create access groups for MSSP resources in Customer AAD: Groups**
+
+ These groups will be linked to the Roles you create in Microsoft Defender ATP. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:
+
+ - Tier 1 Analyst
+ - Tier 2 Analyst
+ - MSSP Analyst Approvers
+
+
+2. Create Microsoft Defender ATP roles for appropriate access levels in Customer Microsoft Defender ATP.
+
+ To enable RBAC in the customer Microsoft Defender Security Center, access **Settings > Permissions > Roles** and "Turn on roles", from a user account with Global Administrator or Security Administrator rights.
+
+ 
+
+ Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via “Assigned user groups”.
+
+ Two possible roles:
+
+ - **Tier 1 Analysts**
+ Perform all actions except for live response and manage security settings.
+
+ - **Tier 2 Analysts**
+ Tier 1 capabilities with the addition to [live response](live-response.md)
+
+ For more information, see [Use role-based access control](rbac.md).
+
+
+
+## Configure Governance Access Packages
+
+1. **Add MSSP as Connected Organization in Customer AAD: Identity Governance**
+
+ Adding the MSSP as a connected organization will allow the MSSP to request and have accesses provisioned.
+
+ To do so, in the customer AD tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. We suggest creating a separate AD tenant for your MSSP Analysts.
+
+2. **Create a resource catalog in Customer AAD: Identity Governance**
+
+ Resource catalogs are a logical collection of access packages, created in the customer AD tenant.
+
+ To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, we will call it **MSSP Accesses**.
+
+ 
+
+ Further more information, see [Create a catalog of resources](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-catalog-create).
+
+
+3. **Create access packages for MSSP resources Customer AAD: Identity Governance**
+
+ Access packages are the collection of rights and accesses that a requestor will be granted upon approval.
+
+ To do so, in the customer AD tenant, access Identity Governance: Access Packages, and add **New Access Package**. Create an access package for the MSSP approvers and each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:
+
+ - Requires a member of the AD group **MSSP Analyst Approvers** to authorize new requests
+ - Has annual access reviews, where the SOC analysts can request an access extension
+ - Can only be requested by users in the MSSP SOC Tenant
+ - Access auto expires after 365 days
+
+ 
+
+ For more information, see [Create a new access package](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-access-package-create).
+
+
+4. **Provide access request link to MSSP resources from Customer AAD: Identity Governance**
+
+ The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the **MSSP Analyst Approvers**.
+
+
+ 
+
+ The link is located on the overview page of each access package.
+
+## Manage access
+
+1. Review and authorize access requests in Customer and/or MSSP myaccess.
+
+ Access requests are managed in the customer My Access, by members of the MSSP Analyst Approvers group.
+
+ To do so, access the customer’s myaccess using:
+ `https://myaccess.microsoft.com/@`.
+
+ Example: `https://myaccess.microsoft.com/@M365x440XXX.onmicrosoft.com#/`
+2. Approve or deny requests in the **Approvals** section of the UI.
+
+ At this point, analyst access has been provisioned, and each analyst should be able to access the customer’s Microsoft Defender Security Center: `https://securitycenter.Microsoft.com/?tid=`
+
+## Related topics
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Configure alert notifications](configure-mssp-notifications.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
+
+
+
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/access-properties.png b/windows/security/threat-protection/microsoft-defender-atp/images/access-properties.png
new file mode 100644
index 0000000000..aa284279f9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/access-properties.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/asr-guid.png b/windows/security/threat-protection/microsoft-defender-atp/images/asr-guid.png
new file mode 100644
index 0000000000..d8a8570fb0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/asr-guid.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-updated.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-updated.png
new file mode 100644
index 0000000000..0e2d2fd929
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-updated.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane-updated.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane-updated.png
new file mode 100644
index 0000000000..88d8fb23d2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane-updated.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-offboarding-workspaceid.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-offboarding-workspaceid.png
index 57e30708ab..c34cbb8b80 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-offboarding-workspaceid.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-offboarding-workspaceid.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/desktop.ini b/windows/security/threat-protection/microsoft-defender-atp/images/desktop.ini
deleted file mode 100644
index c6b68739d7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/images/desktop.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[LocalizedFileNames]
-atp-mapping7.png=@atp-mapping7,0
-atp-machine-health-details.PNG=@atp-machine-health-details,0
-email-notification.png=@email-notification,0
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/device-flag-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/device-flag-filter.png
new file mode 100644
index 0000000000..d2a5e26ce4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/device-flag-filter.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/device-flags.png b/windows/security/threat-protection/microsoft-defender-atp/images/device-flags.png
new file mode 100644
index 0000000000..082b367ad7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/device-flags.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/goverance-catalog.png b/windows/security/threat-protection/microsoft-defender-atp/images/goverance-catalog.png
new file mode 100644
index 0000000000..e670575f6d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/goverance-catalog.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-approved-system-extensions.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-approved-system-extensions.png
new file mode 100644
index 0000000000..3c9d841104
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-approved-system-extensions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune.png
new file mode 100644
index 0000000000..ee61f80008
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune2.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune2.png
new file mode 100644
index 0000000000..f4100cb60f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-privacy.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-privacy.png
new file mode 100644
index 0000000000..9ed9edc068
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-privacy.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-urls.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-urls.png
new file mode 100644
index 0000000000..217cc0d478
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-urls.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mssp-access.png b/windows/security/threat-protection/microsoft-defender-atp/images/mssp-access.png
new file mode 100644
index 0000000000..57dce4b5c1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mssp-access.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/new-access-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-access-package.png
new file mode 100644
index 0000000000..f2a7a81250
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/new-access-package.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-cve-detection-logic.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-cve-detection-logic.png
new file mode 100644
index 0000000000..6701a4521b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-cve-detection-logic.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-device-value-dropdown.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-device-value-dropdown.png
new file mode 100644
index 0000000000..2fe843f6ad
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-device-value-dropdown.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-device-value-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-device-value-flyout.png
new file mode 100644
index 0000000000..be50eefc3b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-device-value-flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-software.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-software.png
new file mode 100644
index 0000000000..9f360f0b7e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-software.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-software2.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-software2.png
new file mode 100644
index 0000000000..cb98b850f9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-software2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weakness-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weakness-flyout.png
new file mode 100644
index 0000000000..0e81640cb2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weakness-flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weakness-flyout400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weakness-flyout400.png
new file mode 100644
index 0000000000..302b4883b3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weakness-flyout400.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
index f5439add6d..d6cbe89a02 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
@@ -7,7 +7,6 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md
index e0233b7ae1..a60e510583 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md
@@ -18,7 +18,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Create indicators based on certificates (preview)
+# Create indicators based on certificates
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -69,4 +69,4 @@ It's important to understand the following requirements prior to creating indica
- [Create indicators](manage-indicators.md)
- [Create indicators for files](indicator-file.md)
- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
-- [Manage indicators](indicator-manage.md)
\ No newline at end of file
+- [Manage indicators](indicator-manage.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
index 5fd56526b0..bd6a081f9a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@@ -27,6 +27,9 @@ ms.topic: article
Investigate the details of an alert raised on a specific device to identify other behaviors or events that might be related to the alert or the potential scope of the breach.
+> [!NOTE]
+> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
+
You can click on affected devices whenever you see them in the portal to open a detailed report about that device. Affected devices are identified in the following areas:
- [Devices list](investigate-machines.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
index 3c07af2507..e69619e1d8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
@@ -43,7 +43,7 @@ Exclusion | Definition | Examples
---|---|---
File extension | All files with the extension, anywhere on the device | `.test`
File | A specific file identified by the full path | `/var/log/test.log` `/var/log/*.log` `/var/log/install.?.log`
-Folder | All files under the specified folder | `/var/log/` `/var/*/`
+Folder | All files under the specified folder (recursively) | `/var/log/` `/var/*/`
Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat` `cat` `c?t`
File, folder, and process exclusions support the following wildcards:
@@ -64,7 +64,7 @@ For more information on how to configure exclusions from Puppet, Ansible, or ano
Run the following command to see the available switches for managing exclusions:
```bash
-$ mdatp exclusion
+mdatp exclusion
```
Examples:
@@ -72,28 +72,36 @@ Examples:
- Add an exclusion for a file extension:
```bash
- $ mdatp exclusion extension add --name .txt
+ mdatp exclusion extension add --name .txt
+ ```
+ ```Output
Extension exclusion configured successfully
```
- Add an exclusion for a file:
```bash
- $ mdatp exclusion file add --path /var/log/dummy.log
+ mdatp exclusion file add --path /var/log/dummy.log
+ ```
+ ```Output
File exclusion configured successfully
```
- Add an exclusion for a folder:
```bash
- $ mdatp exclusion folder add --path /var/log/
+ mdatp exclusion folder add --path /var/log/
+ ```
+ ```Output
Folder exclusion configured successfully
```
- Add an exclusion for a process:
```bash
- $ mdatp exclusion process add --name cat
+ mdatp exclusion process add --name cat
+ ```
+ ```Output
Process exclusion configured successfully
```
@@ -104,7 +112,7 @@ You can validate that your exclusion lists are working by using `curl` to downlo
In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
```bash
-$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
+curl -o test.txt https://www.eicar.org/download/eicar.com.txt
```
If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
@@ -116,3 +124,25 @@ echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > te
```
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
+
+## Allow threats
+
+In addition to excluding certain content from being scanned, you can also configure the product not to detect some classes of threats (identified by the threat name). You should exercise caution when using this functionality, as it can leave your device unprotected.
+
+To add a threat name to the allowed list, execute the following command:
+
+```bash
+mdatp threat allowed add --name [threat-name]
+```
+
+The threat name associated with a detection on your device can be obtained using the following command:
+
+```bash
+mdatp threat list
+```
+
+For example, to add `EICAR-Test-File (not a virus)` (the threat name associated with the EICAR detection) to the allowed list, execute the following command:
+
+```bash
+mdatp threat allowed add --name "EICAR-Test-File (not a virus)"
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index 0ac4cc8574..1746f4fcb3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -71,7 +71,7 @@ In order to preview new features and provide early feedback, it is recommended t
sudo rpm --import http://packages.microsoft.com/keys/microsoft.asc
```
-- Install `yum-utils` if it is not already installed:
+- Install `yum-utils` if it isn't installed yet:
```bash
sudo yum install yum-utils
@@ -107,13 +107,13 @@ In order to preview new features and provide early feedback, it is recommended t
### Ubuntu and Debian systems
-- Install `curl` if it is not already installed:
+- Install `curl` if it isn't installed yet:
```bash
sudo apt-get install curl
```
-- Install `libplist-utils` if it is not already installed:
+- Install `libplist-utils` if it isn't installed yet:
```bash
sudo apt-get install libplist-utils
@@ -177,14 +177,17 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
# list all repositories
- $ yum repolist
+ yum repolist
+ ```
+ ```Output
...
packages-microsoft-com-prod packages-microsoft-com-prod 316
packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins 2
...
-
+ ```
+ ```bash
# install the package from the production repository
- $ sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
+ sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
```
- SLES and variants:
@@ -196,16 +199,18 @@ In order to preview new features and provide early feedback, it is recommended t
If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
```bash
- # list all repositories
- $ zypper repos
+ zypper repos
+ ```
+
+ ```Output
...
# | Alias | Name | ...
XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ...
XX | packages-microsoft-com-prod | microsoft-prod | ...
...
-
- # install the package from the production repository
- $ sudo zypper install packages-microsoft-com-prod:mdatp
+ ```
+ ```bash
+ sudo zypper install packages-microsoft-com-prod:mdatp
```
- Ubuntu and Debian system:
@@ -217,13 +222,14 @@ In order to preview new features and provide early feedback, it is recommended t
If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
```bash
- # list all repositories
- $ cat /etc/apt/sources.list.d/*
+ cat /etc/apt/sources.list.d/*
+ ```
+ ```Output
deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main
deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main
-
- # install the package from the production repository
- $ sudo apt -t bionic install mdatp
+ ```
+ ```bash
+ sudo apt -t bionic install mdatp
```
## Download the onboarding package
@@ -243,17 +249,19 @@ Download the onboarding package from Microsoft Defender Security Center:
ls -l
```
- `total 8`
- `-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip`
+ ```Output
+ total 8
+ -rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
+ ```
```bash
unzip WindowsDefenderATPOnboardingPackage.zip
+ ```
+ ```Output
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: MicrosoftDefenderATPOnboardingLinuxServer.py
```
- `Archive: WindowsDefenderATPOnboardingPackage.zip`
- `inflating: WindowsDefenderATPOnboarding.py`
## Client configuration
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
index 709b03a5e2..52f85ffb99 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
@@ -24,7 +24,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-This topic describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
+This article describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
- [Download the onboarding package](#download-the-onboarding-package)
- [Create Ansible YAML files](#create-ansible-yaml-files)
@@ -33,12 +33,12 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Ansibl
## Prerequisites and system requirements
-Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
-In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Please refer to the [Ansible documentation](https://docs.ansible.com/) for details.
+In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Refer to the [Ansible documentation](https://docs.ansible.com/) for details.
-- Ansible needs to be installed on at least on one computer (we will call it the master).
-- SSH must be configured for an administrator account between the master and all clients, and it is recommended be configured with public key authentication.
+- Ansible needs to be installed on at least one computer (we will call it the primary computer).
+- SSH must be configured for an administrator account between the primary computer and all clients, and it is recommended be configured with public key authentication.
- The following software must be installed on all clients:
- curl
- python-apt
@@ -54,7 +54,7 @@ In addition, for Ansible deployment, you need to be familiar with Ansible admini
- Ping test:
```bash
- $ ansible -m ping all
+ ansible -m ping all
```
## Download the onboarding package
@@ -70,10 +70,16 @@ Download the onboarding package from Microsoft Defender Security Center:
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
```bash
- $ ls -l
+ ls -l
+ ```
+ ```Output
total 8
-rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
- $ unzip WindowsDefenderATPOnboardingPackage.zip
+ ```
+ ```bash
+ unzip WindowsDefenderATPOnboardingPackage.zip
+ ```
+ ```Output
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: mdatp_onboard.json
```
@@ -158,7 +164,9 @@ Create a subtask or role files that contribute to an playbook or task.
- For apt-based distributions use the following YAML file:
```bash
- $ cat install_mdatp.yml
+ cat install_mdatp.yml
+ ```
+ ```Output
- hosts: servers
tasks:
- include: ../roles/onboarding_setup.yml
@@ -170,7 +178,9 @@ Create a subtask or role files that contribute to an playbook or task.
```
```bash
- $ cat uninstall_mdatp.yml
+ cat uninstall_mdatp.yml
+ ```
+ ```Output
- hosts: servers
tasks:
- apt:
@@ -181,7 +191,9 @@ Create a subtask or role files that contribute to an playbook or task.
- For yum-based distributions use the following YAML file:
```bash
- $ cat install_mdatp_yum.yml
+ cat install_mdatp_yum.yml
+ ```
+ ```Output
- hosts: servers
tasks:
- include: ../roles/onboarding_setup.yml
@@ -193,7 +205,9 @@ Create a subtask or role files that contribute to an playbook or task.
```
```bash
- $ cat uninstall_mdatp_yum.yml
+ cat uninstall_mdatp_yum.yml
+ ```
+ ```Output
- hosts: servers
tasks:
- yum:
@@ -208,7 +222,7 @@ Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory.
- Installation:
```bash
- $ ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts
+ ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts
```
> [!IMPORTANT]
@@ -217,14 +231,16 @@ Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory.
- Validation/configuration:
```bash
- $ ansible -m shell -a 'mdatp connectivity test' all
- $ ansible -m shell -a 'mdatp health' all
+ ansible -m shell -a 'mdatp connectivity test' all
+ ```
+ ```bash
+ ansible -m shell -a 'mdatp health' all
```
- Uninstallation:
```bash
- $ ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts
+ ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts
```
## Log installation issues
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
index ef1aa769a6..14677aa8a3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
@@ -24,7 +24,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
+This article describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
- [Download the onboarding package](#download-the-onboarding-package)
- [Create Puppet manifest](#create-a-puppet-manifest)
@@ -35,7 +35,7 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet
For a description of prerequisites and system requirements for the current software version, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md).
-In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Please refer to the [Puppet documentation](https://puppet.com/docs) for details.
+In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Refer to the [Puppet documentation](https://puppet.com/docs) for details.
## Download the onboarding package
@@ -47,13 +47,20 @@ Download the onboarding package from Microsoft Defender Security Center:
-4. From a command prompt, verify that you have the file. Extract the contents of the archive:
+4. From a command prompt, verify that you have the file.
```bash
- $ ls -l
+ ls -l
+ ```
+ ```Output
total 8
-rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
- $ unzip WindowsDefenderATPOnboardingPackage.zip
+ ```
+5. Extract the contents of the archive.
+ ```bash
+ unzip WindowsDefenderATPOnboardingPackage.zip
+ ```
+ ```Output
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: mdatp_onboard.json
```
@@ -62,13 +69,19 @@ Download the onboarding package from Microsoft Defender Security Center:
You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server.
-Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
+Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This folder is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
```bash
-$ pwd
+pwd
+```
+```Output
/etc/puppetlabs/code/environments/production/modules
+```
-$ tree install_mdatp
+```bash
+tree install_mdatp
+```
+```Output
install_mdatp
├── files
│ └── mdatp_onboard.json
@@ -161,20 +174,24 @@ $version = undef
Include the above manifest in your site.pp file:
```bash
-$ cat /etc/puppetlabs/code/environments/production/manifests/site.pp
+cat /etc/puppetlabs/code/environments/production/manifests/site.pp
+```
+```Output
node "default" {
include install_mdatp
}
```
-Enrolled agent devices periodically poll the Puppet Server, and install new configuration profiles and policies as soon as they are detected.
+Enrolled agent devices periodically poll the Puppet Server and install new configuration profiles and policies as soon as they are detected.
## Monitor Puppet deployment
On the agent device, you can also check the onboarding status by running:
```bash
-$ mdatp health
+mdatp health
+```
+```Output
...
licensed : true
org_id : "[your organization identifier]"
@@ -200,7 +217,7 @@ The above command prints `1` if the product is onboarded and functioning as expe
If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
-- 1 if the device is not yet onboarded.
+- 1 if the device isn't onboarded yet.
- 3 if the connection to the daemon cannot be established.
## Log installation issues
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
index 4e59ea8aad..bc9ddc57fc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
@@ -29,7 +29,7 @@ ms.topic: conceptual
In enterprise environments, Microsoft Defender ATP for Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
-This topic describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
+This article describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
## Configuration profile structure
@@ -141,7 +141,7 @@ Used to exclude content from the scan by file extension.
**Process excluded from the scan**
-Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (e.g. `cat`) or full path (e.g. `/bin/cat`).
+Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (for example, `cat`) or full path (for example, `/bin/cat`).
|||
|:---|:---|
@@ -373,7 +373,7 @@ The following configuration profile contains entries for all settings described
The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have `python` installed on your device:
```bash
-$ python -m json.tool mdatp_managed.json
+python -m json.tool mdatp_managed.json
```
If the JSON is well-formed, the above command outputs it back to the Terminal and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
index 415341d721..50067c7547 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
@@ -53,13 +53,13 @@ You can configure how PUA files are handled from the command line or from the ma
In Terminal, execute the following command to configure PUA protection:
```bash
-$ mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]
+mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]
```
### Use the management console to configure PUA protection:
-In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) topic.
+In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) article.
-## Related topics
+## Related articles
- [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
index 22e71176b4..5065d7b5be 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
@@ -26,28 +26,35 @@ ms.topic: conceptual
## Collect diagnostic information
-If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
+If you can reproduce a problem, first increase the logging level, run the system for some time, and then restore the logging level to the default.
1. Increase logging level:
```bash
- $ mdatp log level set --level verbose
+ mdatp log level set --level verbose
+ ```
+ ```Output
Log level configured successfully
```
2. Reproduce the problem.
-3. Run `sudo mdatp diagnostic create` to back up Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds:
+3. Run the following command to back up Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive.
```bash
- $ sudo mdatp diagnostic create
+ sudo mdatp diagnostic create
+ ```
+ This command will also print out the file path to the backup after the operation succeeds:
+ ```Output
Diagnostic file created:
```
4. Restore logging level:
```bash
- $ mdatp log level set --level info
+ mdatp log level set --level info
+ ```
+ ```Output
Log level configured successfully
```
@@ -59,7 +66,7 @@ The detailed log will be saved to `/var/log/microsoft/mdatp_install.log`. If you
## Uninstall
-There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, please follow the package uninstallation instructions for the configuration tool.
+There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, follow the package uninstallation instructions for the configuration tool.
### Manual uninstallation
@@ -73,7 +80,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
### Global options
-By default, the command-line tool outputs the result in human-readable format. In addition to this, the tool also supports outputting the result as JSON, which is useful for automation scenarios. To change the output to JSON, pass `--output json` to any of the below commands.
+By default, the command-line tool outputs the result in human-readable format. In addition, the tool also supports outputting the result as JSON, which is useful for automation scenarios. To change the output to JSON, pass `--output json` to any of the below commands.
### Supported commands
@@ -86,11 +93,14 @@ The following table lists commands for some of the most common scenarios. Run `m
|Configuration |Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled|disabled]` |
|Configuration |Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled|disabled]` |
|Configuration |Turn on/off AV passive mode |`mdatp config passive-mode [enabled|disabled]` |
-|Configuration |Add/remove an antivirus exclusion for a file extension |`mdatp exclusion extension [add|remove] --name ` |
-|Configuration |Add/remove an antivirus exclusion for a file |`mdatp exclusion file [add|remove] --path ` |
-|Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add|remove] --path ` |
-|Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add|remove] --path ` `mdatp exclusion process [add|remove] --name ` |
+|Configuration |Add/remove an antivirus exclusion for a file extension |`mdatp exclusion extension [add|remove] --name [extension]` |
+|Configuration |Add/remove an antivirus exclusion for a file |`mdatp exclusion file [add|remove] --path [path-to-file]` |
+|Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add|remove] --path [path-to-directory]` |
+|Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add|remove] --path [path-to-process]` `mdatp exclusion process [add|remove] --name [process-name]` |
|Configuration |List all antivirus exclusions |`mdatp exclusion list` |
+|Configuration |Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` |
+|Configuration |Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` |
+|Configuration |List all allowed threat names |`mdatp threat allowed list` |
|Configuration |Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action block` |
|Configuration |Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` |
|Configuration |Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action audit` |
@@ -103,12 +113,12 @@ The following table lists commands for some of the most common scenarios. Run `m
|Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` |
|Protection |Request a security intelligence update |`mdatp definitions update` |
|Protection history |Print the full protection history |`mdatp threat list` |
-|Protection history |Get threat details |`mdatp threat get --id ` |
+|Protection history |Get threat details |`mdatp threat get --id [threat-id]` |
|Quarantine management |List all quarantined files |`mdatp threat quarantine list` |
|Quarantine management |Remove all files from the quarantine |`mdatp threat quarantine remove-all` |
-|Quarantine management |Add a file detected as a threat to the quarantine |`mdatp threat quarantine add --id ` |
-|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine add --id ` |
-|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine add --id ` |
+|Quarantine management |Add a file detected as a threat to the quarantine |`mdatp threat quarantine add --id [threat-id]` |
+|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine add --id [threat-id]` |
+|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine add --id [threat-id]` |
## Microsoft Defender ATP portal information
@@ -138,5 +148,5 @@ In the Microsoft Defender ATP portal, you'll see two categories of information:
- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
```bash
- $ sudo SUSEConnect --status-text
+ sudo SUSEConnect --status-text
```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
index 0ac647a0b9..04ec1f7937 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
@@ -48,7 +48,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP:
```bash
- $ HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
+ HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
```
> [!NOTE]
@@ -56,7 +56,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
The `HTTPS_PROXY` environment variable may similarly be defined during uninstallation.
-Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take significantly longer due to network timeouts.
+Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take much longer due to network timeouts.
## Post installation configuration
@@ -73,5 +73,5 @@ After installation, the `HTTPS_PROXY` environment variable must be defined in th
After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands:
```bash
-$ systemctl daemon-reload; systemctl restart mdatp
+systemctl daemon-reload; systemctl restart mdatp
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
index f48ac979fd..86e2b4f38e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
@@ -29,7 +29,7 @@ ms.topic: conceptual
To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
```bash
-$ mdatp connectivity test
+mdatp connectivity test
```
If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
@@ -44,7 +44,7 @@ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https:
The output from this command should be similar to:
-```bash
+```Output
OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping
```
@@ -59,7 +59,7 @@ OK https://cdn.x.cp.wd.microsoft.com/ping
If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:
```bash
-$ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands.
@@ -78,13 +78,13 @@ Also ensure that the correct static proxy address is filled in to replace `addre
If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting:
```bash
-$ sudo systemctl daemon-reload; sudo systemctl restart mdatp
+sudo systemctl daemon-reload; sudo systemctl restart mdatp
```
Upon success, attempt another connectivity test from the command line:
```bash
-$ mdatp connectivity test
+mdatp connectivity test
```
If the problem persists, contact customer support.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
index d89a6593f9..67c96c9bdf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
@@ -26,12 +26,15 @@ ms.topic: conceptual
## Verify if installation succeeded
-An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, one can obtain and check the installation logs using:
+An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, obtain and check the installation logs using:
```bash
- $ sudo journalctl | grep 'microsoft-mdatp' > installation.log
- $ grep 'postinstall end' installation.log
-
+ sudo journalctl | grep 'microsoft-mdatp' > installation.log
+```
+```bash
+ grep 'postinstall end' installation.log
+```
+```Output
microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
```
@@ -44,8 +47,9 @@ Also check the [Client configuration](linux-install-manually.md#client-configura
Check if the mdatp service is running:
```bash
- $ systemctl status mdatp
-
+systemctl status mdatp
+```
+```Output
● mdatp.service - Microsoft Defender ATP
Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago
@@ -61,41 +65,43 @@ Check if the mdatp service is running:
1. Check if "mdatp" user exists:
```bash
- $ id "mdatp"
+ id "mdatp"
```
If there’s no output, run
```bash
- $ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
+ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
```
2. Try enabling and restarting the service using:
```bash
- $ sudo systemctl enable mdatp
- $ sudo systemctl restart mdatp
+ sudo systemctl enable mdatp
```
-
-3. If mdatp.service isn't found upon running the previous command, run
```bash
- $ sudo cp /opt/microsoft/mdatp/conf/mdatp.service
-
- where is
- /lib/systemd/system for Ubuntu and Debian distributions
- /usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES
+ sudo systemctl restart mdatp
```
- and then rerun step 2.
+
+3. If mdatp.service isn't found upon running the previous command, run:
+ ```bash
+ sudo cp /opt/microsoft/mdatp/conf/mdatp.service
+ ```
+ where `````` is
+ ```/lib/systemd/system``` for Ubuntu and Debian distributions and
+ ```/usr/lib/systemd/system``` for Rhel, CentOS, Oracle and SLES.
+Then rerun step 2.
4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot.
5. Ensure that the daemon has executable permission.
```bash
- $ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
-
+ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
+ ```
+ ```Output
-rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon
```
If the daemon doesn't have executable permissions, make it executable using:
```bash
- $ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
+ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
```
and retry running step 2.
@@ -105,7 +111,7 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan
1. Check the file system type using:
```bash
- $ findmnt -T
+ findmnt -T
```
Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned.
@@ -113,13 +119,15 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan
1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command:
```bash
- $ sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
+ sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
```
and try again.
If none of the above steps help, collect the diagnostic logs:
```bash
- $ sudo mdatp diagnostic create
+ sudo mdatp diagnostic create
+ ```
+ ```Output
Diagnostic file created:
```
Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
index 5119c3afc3..a4c54a9aa4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
@@ -23,7 +23,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux.
+This article provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux.
Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
@@ -36,7 +36,9 @@ The following steps can be used to troubleshoot and mitigate these issues:
If your device is not managed by your organization, real-time protection can be disabled from the command line:
```bash
- $ mdatp config real-time-protection --value disabled
+ mdatp config real-time-protection --value disabled
+ ```
+ ```Output
Configuration property updated
```
@@ -50,26 +52,28 @@ The following steps can be used to troubleshoot and mitigate these issues:
This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line:
```bash
- $ mdatp config real-time-protection-statistics --value enabled
+ mdatp config real-time-protection-statistics --value enabled
```
This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
```bash
- $ mdatp health --field real_time_protection_enabled
+ mdatp health --field real_time_protection_enabled
```
Verify that the `real_time_protection_enabled` entry is `true`. Otherwise, run the following command to enable it:
```bash
- $ mdatp config real-time-protection --value enabled
+ mdatp config real-time-protection --value enabled
+ ```
+ ```Output
Configuration property updated
```
To collect current statistics, run:
```bash
- $ mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file
+ mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file
```
The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
index d2a63d964c..a35d6e6d1a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
@@ -19,6 +19,10 @@ ms.topic: conceptual
# What's new in Microsoft Defender Advanced Threat Protection for Linux
+## 101.03.48
+
+- Bug fixes
+
## 101.02.55
- Fixed an issue where the product sometimes does not start following a reboot / upgrade
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
index d96e6da0ab..4e97dc6960 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
@@ -43,7 +43,7 @@ Exclusion | Definition | Examples
---|---|---
File extension | All files with the extension, anywhere on the machine | `.test`
File | A specific file identified by the full path | `/var/log/test.log` `/var/log/*.log` `/var/log/install.?.log`
-Folder | All files under the specified folder | `/var/log/` `/var/*/`
+Folder | All files under the specified folder (recursively) | `/var/log/` `/var/*/`
Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat` `cat` `c?t`
File, folder, and process exclusions support the following wildcards:
@@ -74,7 +74,7 @@ You can validate that your exclusion lists are working by using `curl` to downlo
In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
```bash
-$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
+curl -o test.txt https://www.eicar.org/download/eicar.com.txt
```
If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
@@ -86,3 +86,25 @@ echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > te
```
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
+
+## Allow threats
+
+In addition to excluding certain content from being scanned, you can also configure the product not to detect some classes of threats (identified by the threat name). You should exercise caution when using this functionality, as it can leave your device unprotected.
+
+To add a threat name to the allowed list, execute the following command:
+
+```bash
+mdatp threat allowed add --name [threat-name]
+```
+
+The threat name associated with a detection on your device can be obtained using the following command:
+
+```bash
+mdatp threat list
+```
+
+For example, to add `EICAR-Test-File (not a virus)` (the threat name associated with the EICAR detection) to the allowed list, execute the following command:
+
+```bash
+mdatp threat allowed add --name "EICAR-Test-File (not a virus)"
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
index ff78248097..2dd67831b1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
@@ -20,10 +20,8 @@ ms.topic: conceptual
# Intune-based deployment for Microsoft Defender ATP for Mac
> [!NOTE]
-> This documentation explains the legacy method for deploying and configuring Microsoft Defender ATP on macOS devices. The native experience is now available in the MEM console. The release of the native UI in the MEM console provide admins with a much simpler way to configure and dfeploy the application and send it down to macOS devices.
-> This blog post explains the new features: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-simplifies-deployment-of-microsoft/ba-p/1322995
-> To configure the app go here: https://docs.microsoft.com/mem/intune/protect/antivirus-microsoft-defender-settings-macos
-> To deploy the app go here: https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos
+> This documentation explains the legacy method for deploying and configuring Microsoft Defender ATP on macOS devices. The native experience is now available in the MEM console. The release of the native UI in the MEM console provide admins with a much simpler way to configure and deploy the application and send it down to macOS devices.
+>The blog post [MEM simplifies deployment of Microsoft Defender ATP for macOS](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-simplifies-deployment-of-microsoft/ba-p/1322995) explains the new features. To configure the app, go to [Settings for Microsoft Defender ATP for Mac in Microsoft InTune](https://docs.microsoft.com/mem/intune/protect/antivirus-microsoft-defender-settings-macos). To deploy the app, go to [Add Microsoft Defender ATP to macOS devices using Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos).
**Applies to:**
@@ -50,7 +48,7 @@ The following table summarizes the steps you would need to take to deploy and ma
| [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A |
| [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
-| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)
**Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
+| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)
**Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
## Download installation and onboarding packages
@@ -66,15 +64,24 @@ Download the installation and onboarding packages from Microsoft Defender Securi
4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
6. From a command prompt, verify that you have the three files.
- Extract the contents of the .zip files:
+
```bash
- $ ls -l
+ ls -l
+ ```
+
+ ```Output
total 721688
-rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil
-rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
- $ unzip WindowsDefenderATPOnboardingPackage.zip
+ ```
+7. Extract the contents of the .zip files:
+
+ ```bash
+ unzip WindowsDefenderATPOnboardingPackage.zip
+ ```
+ ```Output
Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
inflating: intune/kext.xml
@@ -82,16 +89,18 @@ Download the installation and onboarding packages from Microsoft Defender Securi
inflating: jamf/WindowsDefenderATPOnboarding.plist
```
-7. Make IntuneAppUtil an executable:
+8. Make IntuneAppUtil an executable:
```bash
- $ chmod +x IntuneAppUtil
+ chmod +x IntuneAppUtil
```
-8. Create the wdav.pkg.intunemac package from wdav.pkg:
+9. Create the wdav.pkg.intunemac package from wdav.pkg:
```bash
- $ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
+ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
+ ```
+ ```Output
Microsoft Intune Application Utility for Mac OS X
Version: 1.0.0.0
Copyright 2018 Microsoft Corporation
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
index 4cb0f6f707..da1f94c851 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
@@ -24,7 +24,7 @@ ms.date: 04/10/2020
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
-This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps:
+This article describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps:
1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
1. [Create JAMF policies](#create-jamf-policies)
@@ -34,7 +34,7 @@ This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF.
## Prerequisites and system requirements
-Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow.
@@ -45,7 +45,7 @@ The following table summarizes the steps you would need to take to deploy and ma
| Step | Sample file names | BundleIdentifier |
|-|-|-|
| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
-| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1)
**Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.plist | com.microsoft.wdav |
+| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1)
**Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.plist | com.microsoft.wdav |
| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#notification-settings) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.wdav.tray |
| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#jamf) | MDATP_Microsoft_AutoUpdate.mobileconfig | com.microsoft.autoupdate2 |
| [Grant Full Disk Access to Microsoft Defender ATP](#privacy-preferences-policy-control) | Note: If there was one, MDATP_tcc_Catalina_or_newer.plist | com.microsoft.wdav.tcc |
@@ -64,17 +64,25 @@ Download the installation and onboarding packages from Microsoft Defender Securi
3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
-5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
+5. From the command prompt, verify that you have the two files.
```bash
- $ ls -l
+ ls -l
+ ```
+ ```Output
total 721160
-rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
- $ unzip WindowsDefenderATPOnboardingPackage.zip
+ ```
+6. Extract the contents of the .zip files like so:
+
+ ```bash
+ unzip WindowsDefenderATPOnboardingPackage.zip
+ ```
+ ```Output
Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
- inflating: intune/kext.xml
+ inflating: intune/kext.xml
inflating: intune/WindowsDefenderATPOnboarding.xml
inflating: jamf/WindowsDefenderATPOnboarding.plist
```
@@ -140,9 +148,83 @@ Use the **Logs** tab to monitor deployment status for each enrolled device.
Starting in macOS 10.15 (Catalina) a user must manually allow to display notifications in UI. To auto-enable notifications from Defender and Auto Update, you can import the .mobileconfig below into a separate configuration profile and assign it to all devices with Defender:
```xml
-
-
- PayloadContentNotificationSettingsAlertType2BadgesEnabledBundleIdentifiercom.microsoft.autoupdate2CriticalAlertEnabledGroupingType0NotificationsEnabledShowInLockScreenShowInNotificationCenterSoundsEnabledAlertType2BadgesEnabledBundleIdentifiercom.microsoft.wdav.trayCriticalAlertEnabledGroupingType0NotificationsEnabledShowInLockScreenShowInNotificationCenterSoundsEnabledPayloadDescriptionPayloadDisplayNamenotificationsPayloadEnabledPayloadIdentifierBB977315-E4CB-4915-90C7-8334C75A7C64PayloadOrganizationMicrosoftPayloadTypecom.apple.notificationsettingsPayloadUUIDBB977315-E4CB-4915-90C7-8334C75A7C64PayloadVersion1PayloadDescriptionPayloadDisplayNamemdatp - allow notificationsPayloadEnabledPayloadIdentifier85F6805B-0106-4D23-9101-7F1DFD5EA6D6PayloadOrganizationMicrosoftPayloadRemovalDisallowedPayloadScopeSystemPayloadTypeConfigurationPayloadUUID85F6805B-0106-4D23-9101-7F1DFD5EA6D6PayloadVersion1
+
+
+
+ PayloadContent
+
+
+ NotificationSettings
+
+
+ AlertType
+ 2
+ BadgesEnabled
+
+ BundleIdentifier
+ com.microsoft.autoupdate2
+ CriticalAlertEnabled
+ GroupingType
+ 0
+ NotificationsEnabled
+
+ ShowInLockScreen
+
+ ShowInNotificationCenter
+
+ SoundsEnabled
+
+
+
+ AlertType
+ 2BadgesEnabled
+ BundleIdentifier
+ com.microsoft.wdav.tray
+ CriticalAlertEnabled
+ GroupingType
+ 0
+ NotificationsEnabled
+ ShowInLockScreen
+ ShowInNotificationCenter
+ SoundsEnabled
+
+
+
+ PayloadDescription
+ PayloadDisplayName
+ notifications
+ PayloadEnabled
+ PayloadIdentifier
+ BB977315-E4CB-4915-90C7-8334C75A7C64
+ PayloadOrganization
+ Microsoft
+ PayloadType
+ com.apple.notificationsettings
+ PayloadUUID
+ BB977315-E4CB-4915-90C7-8334C75A7C64
+ PayloadVersion
+ 1
+
+
+ PayloadDescription
+ PayloadDisplayName
+ mdatp - allow notifications
+ PayloadEnabled
+ PayloadIdentifier
+ 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
+ PayloadOrganization
+ Microsoft
+ PayloadRemovalDisallowed
+ PayloadScope
+ System
+ PayloadType
+ Configuration
+ PayloadUUID
+ 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
+ PayloadVersion
+ 1
+
+
```
### Package
@@ -208,7 +290,10 @@ Once the policy is applied, you'll see the Microsoft Defender ATP icon in the ma
You can monitor policy installation on a device by following the JAMF log file:
```bash
- $ tail -f /var/log/jamf.log
+ tail -f /var/log/jamf.log
+```
+
+```Output
Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found.
Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"...
Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV
@@ -221,7 +306,10 @@ You can monitor policy installation on a device by following the JAMF log file:
You can also check the onboarding status:
```bash
-$ mdatp --health
+mdatp --health
+```
+
+```Output
...
licensed : true
orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"
@@ -237,7 +325,7 @@ orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"
You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status:
```bash
-$ mdatp --health healthy
+mdatp --health healthy
```
The above command prints "1" if the product is onboarded and functioning as expected.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
index 018c229b01..e2f79e5846 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@@ -747,7 +747,9 @@ The following templates contain entries for all settings described in this docum
The property list must be a valid *.plist* file. This can be checked by executing:
```bash
-$ plutil -lint com.microsoft.wdav.plist
+plutil -lint com.microsoft.wdav.plist
+```
+```Output
com.microsoft.wdav.plist: OK
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
index 0f63486ad1..5fbcec859f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
@@ -53,7 +53,7 @@ You can configure how PUA files are handled from the command line or from the ma
In Terminal, execute the following command to configure PUA protection:
```bash
-$ mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]
+mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]
```
### Use the management console to configure PUA protection:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index a4780aaea9..7367f5ccb6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -25,12 +25,15 @@ ms.topic: conceptual
## Collecting diagnostic information
-If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
+If you can reproduce a problem, increase the logging level, run the system for some time, and restore the logging level to the default.
1. Increase logging level:
```bash
- $ mdatp --log-level verbose
+ mdatp --log-level verbose
+ ```
+
+ ```Output
Creating connection to daemon
Connection established
Operation succeeded
@@ -38,10 +41,12 @@ If you can reproduce a problem, please increase the logging level, run the syste
2. Reproduce the problem
-3. Run `sudo mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
+3. Run `sudo mdatp --diagnostic --create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
```bash
- $ sudo mdatp --diagnostic --create
+ sudo mdatp --diagnostic --create
+ ```
+ ```Output
Creating connection to daemon
Connection established
```
@@ -49,7 +54,9 @@ If you can reproduce a problem, please increase the logging level, run the syste
4. Restore logging level:
```bash
- $ mdatp --log-level info
+ mdatp --log-level info
+ ```
+ ```Output
Creating connection to daemon
Connection established
Operation succeeded
@@ -63,7 +70,7 @@ The detailed log will be saved to `/Library/Logs/Microsoft/mdatp/install.log`. I
## Uninstalling
-There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune.
+There are several ways to uninstall Microsoft Defender ATP for Mac. Note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune.
### Interactive uninstallation
@@ -82,14 +89,17 @@ Important tasks, such as controlling product settings and triggering on-demand s
|-------------|-------------------------------------------|-----------------------------------------------------------------------|
|Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` |
|Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` |
-|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` |
+|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` |
|Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` |
+|Configuration|Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` |
+|Configuration|Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` |
+|Configuration|List all allowed threat names |`mdatp threat allowed list` |
|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
|Configuration|Turn on/off passiveMode |`mdatp --config passiveMode [on/off]` |
|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
-|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
+|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
|Health |Check the product's health |`mdatp --health` |
|Protection |Scan a path |`mdatp --scan --path [path]` |
|Protection |Do a quick scan |`mdatp --scan --quick` |
@@ -100,6 +110,37 @@ Important tasks, such as controlling product settings and triggering on-demand s
|EDR |Add group tag to device. EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
|EDR |Remove group tag from device |`mdatp --edr --remove-tag [name]` |
+### How to enable autocompletion
+
+To enable autocompletion in `Bash`, run the following command and restart the Terminal session:
+
+```bash
+echo "source /Applications/Microsoft\ Defender\ ATP.app/Contents/Resources/Tools/mdatp_completion.bash" >> ~/.bash_profile
+```
+
+To enable autocompletion in `zsh`:
+
+- Check whether autocompletion is enabled on your device:
+
+ ```zsh
+ cat ~/.zshrc | grep autoload
+ ```
+
+- If the above command does not produce any output, you can enable autocompletion using the following command:
+
+ ```zsh
+ echo "autoload -Uz compinit && compinit" >> ~/.zshrc
+ ```
+
+- Run the following commands to enable autocompletion for Microsoft Defender ATP for Mac and restart the Terminal session:
+
+ ```zsh
+ sudo mkdir -p /usr/local/share/zsh/site-functions
+ ```
+ ```zsh
+ sudo ln -svf "/Applications/Microsoft Defender ATP.app/Contents/Resources/Tools/mdatp_completion.zsh" /usr/local/share/zsh/site-functions/_mdatp
+ ```
+
## Client Microsoft Defender ATP quarantine directory
`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
index d7a913d13f..645b1ecce5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
@@ -19,7 +19,7 @@ ms.topic: conceptual
# Schedule scans with Microsoft Defender ATP for Mac
-While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. Create a scanning schedule using launchd on a macOS computer.
+While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. Create a scanning schedule using launchd on a macOS computer.
## Schedule a scan with launchd
@@ -36,12 +36,13 @@ While you can start a threat scan at any time with Microsoft Defender ATP, your
ProgramArgumentssh
- -c
- /usr/local/bin/mdatp --scan --quick
+ -c
+ /usr/local/bin/mdatp --scan --quickRunAtLoad
- StartCalendarInterval
+ StartCalendarInterval
+ Day3Hour
@@ -68,11 +69,13 @@ While you can start a threat scan at any time with Microsoft Defender ATP, your
4. To load your file into **launchd**, enter the following commands:
```bash
- `$ launchctl load /Library/LaunchDaemons/`
- `$ launchctl start `
+ launchctl load /Library/LaunchDaemons/
+ ```
+ ```bash
+ launchctl start
```
-5. Your scheduled scan runs at the date, time, and frequency you defined in your .plist file. In the example, the scan runs at 2:00 AM every 7 days on a Friday, with the StartInterval using 604800 seconds for one week.
+5. Your scheduled scan runs at the date, time, and frequency you defined in your .plist file. In the example, the scan runs at 2:00 AM every seven days on a Friday, with the StartInterval using 604,800 seconds for one week.
> [!NOTE]
> Agents executed with launchd will not run at the scheduled time if the computer is asleep, but will run once the computer is awake. If the computer is off, the scan will not run until the computer is on at the next scheduled time.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
index 4e380f4e2a..7c4e538f90 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
@@ -30,8 +30,9 @@ For manual installation, the Summary page of the installation wizard says, "An e
While we do not display an exact error to the end user, we keep a log file with installation progress in `/Library/Logs/Microsoft/mdatp/install.log`. Each installation session appends to this log file. You can use `sed` to output the last installation session only:
```bash
-$ sed -n 'H; /^preinstall com.microsoft.wdav begin/h; ${g;p;}' /Library/Logs/Microsoft/mdatp/install.log
-
+sed -n 'H; /^preinstall com.microsoft.wdav begin/h; ${g;p;}' /Library/Logs/Microsoft/mdatp/install.log
+```
+```Output
preinstall com.microsoft.wdav begin [2020-03-11 13:08:49 -0700] 804
INSTALLER_SECURE_TEMP=/Library/InstallerSandboxes/.PKInstallSandboxManager/CB509765-70FC-4679-866D-8A14AD3F13CC.activeSandbox/89FA879B-971B-42BF-B4EA-7F5BB7CB5695
correlation id=CB509765-70FC-4679-866D-8A14AD3F13CC
@@ -45,10 +46,11 @@ The installation failed because a downgrade between these versions is not suppor
## MDATP install log missing or not updated
In rare cases, installation leaves no trace in MDATP's /Library/Logs/Microsoft/mdatp/install.log file.
-You can verify that an installation happened and analyze possible errors by querying macOS logs (this is helpful in case of MDM deployment, when there is no client UI). We recommend that you use a narrow time window to run a query, and that you filter by the logging process name, as there will be a huge amount of information.
+You can verify that an installation happened and analyze possible errors by querying macOS logs (this is helpful in MDM deployment, when there is no client UI). We recommend that you use a narrow time window to run a query, and that you filter by the logging process name, as there will be a huge amount of information.
```bash
grep '^2020-03-11 13:08' /var/log/install.log
-
+```
+```Output
log show --start '2020-03-11 13:00:00' --end '2020-03-11 13:08:50' --info --debug --source --predicate 'processImagePath CONTAINS[C] "install"' --style syslog
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
index 04021812ac..e8edd981e3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
@@ -23,18 +23,20 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
-This topic provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender ATP for Mac.
+This article provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender ATP for Mac.
Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to be explicitly approved before they are allowed to run on the device.
-If you did not approve the kernel extension during the deployment / installation of Microsoft Defender ATP for Mac, then the application displays a banner prompting you to enable it:
+If you did not approve the kernel extension during the deployment/installation of Microsoft Defender ATP for Mac, the application displays a banner prompting you to enable it:
-You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This is an indication that the kernel extension is not approved to run on your device.
+You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device.
```bash
-$ mdatp --health
+mdatp --health
+```
+```Output
...
realTimeProtectionAvailable : false
realTimeProtectionEnabled : true
@@ -60,10 +62,13 @@ If you don't see this prompt, it means that 30 or more minutes have passed, and
In this case, you need to perform the following steps to trigger the approval flow again.
-1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension was not approved to run on the device, however it will trigger the approval flow again.
+1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension was not approved to run on the device. However, it will trigger the approval flow again.
```bash
- $ sudo kextutil /Library/Extensions/wdavkext.kext
+ sudo kextutil /Library/Extensions/wdavkext.kext
+ ```
+
+ ```Output
Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Diagnostics for /Library/Extensions/wdavkext.kext:
@@ -75,16 +80,19 @@ In this case, you need to perform the following steps to trigger the approval fl
4. In Terminal, install the driver again. This time the operation will succeed:
-```bash
-$ sudo kextutil /Library/Extensions/wdavkext.kext
-```
+ ```bash
+ sudo kextutil /Library/Extensions/wdavkext.kext
+ ```
-The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available:
+ The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available:
-```bash
-$ mdatp --health
-...
-realTimeProtectionAvailable : true
-realTimeProtectionEnabled : true
-...
-```
\ No newline at end of file
+ ```bash
+ mdatp --health
+ ```
+
+ ```Output
+ ...
+ realTimeProtectionAvailable : true
+ realTimeProtectionEnabled : true
+ ...
+ ```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
index fccc1b4442..4bdc6a325d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
@@ -42,7 +42,7 @@ The following steps can be used to troubleshoot and mitigate these issues:
- From the Terminal. For security purposes, this operation requires elevation.
```bash
- $ mdatp --config realTimeProtectionEnabled false
+ mdatp --config realTimeProtectionEnabled false
```
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md
new file mode 100644
index 0000000000..3cd6ef23e7
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md
@@ -0,0 +1,281 @@
+---
+title: New configuration profiles for macOS Catalina and newer versions of macOS
+description: This topic describes the changes that are must be made in order to benefit from the system extensions, which are a replacement for kernel extensions on macOS Catalina and newer versions of macOS.
+keywords: microsoft, defender, atp, mac, kernel, system, extensions, catalina
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: security
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ROBOTS: noindex,nofollow
+---
+
+# New configuration profiles for macOS Catalina and newer versions of macOS
+
+In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS.
+
+If you have deployed Microsoft Defender ATP for Mac in a managed environment (through JAMF, Intune, or another MDM solution), you must deploy new configuration profiles. Failure to do these steps will result in users getting approval prompts to run these new components.
+
+## JAMF
+
+### System Extensions Policy
+
+To approve the system extensions, create the following payload:
+
+1. In **Computers > Configuration Profiles** select **Options > System Extensions**.
+2. Select **Allowed System Extensions** from the **System Extension Types** drop-down list.
+3. Use **UBF8T346G9** for Team Id.
+4. Add the following bundle identifiers to the **Allowed System Extensions** list:
+
+ - **com.microsoft.wdav.epsext**
+ - **com.microsoft.wdav.netext**
+
+ 
+
+### Privacy Preferences Policy Control
+
+Add the following JAMF payload to grant Full Disk Access to the Microsoft Defender ATP Endpoint Security Extension. This policy is a pre-requisite for running the extension on your device.
+
+1. Select **Options** > **Privacy Preferences Policy Control**.
+2. Use `com.microsoft.wdav.epsext` as the **Identifier** and `Bundle ID` as **Bundle type**.
+3. Set Code Requirement to `identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`
+4. Set **App or service** to **SystemPolicyAllFiles** and access to **Allow**.
+
+ 
+
+### Network Extension Policy
+
+As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
+
+>[!NOTE]
+>JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
+>As such, the following steps provide a workaround that involve signing the configuration profile.
+
+1. Save the following content to your device as `com.microsoft.network-extension.mobileconfig`
+
+ ```xml
+
+
+
+ PayloadUUID
+ DA2CC794-488B-4AFF-89F7-6686A7E7B8AB
+ PayloadType
+ Configuration
+ PayloadOrganization
+ Microsoft Corporation
+ PayloadIdentifier
+ DA2CC794-488B-4AFF-89F7-6686A7E7B8AB
+ PayloadDisplayName
+ Microsoft Defender ATP Network Extension
+ PayloadDescription
+
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadContent
+
+
+ PayloadUUID
+ 2BA070D9-2233-4827-AFC1-1F44C8C8E527
+ PayloadType
+ com.apple.webcontent-filter
+ PayloadOrganization
+ Microsoft Corporation
+ PayloadIdentifier
+ CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A
+ PayloadDisplayName
+ Approved Network Extension
+ PayloadDescription
+
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ FilterType
+ Plugin
+ UserDefinedName
+ Microsoft Defender ATP Network Extension
+ PluginBundleID
+ com.microsoft.wdav
+ FilterSockets
+
+ FilterDataProviderBundleIdentifier
+ com.microsoft.wdav.netext
+ FilterDataProviderDesignatedRequirement
+ identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+
+
+
+
+ ```
+
+2. Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs `OK`:
+
+ ```bash
+ $ plutil -lint com.microsoft.network-extension.mobileconfig
+ com.microsoft.network-extension.mobileconfig: OK
+ ```
+
+3. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF’s built-in certificate authority
+
+4. After the certificate is created and installed to your device, run the following command from the Terminal:
+
+ ```bash
+ $ security cms -S -N "" -i com.microsoft.network-extension.mobileconfig -o com.microsoft.network-extension.signed.mobileconfig
+ ```
+
+5. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. Select `com.microsoft.network-extension.signed.mobileconfig` when prompted for the file.
+
+## Intune
+
+### System Extensions Policy
+
+To approve the system extensions:
+
+1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
+3. In the `Basics` tab, give a name to this new profile.
+4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
+
+ Bundle identifier | Team identifier
+ --------------------------|----------------
+ com.microsoft.wdav.epsext | UBF8T346G9
+ com.microsoft.wdav.netext | UBF8T346G9
+
+ 
+
+5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
+6. Review and create this configuration profile.
+
+### Create and deploy the Custom Configuration Profile
+
+The following configuration profile enables the network extension and grants Full Disk Access to the Endpoint Security system extension.
+
+Save the following content to a file named **sysext.xml**:
+
+```xml
+
+
+
+ PayloadUUID
+ 7E53AC50-B88D-4132-99B6-29F7974EAA3C
+ PayloadType
+ Configuration
+ PayloadOrganization
+ Microsoft Corporation
+ PayloadIdentifier
+ 7E53AC50-B88D-4132-99B6-29F7974EAA3C
+ PayloadDisplayName
+ Microsoft Defender ATP System Extensions
+ PayloadDescription
+
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadContent
+
+
+ PayloadUUID
+ 2BA070D9-2233-4827-AFC1-1F44C8C8E527
+ PayloadType
+ com.apple.webcontent-filter
+ PayloadOrganization
+ Microsoft Corporation
+ PayloadIdentifier
+ CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A
+ PayloadDisplayName
+ Approved Network Extension
+ PayloadDescription
+
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ FilterType
+ Plugin
+ UserDefinedName
+ Microsoft Defender ATP Network Extension
+ PluginBundleID
+ com.microsoft.wdav
+ FilterSockets
+
+ FilterDataProviderBundleIdentifier
+ com.microsoft.wdav.netext
+ FilterDataProviderDesignatedRequirement
+ identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+
+
+ PayloadUUID
+ 56105E89-C7C8-4A95-AEE6-E11B8BEA0366
+ PayloadType
+ com.apple.TCC.configuration-profile-policy
+ PayloadOrganization
+ Microsoft Corporation
+ PayloadIdentifier
+ 56105E89-C7C8-4A95-AEE6-E11B8BEA0366
+ PayloadDisplayName
+ Privacy Preferences Policy Control
+ PayloadDescription
+
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ Services
+
+ SystemPolicyAllFiles
+
+
+ Identifier
+ com.microsoft.wdav.epsext
+ CodeRequirement
+ identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+ IdentifierType
+ bundleID
+ StaticCode
+ 0
+ Allowed
+ 1
+
+
+
+
+
+
+
+```
+
+Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs `OK`:
+
+```bash
+$ plutil -lint sysext.xml
+sysext.xml: OK
+```
+
+To deploy this custom configuration profile:
+
+1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create profile**.
+2. Choose a name for the profile. Change **Platform=macOS** and **Profile type=Custom**. Select **Configure**.
+3. Open the configuration profile and upload **sysext.xml**. This file was created in the preceding step.
+4. Select **OK**.
+
+ 
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
index 782c6a98e7..16b648b1c4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
@@ -64,7 +64,7 @@ The `Production` channel contains the most stable version of the product.
>[!WARNING]
>This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender ATP for Mac, execute the following command after replacing `[channel-name]` with the desired channel:
> ```bash
-> $ defaults write com.microsoft.autoupdate2 Applications -dict-add "/Applications/Microsoft Defender ATP.app" " { 'Application ID' = 'WDAV00' ; 'App Domain' = 'com.microsoft.wdav' ; LCID = 1033 ; ChannelName = '[channel-name]' ; }"
+> defaults write com.microsoft.autoupdate2 Applications -dict-add "/Applications/Microsoft Defender ATP.app" " { 'Application ID' = 'WDAV00' ; 'App Domain' = 'com.microsoft.wdav' ; LCID = 1033 ; ChannelName = '[channel-name]' ; }"
> ```
### Set update check frequency
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index 8e3150af35..4b48c8771f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -19,12 +19,34 @@ ms.topic: conceptual
# What's new in Microsoft Defender Advanced Threat Protection for Mac
-> [!NOTE]
-> In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions.
+> [!IMPORTANT]
+> In preparation for macOS 11 Big Sur, we are getting ready to release an update to Microsoft Defender ATP for Mac that will leverage new system extensions instead of kernel extensions. Apple will stop supporting kernel extensions starting macOS 11 Big Sur version. Therefore an update to the Microsoft Defender ATP for Mac agent is required on all eligible macOS devices prior to moving these devices to macOS 11.
>
-> In the meantime, starting with macOS Catalina update 10.15.4, Apple introduced a user facing *Legacy System Extension* warning to signal applications that rely on kernel extensions.
+> The update is applicable to devices running macOS version 10.15.4 or later.
>
-> If you have previously allowed the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to allow the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to allow the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
+> To ensure that the Microsoft Defender ATP for Mac update is delivered and applied seamlessly from an end-user experience perspective, a new remote configuration must be deployed to all eligible macOS devices before Microsoft publishes the new agent version. If the configuration is not deployed prior to the Microsoft Defender ATP for Mac agent update, end-users will be presented with a series of system dialogs asking to grant the agent all necessary permissions associated with the new system extensions.
+>
+> Timing:
+> - Organizations that previously opted into Microsoft Defender ATP preview features in Microsoft Defender Security Center, must be ready for Microsoft Defender ATP for Mac agent update **by August 10, 2020**.
+> - Organizations that do not participate in public previews for Microsoft Defender ATP features, must be ready **by September 07, 2020**.
+>
+> Action is needed by IT administrator. Review the steps below and assess the impact on your organization:
+>
+> 1. Deploy the specified remote configuration to eligible macOS devices before Microsoft publishes the new agent version.
+> Even though Microsoft Defender ATP for Mac new implementation based on system extensions is only applicable to devices running macOS version 10.15.4 or later, deploying configuration proactively across the entire macOS fleet will ensure that even down-level devices are prepared for the day when Apple releases macOS 11 Big Sur and will ensure that Microsoft Defender ATP for Mac continues protecting all macOS devices regardless OS version they were running prior to the Big Sur upgrade.
+>
+> 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md).
+> 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update.
+
+## 101.05.16
+
+- Improvements to quick scan logic to significantly reduce the number of scanned files
+- Added [autocompletion support](mac-resources.md#how-to-enable-autocompletion) for the command-line tool
+- Bug fixes
+
+## 101.03.12
+
+- Performance improvements & bug fixes
## 101.01.54
@@ -82,7 +104,7 @@ ms.topic: conceptual
- Fixed an issue where Microsoft Defender ATP for Mac was sometimes interfering with Time Machine
- Added a new switch to the command-line utility for testing the connectivity with the backend service
```bash
- $ mdatp --connectivity-test
+ mdatp --connectivity-test
```
- Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view)
- Performance improvements & bug fixes
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
new file mode 100644
index 0000000000..022658e40b
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
@@ -0,0 +1,56 @@
+---
+title: Manage Microsoft Defender ATP using Configuration Manager
+description: Learn how to manage Microsoft Defender ATP with Configuration Manager
+keywords: post-migration, manage, operations, maintenance, utilization, Configuration Manager, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Manage Microsoft Defender Advanced Threat Protection with Configuration Manager
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+We recommend using We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) (Intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction) (Configuration Manager) to manage your organization's threat protection features for devices (also referred to as endpoints).
+- [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)
+- [Co-manage Microsoft Defender ATP on Windows 10 devices with Configuration Manager and Intune](manage-atp-post-migration-intune.md)
+
+## Configure Microsoft Defender ATP with Configuration Manager
+
+|Task |Resources to learn more |
+|---------|---------|
+|**Install the Configuration Manager console** if you don't already have it
*If you don't already have the Configuration Manger console, use these resources to get the bits and install it.* |[Get the installation media](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/install/get-install-media)
[Install the Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/install/install-consoles) |
+|**Use Configuration Manager to onboard devices** to Microsoft Defender ATP
*If you have devices (or endpoints) not already onboarded to Microsoft Defender ATP, you can do that with Configuration Manager.* |[Onboard to Microsoft Defender ATP with Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection#about-onboarding-to-atp-with-configuration-manager) |
+|**Manage antimalware policies and Windows Firewall security** for client computers (endpoints)
*Configure endpoint protection features, including Microsoft Defender ATP, exploit protection, application control, antimalware, firewall settings, and more.* |[Configuration Manager: Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection) |
+|**Choose methods for updating antimalware updates** on your organization's devices
*With Endpoint Protection in Configuration Manager, you can choose from several methods to keep antimalware definitions up to date on your organization's devices.* |[Configure definition updates for Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definition-updates)
[Use Configuration Manager to deliver definition updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-configmgr) |
+|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet
*We recommend using [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.* |[Turn on network protection with Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection#microsoft-endpoint-configuration-manager) |
+|**Configure controlled folder access** to protect against ransomware
*Controlled folder access is also referred to as antiransomware protection.* |[Endpoint protection: Controlled folder access](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access)
[Enable controlled folder access in Microsoft Endpoint Configuration Manage](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#microsoft-endpoint-configuration-manager) |
+
+## Configure your Microsoft Defender Security Center
+
+If you haven't already done so, **configure your Microsoft Defender Security Center** ([https://securitycenter.windows.com](https://securitycenter.windows.com)) to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.
+
+You can also configure whether and what features end users can see in the Microsoft Defender Security Center.
+
+- [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
+
+- [Endpoint protection: Microsoft Defender Security Center](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)
+
+## Next steps
+
+- [Get an overview of threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+
+- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
+
+- [Manage Microsoft Defender ATP with Intune](manage-atp-post-migration-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
new file mode 100644
index 0000000000..1e7317f3e8
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
@@ -0,0 +1,62 @@
+---
+title: Manage Microsoft Defender ATP using Group Policy Objects
+description: Learn how to manage Microsoft Defender ATP with Group Policy Objects
+keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Manage Microsoft Defender Advanced Threat Protection with Group Policy Objects
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+> [!NOTE]
+> We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction). **[Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)**.
+
+You can use Group Policy Objects in Azure Active Directory Domain Services to manage some settings in Microsoft Defender ATP.
+
+## Configure Microsoft Defender ATP with Group Policy Objects
+
+The following table lists various tasks you can perform to configure Microsoft Defender ATP with Group Policy Objects.
+
+|Task |Resources to learn more |
+|---------|---------|
+|**Manage settings for user and computer objects**
*Customize built-in Group Policy Objects, or create custom Group Policy Objects and organizational units to suit your organizational needs.* |[Administer Group Policy in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) |
+|**Configure Microsoft Defender Antivirus**
*Configure antivirus features & capabilities, including policy settings, exclusions, remediation, and scheduled scans on your organization's devices (also referred to as endpoints).* |[Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus)
[Use Group Policy to enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-group-policy-to-enable-cloud-delivered-protection) |
+|**Manage your organization's attack surface reduction rules**
*Customize your attack surface reduction rules by excluding files & folders, or by adding custom text to notification alerts that appear on users' devices.* |[Customize attack surface reduction rules with Group Policy Objects](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction#use-group-policy-to-exclude-files-and-folders) |
+|**Manage exploit protection settings**
*You can customize your exploit protection settings, import a configuration file, and then use Group Policy to deploy that configuration file.* |[Customize exploit protection settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection)
[Import, export, and deploy exploit protection configurations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml)
[Use Group Policy to distribute the configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml#use-group-policy-to-distribute-the-configuration) |
+|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet
*We recommend using [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.* |[Turn on network protection using Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection#group-policy) |
+|**Configure controlled folder access** to protect against ransomware
*[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Enable controlled folder access using Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#group-policy) |
+|**Configure Microsoft Defender SmartScreen** to protect against malicious sites and files on the internet. |[Configure Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings using Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings#group-policy-settings) |
+|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings) |
+|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks |[Enable Windows Defender Credential Guard by using Group Policy](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage#enable-windows-defender-credential-guard-by-using-group-policy) |
+
+## Configure your Microsoft Defender Security Center
+
+If you haven't already done so, **configure your Microsoft Defender Security Center** ([https://securitycenter.windows.com](https://securitycenter.windows.com)) to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.
+
+You can also configure whether and what features end users can see in the Microsoft Defender Security Center.
+
+- [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
+
+- [Endpoint protection: Microsoft Defender Security Center](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)
+
+## Next steps
+
+- [Get an overview of threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+
+- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
+
+- [Manage Microsoft Defender ATP with Intune](manage-atp-post-migration-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
new file mode 100644
index 0000000000..6801853a3f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
@@ -0,0 +1,81 @@
+---
+title: Manage Microsoft Defender ATP using Intune
+description: Learn how to manage Microsoft Defender ATP with Intune
+keywords: post-migration, manage, operations, maintenance, utilization, intune, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Manage Microsoft Defender Advanced Threat Protection with Intune
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem), which includes Microsoft Intune (Intune) to manage your organization's threat protection features for devices (also referred to as endpoints). [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview).
+
+This article describes how to find your Microsoft Defender ATP settings in Intune, and lists various tasks you can perform.
+
+## Find your Microsoft Defender ATP settings in Intune
+
+> [!IMPORTANT]
+> You must be a global administrator or service administrator in Intune to configure the settings described in this article. To learn more, see **[Types of administrators (Intune)](https://docs.microsoft.com/mem/intune/fundamentals/users-add#types-of-administrators)**.
+
+1. Go to the Azure portal ([https://portal.azure.com](https://portal.azure.com)) and sign in.
+
+2. Under **Azure Services**, choose **Intune**.
+
+3. In the navigation pane on the left, choose **Device configuration**, and then, under **Manage**, choose **Profiles**.
+
+4. Select an existing profile, or create a new one.
+
+> [!TIP]
+> Need help? See **[Using Microsoft Defender ATP with Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#example-of-using-microsoft-defender-atp-with-intune)**.
+
+## Configure Microsoft Defender ATP with Intune
+
+The following table lists various tasks you can perform to configure Microsoft Defender ATP with Intune. You don't have to configure everything all at once; choose a task, read the corresponding resources, and then proceed.
+
+|Task |Resources to learn more |
+|---------|---------|
+|**Manage your organization's devices using Intune** to protect those devices and data stored on them |[Protect devices with Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect) |
+|**Integrate Microsoft Defender ATP with Intune** as a Mobile Threat Defense solution *(for Android devices and devices running Windows 10 or later)* |[Enforce compliance for Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection) |
+|**Use Conditional Access** to control the devices and apps that can connect to your email and company resources |[Configure Conditional Access in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access) |
+|**Configure Microsoft Defender Antivirus settings** using the Policy configuration service provider ([Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)) |[Device restrictions: Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus)
[Policy CSP - Microsoft Defender ATP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) |
+|**If necessary, specify exclusions for Microsoft Defender Antivirus**
*Generally, you shouldn't need to apply exclusions. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios.* |[Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows](https://support.microsoft.com/help/822158/virus-scanning-recommendations-for-enterprise-computers)
[Device restrictions: Microsoft Defender Antivirus Exclusions for Windows 10 devices](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions)
[Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus)|
+|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers
*Configure your attack surface reduction rules in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.* |[Audit mode in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender)
[Learn more about attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
[Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) |
+|**Configure your network filtering** to block outbound connections from any app to IP addresses or domains with low reputations
*Network filtering is also referred to as [network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection).*
*Make sure that Windows 10 devices have the latest [antimalware platform updates](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform) installed.*|[Endpoint protection: Network filtering](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering)
[Review network protection events in Windows Event Viewer](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection#review-network-protection-events-in-windows-event-viewer) |
+|**Configure controlled folder access** to protect against ransomware
*[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Endpoint protection: Controlled folder access](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access)
[Enable controlled folder access in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#intune) |
+|**Configure exploit protection** to protect your organization's devices from malware that uses exploits to spread and infect other devices
*[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection) is also referred to as Exploit Guard.* |[Endpoint protection: Microsoft Defender Exploit Guard](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-exploit-guard)
[Enable exploit protection in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection#intune) |
+|**Configure Microsoft Defender SmartScreen** to protect against malicious sites and files on the internet.
*Microsoft Edge should be installed on your organization's devices. For protection on Google Chrome and FireFox browsers, configure exploit protection.* |[Microsoft Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)
[Device restrictions: Microsoft Defender SmartScreen](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-smartscreen)
[Policy settings for managing SmartScreen in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings#mdm-settings) |
+|**Configure Microsoft Defender Firewall** to block unauthorized network traffic flowing into or out of your organization's devices |[Endpoint protection: Microsoft Defender Firewall](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-firewall)
[Microsoft Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security) |
+|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[Endpoint protection: Windows Encryption](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#windows-encryption)
[BitLocker for Windows 10 devices](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) |
+|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks |For Windows 10, Windows Server 2016, and Windows Server 2019, see [Endpoint protection: Microsoft Defender Credential Guard](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-credential-guard)
For Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, and Windows Server 2012 R2, see [Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Versions 1 and 2](https://www.microsoft.com/download/details.aspx?id=36036) |
+|**Configure Microsoft Defender Application Control** to choose whether to audit or trust apps on your organization's devices
*Microsoft Defender Application Control is also referred to as [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).*|[Deploy Microsoft Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune)
[Endpoint protection: Microsoft Defender Application Control](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-application-control)
[AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp)|
+|**Configure device control and USB peripherals access** to help prevent threats in unauthorized peripherals from compromising your devices |[Control USB devices and other removable media using Microsoft Defender ATP and Intune](https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune) |
+
+## Configure your Microsoft Defender Security Center
+
+If you haven't already done so, **configure your Microsoft Defender Security Center** ([https://securitycenter.windows.com](https://securitycenter.windows.com)) to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.
+
+You can also configure whether and what features end users can see in the Microsoft Defender Security Center.
+
+- [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
+
+- [Endpoint protection: Microsoft Defender Security Center](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)
+
+## Next steps
+
+- [Get an overview of threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+
+- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
new file mode 100644
index 0000000000..245b969459
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
@@ -0,0 +1,85 @@
+---
+title: Manage Microsoft Defender ATP using PowerShell, WMI, and MPCmdRun.exe
+description: Learn how to manage Microsoft Defender ATP with PowerShell, WMI, and MPCmdRun.exe
+keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, WMI, MPCmdRun.exe, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Manage Microsoft Defender Advanced Threat Protection with PowerShell, WMI, and MPCmdRun.exe
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+> [!NOTE]
+> We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction).
+> - [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)
+> - [Co-manage Microsoft Defender ATP on Windows 10 devices with Configuration Manager and Intune](manage-atp-post-migration-intune.md)
+> - [Manage Microsoft Defender ATP with Intune](manage-atp-post-migration-intune.md)
+
+You can manage some Microsoft Defender Antivirus settings on devices with [PowerShell](#configure-microsoft-defender-atp-with-powershell), [Windows Management Instrumentation](#configure-microsoft-defender-atp-with-windows-management-instrumentation-wmi) (WMI), and the [Microsoft Malware Protection Command Line Utility](#configure-microsoft-defender-atp-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe) (MPCmdRun.exe). For example, you can manage some Microsoft Defender Antivirus settings. And, in some cases, you can customize your attack surface reduction rules and exploit protection settings.
+
+> [!IMPORTANT]
+> Threat protection features that you configure by using PowerShell, WMI, or MCPmdRun.exe can be overwritten by configuration settings that are deployed with Intune or Configuration Manager.
+
+## Configure Microsoft Defender ATP with PowerShell
+
+You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules.
+
+|Task |Resources to learn more |
+|---------|---------|
+|**Manage Microsoft Defender Antivirus**
*View status of antimalware protection, configure preferences for antivirus scans & updates, and make other changes to your antivirus protection.* |[Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus)
[Use PowerShell cmdlets to enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-powershell-cmdlets-to-enable-cloud-delivered-protection) |
+|**Configure exploit protection** to mitigate threats on your organization's devices
*We recommend using exploit protection in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection#powershell) at first. That way, you can see how exploit protection affects apps your organization is using.* | [Customize exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection)
[PowerShell cmdlets for exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection#powershell-reference) |
+|**Configure attack surface reduction rules** with PowerShell
*You can use PowerShell to exclude files and folders from attack surface reduction rules.* |[Customize attack surface reduction rules: Use PowerShell to exclude files & folders](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction#use-powershell-to-exclude-files-and-folders)
Also, see [António Vasconcelo's graphical user interface tool for setting attack surface reduction rules with PowerShell](https://github.com/anvascon/MDATP_PoSh_Scripts/tree/master/ASR%20GUI). |
+|**Enable Network Protection** with PowerShell
*You can use PowerShell to enable Network Protection.* |[Turn on Network Protection with PowerShell](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection#powershell) |
+|**Configure controlled folder access** to protect against ransomware
*[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Enable controlled folder access with PowerShell](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#powershell) |
+|**Configure Microsoft Defender Firewall** to block unauthorized network traffic flowing into or out of your organization's devices |[Microsoft Defender Firewall with Advanced Security Administration using Windows PowerShell](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell) |
+|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[BitLocker PowerShell reference guide](https://docs.microsoft.com/powershell/module/bitlocker/?view=win10-ps) |
+
+## Configure Microsoft Defender ATP with Windows Management Instrumentation (WMI)
+
+WMI is a scripting interface that allows you to retrieve, modify, and update settings. To learn more, see [Using WMI](https://docs.microsoft.com/windows/win32/wmisdk/using-wmi).
+
+|Task |Resources to learn more |
+|---------|---------|
+|**Enable cloud-delivered protection** on a device |[Use Windows Management Instruction (WMI) to enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-windows-management-instruction-wmi-to-enable-cloud-delivered-protection) |
+|**Retrieve, modify, and update settings** for Microsoft Defender Antivirus | [Use WMI to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus)
[Review the list of available WMI classes and example scripts](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
Also see the archived [Windows Defender WMIv2 Provider reference information](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal?redirectedfrom=MSDN) |
+
+
+## Configure Microsoft Defender ATP with Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe)
+
+On an individual device, you can run a scan, start diagnostic tracing, check for security intelligence updates, and more using the mpcmdrun.exe command-line tool. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. Run it from a command prompt.
+
+|Task |Resources to learn more |
+|---------|---------|
+|**Manage Microsoft Defender Antivirus** |[Configure and manage Microsoft Defender Antivirus with mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) |
+
+## Configure your Microsoft Defender Security Center
+
+If you haven't already done so, **configure your Microsoft Defender Security Center** ([https://securitycenter.windows.com](https://securitycenter.windows.com)) to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.
+
+You can also configure whether and what features end users can see in the Microsoft Defender Security Center.
+
+- [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
+
+- [Endpoint protection: Microsoft Defender Security Center](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)
+
+
+## Next steps
+
+- [Get an overview of threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+
+- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
+
+- [Manage Microsoft Defender ATP with Intune](manage-atp-post-migration-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
new file mode 100644
index 0000000000..f716c99579
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
@@ -0,0 +1,37 @@
+---
+title: Manage Microsoft Defender ATP post migration
+description: Now that you've made the switch to Microsoft Defender ATP, your next step is to manage your threat protection features
+keywords: post-migration, manage, operations, maintenance, utilization, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Manage Microsoft Defender Advanced Threat Protection, post migration
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+After you have moved from your previous endpoint protection and antivirus solution to Microsoft Defender ATP, your next step is to manage your features and capabilities. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction), to manage your organization's devices and security settings. However, you can use other tools/methods, such as [Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy).
+
+The following table lists various tools/methods you can use, with links to learn more.
+
+
+|Tool/Method |Description |
+|---------|---------|
+|**[Threat and vulnerability management dashboard insights](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights)** in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) |The threat & vulnerability management dashboard provides actionable information that your security operations team can use to reduce exposure and improve your organization's security posture.
See [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) and [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use). |
+|**[Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune)** (recommended) |Microsoft Intune (Intune), a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), focuses on mobile device management (MDM) and mobile application management (MAM). With Intune, you control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications.
See [Manage Microsoft Defender ATP using Intune](manage-atp-post-migration-intune.md). |
+|**[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction)** |Microsoft Endpoint Configuration Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software.
See [Manage Microsoft Defender ATP with Configuration Manager](manage-atp-post-migration-configuration-manager.md). |
+|**[Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs).
See [Manage Microsoft Defender ATP with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). |
+|**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.*
You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender ATP with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-atp-with-powershell).
You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender ATP with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-atp-with-windows-management-instrumentation-wmi).
You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender ATP with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-atp-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). |
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index d1823bc880..913a4d215c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -63,6 +63,8 @@ In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and
## Next steps
+- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
+
- [View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center)
- [Get an overview of live response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/live-response)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
index a0dcdc9364..3512070e46 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
@@ -67,6 +67,9 @@ You can specify the file names that you want to be excluded in a specific direct
4. Click **Save**.
+>[!NOTE]
+> Live Response commands to collect or examine excluded files will fail with error: "File is excluded". In addition, automated investigations will ignore the excluded items.
+
## Edit an automation folder exclusion
1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
index 249d6de806..8ee9cd8e12 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
@@ -29,12 +29,20 @@ Managing incidents is an important part of every cybersecurity operation. You ca
Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details.
-
+
-You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress.
+You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress.
-
+> [!TIP]
+> For additional visibility at-a-glance, automatic incident naming, currently in public preview, generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident.
+>
+> For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
+>
+> Incidents that existed prior the rollout of automatic incident naming will not have their name changed.
+>
+> Learn more about [turning on preview features](preview.md#turn-on-preview-features).
+
## Assign incidents
If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index e17e4280c2..081eb65201 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -1,6 +1,6 @@
---
-title: Create indicators
-ms.reviewer:
+title: Create indicators
+ms.reviewer:
description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
keywords: manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh
@@ -14,11 +14,11 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
---
-# Create indicators
+# Create indicators
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -40,10 +40,10 @@ The same list of indicators is honored by the prevention agent. Meaning, if Micr
**Automated investigation and remediation engine**
The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as "bad".
-
+
The current supported actions are:
-- Allow
+- Allow
- Alert only
- Alert and block
@@ -55,7 +55,7 @@ You can create an indicator for:
>[!NOTE]
->There is a limit of 15,000 indicators per tenant.
+>There is a limit of 15,000 indicators per tenant.
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index b20e6bfe22..d4d253fe83 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Microsoft Defender Advanced Threat Protection
description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise endpoint security platform that helps defend against advanced persistent threats.
-keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
+keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -52,7 +52,7 @@ Microsoft Defender ATP uses the following combination of technology built into W
@@ -87,8 +87,8 @@ The attack surface reduction set of capabilities provide the first line of defen
-**[Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**
-To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
+**[Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**
+To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats.
@@ -136,4 +136,4 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
## Related topic
-[Microsoft Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats)
+[Microsoft Defender ATP helps detect sophisticated threats](https://www.microsoft.com/en-us/itshowcase/microsoft-defender-atps-antivirus-capabilities-boost-malware-protection)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
index b2b8409121..12f56bc412 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
@@ -27,7 +27,7 @@ ms.topic: conceptual
>
> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
>
-> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Linux onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today.
+> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Android onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today.
This topic describes how to install, configure, update, and use Microsoft Defender ATP for Android.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
index 425c0389da..b2b4bdcfae 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@@ -65,7 +65,7 @@ If you experience any installation failures, refer to [Troubleshooting installat
> [!CAUTION]
> Running Microsoft Defender ATP for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
-- Disk space: 650 MB
+- Disk space: 1GB
- The solution currently provides real-time protection for the following file system types:
- `btrfs`
@@ -89,14 +89,15 @@ After you've enabled the service, you may need to configure your network or fire
### Network connections
-The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
+The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
+
+
+
+|**Item**|**Description**|
+|:-----|:-----|
+|[](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
+
-| Service location | DNS record |
-| ---------------------------------------- | ----------------------- |
-| Common URLs for all locations | x.cp.wd.microsoft.com cdn.x.cp.wd.microsoft.com eu-cdn.x.cp.wd.microsoft.com wu-cdn.x.cp.wd.microsoft.com officecdn-microsoft-com.akamaized.net crl.microsoft.com events.data.microsoft.com |
-| European Union | europe.x.cp.wd.microsoft.com eu-v20.events.data.microsoft.com usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net |
-| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com uk-v20.events.data.microsoft.com ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net |
-| United States | unitedstates.x.cp.wd.microsoft.com us-v20.events.data.microsoft.com ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net |
> [!NOTE]
> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
index 5d2922bccc..62d68dcdee 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@@ -61,7 +61,7 @@ There are several methods and deployment tools that you can use to install and c
The three most recent major releases of macOS are supported.
- 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra)
-- Disk space: 650 MB
+- Disk space: 1GB
Beta versions of macOS are not supported. macOS Sierra (10.12) support ended on January 1, 2020.
@@ -69,18 +69,19 @@ After you've enabled the service, you may need to configure your network or fire
### Network connections
-The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
+The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
+
+
+
+|**Item**|**Description**|
+|:-----|:-----|
+|[](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
+
-| Service location | DNS record |
-| ---------------------------------------- | ----------------------- |
-| Common URLs for all locations | x.cp.wd.microsoft.com cdn.x.cp.wd.microsoft.com eu-cdn.x.cp.wd.microsoft.com wu-cdn.x.cp.wd.microsoft.com officecdn-microsoft-com.akamaized.net crl.microsoft.com events.data.microsoft.com |
-| European Union | europe.x.cp.wd.microsoft.com eu-v20.events.data.microsoft.com usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net winatp-gw-weu.microsoft.com winatp-gw-neu.microsoft.com |
-| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com uk-v20.events.data.microsoft.com ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net winatp-gw-ukw.microsoft.com winatp-gw-uks.microsoft.com |
-| United States | unitedstates.x.cp.wd.microsoft.com us-v20.events.data.microsoft.com ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net winatp-gw-cus.microsoft.com winatp-gw-eus.microsoft.com |
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
-- Proxy auto-config (PAC)
-- Web Proxy Auto-discovery Protocol (WPAD)
+- Proxy autoconfig (PAC)
+- Web Proxy Autodiscovery Protocol (WPAD)
- Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.
@@ -95,7 +96,7 @@ To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/ap
If you prefer the command line, you can also check the connection by running the following command in Terminal:
```bash
-$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
The output from this command should be similar to the following:
@@ -109,7 +110,7 @@ The output from this command should be similar to the following:
Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal:
```bash
-$ mdatp --connectivity-test
+mdatp --connectivity-test
```
## How to update Microsoft Defender ATP for Mac
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index 0040889daa..b3d3eb3ef8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -28,7 +28,7 @@ There are some minimum requirements for onboarding devices to the service. Learn
> [!TIP]
-> - Learn about the latest enhancements in Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced).
+> - Learn about the latest enhancements in Microsoft Defender ATP: [Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced).
> - Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
## Licensing requirements
@@ -42,6 +42,9 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
> [!NOTE]
> Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices.
+> Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed.
+
+
Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options:
@@ -51,7 +54,7 @@ Microsoft Defender Advanced Threat Protection, on Windows Server, requires one o
> [!NOTE]
> Customers with a combined minimum of 50 licenses for one or more of the following may acquire Server SLs for Microsoft Defender Advanced Threat Protection for Servers (one per covered Server OSE): Microsoft Defender Advanced Threat Protection, Windows E5/A5, Microsoft 365 E5/A5 and Microsoft 365 E5 Security User SLs. This license applies to Microsoft Defender ATP for Linux.
-For detailed licensing information, see the [Product terms page](https://www.microsoft.com/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product.
+For detailed licensing information, see the [Product Terms site](https://www.microsoft.com/licensing/terms/) and work with your account team to learn the detailed terms and conditions for the product.
For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
@@ -89,22 +92,23 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo
Devices on your network must be running one of these editions.
-The hardware requirements for Microsoft Defender ATP on devices is the same as those for the supported editions.
+The hardware requirements for Microsoft Defender ATP on devices are the same for the supported editions.
> [!NOTE]
> Machines running mobile versions of Windows are not supported.
>
-> Virtual Machines running Windows 10 Enterprise 2016 LTSC (which is based on Windows 10, version 1607) may encounter performance issues if run on non-Microsoft virtualization platforms.
+> Virtual Machines running Windows 10 Enterprise 2016 LTSB (which is based on Windows 10, version 1607) may encounter performance issues if run on non-Microsoft virtualization platforms.
>
> For virtual environments, we recommend using Windows 10 Enterprise LTSC 2019 (which is based on Windows 10, version 1809) or later.
### Other supported operating systems
-- macOSX
+- Android
- Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux)
+- macOS
> [!NOTE]
-> You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP for the integration to work.
+> You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Microsoft Defender ATP for the integration to work.
>
> Also note that Microsoft Defender ATP is currently only available in the Public Preview Edition for Linux.
@@ -122,47 +126,48 @@ When you run the onboarding wizard for the first time, you must choose where you
> [!NOTE]
> Microsoft Defender ATP doesn't require any specific diagnostic level as long as it's enabled.
-You must ensure that the diagnostic data service is enabled on all the devices in your organization.
-By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
+Make sure that the diagnostic data service is enabled on all the devices in your organization.
+By default, this service is enabled. It's good practice to check to ensure that you'll get sensor data from them.
**Use the command line to check the Windows 10 diagnostic data service startup type**:
1. Open an elevated command-line prompt on the device:
- a. Go to **Start** and type **cmd**.
+ 1. Go to **Start** and type **cmd**.
- b. Right-click **Command prompt** and select **Run as administrator**.
+ 1. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
- ```text
+ ```console
sc qc diagtrack
```
- If the service is enabled, then the result should look like the following screenshot:
+ If the service is enabled, then the result should look like the following screenshot:
- 
+ 
-If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
+
+You'll need to set the service to automatically start if the **START_TYPE** is not set to **AUTO_START**.
**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
1. Open an elevated command-line prompt on the endpoint:
- a. Go to **Start** and type **cmd**.
+ 1. Go to **Start** and type **cmd**.
- b. Right-click **Command prompt** and select **Run as administrator**.
+ 1. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
- ```text
+ ```console
sc config diagtrack start=auto
```
3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
- ```text
+ ```console
sc qc diagtrack
```
@@ -170,7 +175,7 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
#### Internet connectivity
Internet connectivity on devices is required either directly or through proxy.
-The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.
+The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5 MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.
For more information on additional proxy configuration settings, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
@@ -180,9 +185,11 @@ Before you onboard devices, the diagnostic data service must be enabled. The ser
## Microsoft Defender Antivirus configuration requirement
The Microsoft Defender ATP agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them.
-You must configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
+Configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
-When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode. If your organization has disabled Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded to Microsoft Defender ATP must be excluded from this group policy.
+When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode.
+
+If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy.
If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index eb56826c55..9453feda1e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -3,7 +3,6 @@ title: Use network protection to help prevent connections to bad sites
description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
keywords: Network protection, exploits, malicious website, ip, domain, domains
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 81a12f3806..3eb07ed66d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -1,5 +1,5 @@
---
-title: Threat & Vulnerability Management
+title: Threat and vulnerability management
description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, microsoft defender atp, microsoft defender atp, endpoint vulnerabilities, next generation
search.product: eADQiWindows 10XVcnh
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Threat & Vulnerability Management
+# Threat and vulnerability management
**Applies to:**
@@ -25,21 +25,21 @@ ms.topic: conceptual
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
+Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
-It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
+Discover vulnerabilities and misconfigurations in real time with sensors, and without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
-Watch this video for a quick overview of Threat & Vulnerability Management.
+Watch this video for a quick overview of threat and vulnerability management.
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4mLsn]
-## Next-generation capabilities
+## Bridging the workflow gaps
-Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base.
+Threat and vulnerability management is built in, real time, and cloud powered. It's fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base.
-It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft Microsoft Endpoint Configuration Manager.
+Vulnerability management is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. Create a security task or ticket by integrating with Microsoft Intune and Microsoft Endpoint Configuration Manager.
-It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
+It provides the following solutions to frequently cited gaps across security operations, security administration, and IT administration workflows and communication:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Linked device vulnerability and security configuration assessment data in the context of exposure discovery
@@ -47,7 +47,9 @@ It provides the following solutions to frequently-cited gaps across security ope
### Real-time discovery
-To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides:
+To discover endpoint vulnerabilities and misconfiguration, threat and vulnerability management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead.
+
+It also provides:
- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
- Visibility into software and vulnerabilities. Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
@@ -56,20 +58,26 @@ To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerabilit
### Intelligence-driven prioritization
-Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context:
+Threat and vulnerability management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, threat and vulnerability management highlights the most critical weaknesses that need attention. It fuses security recommendations with dynamic threat and business context:
-- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
-- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
-- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed devices with business-critical applications, confidential data, or high-value users.
+- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, threat and vulnerability management dynamically aligns the prioritization of its security recommendations. It focuses on vulnerabilities currently being exploited in the wild and emerging threats that pose the highest risk.
+- Pinpointing active breaches. Microsoft Defender ATP correlates threat and vulnerability management and EDR insights to prioritize vulnerabilities being exploited in an active breach within the organization.
+- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows threat and vulnerability management to identify the exposed devices with business-critical applications, confidential data, or high-value users.
### Seamless remediation
-Microsoft Defender ATP's Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
+Microsoft Defender ATP's threat and vulnerability management capability allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
- Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
-- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
+- Alternate mitigations. Threat and vulnerability management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
+## Reduce organizational risk with threat and vulnerability management
+
+Watch this video for a comprehensive walk-through of threat and vulnerability management.
+
+>[!VIDEO https://aka.ms/MDATP-TVM-Interactive-Guide]
+
## Before you begin
Ensure that your devices:
@@ -78,7 +86,7 @@ Ensure that your devices:
- Run with Windows 10 1709 (Fall Creators Update) or later
>[!NOTE]
->Threat & Vulnerability Management can also scan devices that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
+>Threat and vulnerability management can also scan devices that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:
@@ -89,13 +97,14 @@ Ensure that your devices:
> Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
> Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
-- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
+- Are onboarded to [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure). If you're using Configuration Manager, update your console to the latest version.
- Have at least one security recommendation that can be viewed in the device page
-- Are tagged or marked as co-managed
+- Are tagged or marked as co-managed
## APIs
-Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
+Run threat and vulnerability management-related API calls to automate vulnerability management workflows. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
+
See the following topics for related APIs:
- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
@@ -104,11 +113,12 @@ See the following topics for related APIs:
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)
+- [List vulnerabilities by machine and software](get-all-vulnerabilities-by-machines.md)
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
+- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
@@ -118,5 +128,5 @@ See the following topics for related APIs:
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
index 65e82f7f8a..9a0498b504 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
@@ -37,7 +37,12 @@ Follow the corresponding instructions depending on your preferred deployment met
- [Offboard devices using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-devices-using-mobile-device-management-tools)
## Offboard Servers
-- [Offboard servers](configure-server-endpoints.md#offboard-servers)
+- [Offboard servers](configure-server-endpoints.md#offboard-windows-servers)
## Offboard non-Windows devices
- [Offboard non-Windows devices](configure-endpoints-non-windows.md#offboard-non-windows-devices)
+
+>[!NOTE]
+> Offboarded devices will remain in the portal until [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) for the device's data expires. The status will be switched to ['Inactive'](fix-unhealthy-sensors.md#inactive-devices) 7 days after offboarding.
+> In addition, [Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's threat and vulnerability management exposure score and Microsoft Secure Score for Devices.](tvm-dashboard-insights.md)
+> To view only active devices, you can filter by [health state](machines-view-overview.md#health-state) or by [device tags](machine-tags.md) and [groups](machine-groups.md) etc.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
deleted file mode 100644
index b1e6285e7e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
+++ /dev/null
@@ -1,528 +0,0 @@
-# [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md)
-
-## [Overview]()
-### [Overview of Microsoft Defender ATP capabilities](overview.md)
-### [Threat & Vulnerability Management]()
-#### [Next-generation capabilities](next-gen-threat-and-vuln-mgt.md)
-#### [What's in the dashboard and what it means for my organization](tvm-dashboard-insights.md)
-#### [Exposure score](tvm-exposure-score.md)
-#### [Configuration score](configuration-score.md)
-#### [Security recommendation](tvm-security-recommendation.md)
-#### [Remediation](tvm-remediation.md)
-#### [Software inventory](tvm-software-inventory.md)
-#### [Weaknesses](tvm-weaknesses.md)
-#### [Scenarios](threat-and-vuln-mgt-scenarios.md)
-
-
-### [Attack surface reduction]()
-#### [Hardware-based isolation]()
-##### [Hardware-based isolation in Windows 10](overview-hardware-based-isolation.md)
-
-##### [Application isolation]()
-###### [Application guard overview](../windows-defender-application-guard/wd-app-guard-overview.md)
-###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md)
-
-##### [System integrity](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
-
-#### [Application control]()
-##### [Windows Defender Application Guard](../windows-defender-application-control/windows-defender-application-control.md)
-
-#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md)
-#### [Network protection](../windows-defender-exploit-guard/network-protection.md)
-#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders.md)
-#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction.md)
-#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md)
-
-
-### [Next generation protection](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
-
-
-### [Endpoint detection and response]()
-#### [Endpoint detection and response overview](overview-endpoint-detection-response.md)
-#### [Security operations dashboard](security-operations-dashboard.md)
-
-#### [Incidents queue]()
-##### [View and organize the Incidents queue](view-incidents-queue.md)
-##### [Manage incidents](manage-incidents.md)
-##### [Investigate incidents](investigate-incidents.md)
-
-#### [Alerts queue]()
-##### [View and organize the Alerts queue](alerts-queue.md)
-##### [Manage alerts](manage-alerts.md)
-##### [Investigate alerts](investigate-alerts.md)
-##### [Investigate files](investigate-files.md)
-##### [Investigate machines](investigate-machines.md)
-##### [Investigate an IP address](investigate-ip.md)
-##### [Investigate a domain](investigate-domain.md)
-##### [Investigate a user account](investigate-user.md)
-
-#### [Machines list]()
-##### [View and organize the Machines list](machines-view-overview.md)
-
-##### [Investigate machines]()
-###### [Machine details](investigate-machines.md#machine-details)
-###### [Response actions](investigate-machines.md#response-actions)
-###### [Cards](investigate-machines.md#cards)
-###### [Tabs](investigate-machines.md#tabs)
-
-#### [Take response actions]()
-##### [Take response actions on a machine]()
-###### [Understand response actions](respond-machine-alerts.md)
-###### [Manage tags](respond-machine-alerts.md#manage-tags)
-###### [Initiate Automated Investigation](respond-machine-alerts.md#initiate-automated-investigation)
-###### [Initiate Live Response Session](respond-machine-alerts.md#initiate-live-response-session)
-###### [Collect investigation package from machines](respond-machine-alerts.md#collect-investigation-package-from-machines)
-###### [Run Microsoft Defender Antivirus scan on machines](respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-machines)
-###### [Restrict app execution](respond-machine-alerts.md#restrict-app-execution)
-###### [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network)
-###### [Check activity details in Action center](respond-machine-alerts.md#check-activity-details-in-action-center)
-
-##### [Take response actions on a file]()
-###### [Understand response actions](respond-file-alerts.md)
-###### [Stop and quarantine files in your network](respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
-###### [Restore file from quarantine](respond-file-alerts.md#restore-file-from-quarantine)
-###### [Add an indicator to block or allow a file](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
-###### [Deep analysis](respond-file-alerts.md#deep-analysis)
-
-##### [Live response]()
-###### [Investigate entities on machines](live-response.md)
-###### [Live response command examples](live-response-command-examples.md)
-
-
-### [Automated investigation and remediation]()
-#### [Understand Automated investigations](automated-investigations.md)
-#### [Learn about the automated investigation and remediation dashboard](manage-auto-investigation.md)
-#### [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md)
-
-
-### [Threat analytics](threat-analytics.md)
-
-
-### [Microsoft Threat Experts](microsoft-threat-experts.md)
-
-
-### [Advanced hunting]()
-#### [Advanced hunting overview](advanced-hunting-overview.md)
-
-#### [Query data using Advanced hunting]()
-##### [Data querying basics](advanced-hunting-query-language.md)
-##### [Advanced hunting reference](advanced-hunting-schema-reference.md)
-##### [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
-
-#### [Custom detections]()
-##### [Understand custom detection rules](overview-custom-detections.md)
-##### [Create custom detections rules](custom-detection-rules.md)
-
-### [Management and APIs]()
-#### [Overview of management and APIs](management-apis.md)
-#### [Understand threat intelligence concepts](threat-indicator-concepts.md)
-#### [Microsoft Defender ATP APIs](apis-intro.md)
-#### [Managed security service provider support](mssp-support.md)
-
-
-### [Integrations]()
-#### [Microsoft Defender ATP integrations](threat-protection-integration.md)
-#### [Conditional Access integration overview](conditional-access.md)
-#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md)
-
-#### [Information protection in Windows overview]()
-##### [Windows integration](information-protection-in-windows-overview.md)
-##### [Use sensitivity labels to prioritize incident response](information-protection-investigation.md)
-
-
-### [Microsoft Threat Experts](microsoft-threat-experts.md)
-
-
-### [Portal overview](portal-overview.md)
-
-
-
-## [Get started]()
-### [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md)
-### [Preview features](preview.md)
-### [Evaluation lab](evaluation-lab.md)
-### [Minimum requirements](minimum-requirements.md)
-### [Validate licensing and complete setup](licensing.md)
-
-### [Data storage and privacy](data-storage-privacy.md)
-### [Assign user access to the portal](assign-portal-access.md)
-
-### [Evaluate Microsoft Defender ATP capabilities]()
-#### [Evaluate attack surface reduction]()
-
-##### [Evaluate attack surface reduction and next-generation capabilities](evaluate-atp.md)
-###### [Hardware-based isolation](../windows-defender-application-guard/test-scenarios-wd-app-guard.md)
-###### [Application control](../windows-defender-application-control/audit-windows-defender-application-control-policies.md)
-###### [Exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
-###### [Network Protection](../windows-defender-exploit-guard/evaluate-network-protection.md)
-###### [Controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
-###### [Attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
-###### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
-##### [Evaluate next generation protection](../microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md)
-
-### [Access the Microsoft Defender Security Center Community Center](community.md)
-
-## [Configure and manage capabilities]()
-
-### [Configure attack surface reduction](configure-attack-surface-reduction.md)
-
-### [Hardware-based isolation]()
-#### [System integrity](../windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
-
-#### [Application isolation]()
-##### [Install Windows Defender Application Guard](../windows-defender-application-guard/install-wd-app-guard.md)
-##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md)
-
-#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
-
-#### [Device control]()
-##### [Control USB devices](../device-control/control-usb-devices-using-intune.md)
-
-##### [Device Guard]()
-###### [Code integrity](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-
-###### [Memory integrity]()
-####### [Understand memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
-####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
-
-#### [Exploit protection]()
-##### [Enable exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
-##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
-
-#### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md)
-
-#### [Controlled folder access]()
-##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders.md)
-##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders.md)
-
-#### [Attack surface reduction controls]()
-##### [Enable attack surface reduction rules](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
-##### [Customize attack surface reduction rules](../windows-defender-exploit-guard/customize-attack-surface-reduction.md)
-
-#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
-
-
-### [Configure next generation protection]()
-#### [Configure Microsoft Defender Antivirus features](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md)
-#### [Utilize Microsoft cloud-delivered protection]()
-##### [Understand cloud-delivered protection](../microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
-##### [Enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md)
-##### [Specify the cloud-delivered protection level](../microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md)
-##### [Configure and validate network connections](../microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md)
-##### [Enable Block at first sight](../microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md)
-##### [Configure the cloud block timeout period](../microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
-
-#### [Configure behavioral, heuristic, and real-time protection]()
-##### [Configuration overview](../microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md)
-##### [Detect and block potentially unwanted applications](../microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
-##### [Enable and configure always-on protection and monitoring](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md)
-
-#### [Antivirus on Windows Server 2016](../microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
-
-#### [Antivirus compatibility]()
-##### [Compatibility charts](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
-##### [Use limited periodic antivirus scanning](../microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md)
-
-#### [Deploy, manage updates, and report on antivirus]()
-##### [Using Microsoft Defender Antivirus](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
-
-##### [Deploy and enable antivirus]()
-###### [Preparing to deploy](../microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md)
-###### [Deployment guide for VDI environments](../microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
-
-##### [Report on antivirus protection]()
-###### [Review protection status and aqlerts](../microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
-###### [Troubleshoot antivirus reporting in Update Compliance](../microsoft-defender-antivirus/troubleshoot-reporting.md)
-
-##### [Manage updates and apply baselines]()
-###### [Learn about the different kinds of updates](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
-###### [Manage protection and Security intelligence updates](../microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
-###### [Manage when protection updates should be downloaded and applied](../microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
-###### [Manage updates for endpoints that are out of date](../microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
-###### [Manage event-based forced updates](../microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
-###### [Manage updates for mobile devices and VMs](../microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
-
-#### [Customize, initiate, and review the results of scans and remediation]()
-##### [Configuration overview](../microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-
-##### [Configure and validate exclusions in antivirus scans]()
-###### [Exclusions overview](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](../microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-###### [Configure antivirus exclusions Windows Server 2016](../microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-
-##### [Configure antivirus scanning options](../microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
-##### [Configure remediation for scans](../microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
-##### [Configure scheduled scans](../microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-##### [Configure and run scans](../microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
-##### [Review scan results](../microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
-##### [Run and review the results of an offline scan](../microsoft-defender-antivirus/windows-defender-offline.md)
-
-#### [Restore quarantined files](../microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
-
-#### [Manage antivirus in your business]()
-##### [Management overview](../microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
-##### [Use Group Policy settings to configure and manage antivirus](../microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
-##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](../microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
-##### [Use PowerShell cmdlets to configure and manage antivirus](../microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
-##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](../microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
-##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](../microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
-
-#### [Manage scans and remediation]()
-##### [Management overview](../microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-
-##### [Configure and validate exclusions in antivirus scans]()
-###### [Exclusions overview](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](../microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-###### [Configure antivirus exclusions on Windows Server 2016](../microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-
-##### [Configure scanning options](../microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
-##### [Configure remediation for scans](../microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
-##### [Configure scheduled scans](../microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-##### [Configure and run scans](../microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
-##### [Review scan results](../microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
-##### [Run and review the results of an offline scan](../microsoft-defender-antivirus/windows-defender-offline.md)
-##### [Restore quarantined files](../microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
-
-#### [Manage next generation protection in your business]()
-##### [Management overview](../microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
-##### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](../microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
-##### [Use Group Policy settings to manage next generation protection](../microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
-##### [Use PowerShell cmdlets to manage next generation protection](../microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
-##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](../microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
-##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
-
-
-
-### [Configure and manage Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)
-
-
-### [Endpoint detection and response management and API support]()
-
-#### [Onboard machines]()
-##### [Onboarding overview](onboard-configure.md)
-##### [Onboard previous versions of Windows](onboard-downlevel.md)
-
-##### [Onboard Windows 10 machines]()
-###### [Ways to onboard](configure-endpoints.md)
-###### [Onboard machines using Group Policy](configure-endpoints-gp.md)
-###### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm.md)
-
-###### [Onboard machines using Mobile Device Management tools]()
-####### [Overview](configure-endpoints-mdm.md)
-####### [Onboard machines using Microsoft Intune](configure-endpoints-mdm.md#onboard-machines-using-microsoft-intune)
-###### [Onboard machines using a local script](configure-endpoints-script.md)
-###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
-
-##### [Onboard servers](configure-server-endpoints.md)
-##### [Onboard non-Windows machines](configure-endpoints-non-windows.md)
-##### [Onboard machines without Internet access](onboard-offline-machines.md)
-##### [Run a detection test on a newly onboarded machine](run-detection-test.md)
-##### [Run simulated attacks on machines](attack-simulations.md)
-##### [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)
-
-##### [Troubleshoot onboarding issues]()
-###### [Troubleshooting basics](troubleshoot-onboarding.md)
-###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages.md)
-
-#### [Microsoft Defender ATP API]()
-##### [Understand Microsoft Defender ATP APIs](use-apis.md)
-##### [Microsoft Defender ATP API license and terms](api-terms-of-use.md)
-
-##### [Get started]()
-###### [Introduction](apis-intro.md)
-###### [Hello World](api-hello-world.md)
-###### [Get access with application context](exposed-apis-create-app-webapp.md)
-###### [Get access with user context](exposed-apis-create-app-nativeapp.md)
-###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
-
-##### [APIs]()
-###### [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
-###### [Common REST API error codes](common-errors.md)
-###### [Advanced Hunting](run-advanced-query-api.md)
-
-###### [Alert]()
-####### [Methods, properties, and JSON representation](alerts.md)
-####### [List alerts](get-alerts.md)
-####### [Create alert](create-alert-by-reference.md)
-####### [Update Alert](update-alert.md)
-####### [Get alert information by ID](get-alert-info-by-id.md)
-####### [Get alert related domains information](get-alert-related-domain-info.md)
-####### [Get alert related file information](get-alert-related-files-info.md)
-####### [Get alert related IPs information](get-alert-related-ip-info.md)
-####### [Get alert related machine information](get-alert-related-machine-info.md)
-####### [Get alert related user information](get-alert-related-user-info.md)
-
-###### [Machine]()
-####### [Methods and properties](machine.md)
-####### [List machines](get-machines.md)
-####### [Get machine by ID](get-machine-by-id.md)
-####### [Get machine log on users](get-machine-log-on-users.md)
-####### [Get machine related alerts](get-machine-related-alerts.md)
-####### [Add or Remove machine tags](add-or-remove-machine-tags.md)
-####### [Find machines by IP](find-machines-by-ip.md)
-
-###### [Machine Action]()
-####### [Methods and properties](machineaction.md)
-####### [List Machine Actions](get-machineactions-collection.md)
-####### [Get Machine Action](get-machineaction-object.md)
-####### [Collect investigation package](collect-investigation-package.md)
-####### [Get investigation package SAS URI](get-package-sas-uri.md)
-####### [Isolate machine](isolate-machine.md)
-####### [Release machine from isolation](unisolate-machine.md)
-####### [Restrict app execution](restrict-code-execution.md)
-####### [Remove app restriction](unrestrict-code-execution.md)
-####### [Run antivirus scan](run-av-scan.md)
-####### [Offboard machine](offboard-machine-api.md)
-####### [Stop and quarantine file](stop-and-quarantine-file.md)
-
-###### [Automated Investigation]()
-####### [Investigation methods and properties](microsoft-defender-atp/investigation.md)
-####### [List Investigation](microsoft-defender-atp/get-investigation-collection.md)
-####### [Get Investigation](microsoft-defender-atp/get-investigation-object.md)
-####### [Start Investigation](microsoft-defender-atp/initiate-autoir-investigation.md)
-
-###### [Indicators]()
-####### [Methods and properties](ti-indicator.md)
-####### [Submit Indicator](post-ti-indicator.md)
-####### [List Indicators](get-ti-indicators-collection.md)
-####### [Delete Indicator](delete-ti-indicator-by-id.md)
-
-###### [Domain]()
-####### [Get domain related alerts](get-domain-related-alerts.md)
-####### [Get domain related machines](get-domain-related-machines.md)
-####### [Get domain statistics](get-domain-statistics.md)
-
-###### [File]()
-####### [Methods and properties](files.md)
-####### [Get file information](get-file-information.md)
-####### [Get file related alerts](get-file-related-alerts.md)
-####### [Get file related machines](get-file-related-machines.md)
-####### [Get file statistics](get-file-statistics.md)
-
-###### [IP]()
-####### [Get IP related alerts](get-ip-related-alerts.md)
-####### [Get IP statistics](get-ip-statistics.md)
-
-###### [User]()
-####### [Methods](user.md)
-####### [Get user related alerts](get-user-related-alerts.md)
-####### [Get user related machines](get-user-related-machines.md)
-
-##### [How to use APIs - Samples]()
-###### [Microsoft Flow](api-microsoft-flow.md)
-###### [Power BI](api-power-bi.md)
-###### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
-###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
-###### [Using OData Queries](exposed-apis-odata-samples.md)
-
-#### [API for custom alerts]()
-##### [Enable the custom threat intelligence application](enable-custom-ti.md)
-##### [Use the threat intelligence API to create custom alerts](use-custom-ti.md)
-##### [Create custom threat intelligence alerts](custom-ti-api.md)
-##### [PowerShell code examples](powershell-example-code.md)
-##### [Python code examples](python-example-code.md)
-##### [Experiment with custom threat intelligence alerts](experiment-custom-ti.md)
-##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md)
-
-#### [Pull Detections to your SIEM tools]()
-##### [Learn about different ways to pull Detections](configure-siem.md)
-##### [Enable SIEM integration](enable-siem-integration.md)
-##### [Configure Splunk to pull Detections](configure-splunk.md)
-##### [Configure HP ArcSight to pull Detections](configure-arcsight.md)
-##### [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
-##### [Pull Detections using SIEM REST API](pull-alerts-using-rest-api.md)
-##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
-
-#### [Reporting]()
-##### [Create and build Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
-##### [Threat protection reports](threat-protection-reports.md)
-##### [Machine health and compliance reports](machine-reports.md)
-
-#### [Interoperability]()
-##### [Partner applications](partner-applications.md)
-
-#### [Manage machine configuration]()
-##### [Ensure your machines are configured properly](configure-machines.md)
-##### [Monitor and increase machine onboarding](configure-machines-onboarding.md)
-##### [Increase compliance to the security baseline](configure-machines-security-baseline.md)
-##### [Optimize ASR rule deployment and detections](configure-machines-asr.md)
-
-#### [Role-based access control]()
-
-##### [Manage portal access using RBAC]()
-###### [Using RBAC](rbac.md)
-###### [Create and manage roles](user-roles.md)
-
-###### [Create and manage machine groups]()
-####### [Using machine groups](machine-groups.md)
-####### [Create and manage machine tags](machine-tags.md)
-
-#### [Configure managed security service provider (MSSP) support](configure-mssp-support.md)
-
-
-### [Configure Microsoft threat protection integration]()
-#### [Configure Conditional Access](configure-conditional-access.md)
-#### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md)
-#### [Configure information protection in Windows](information-protection-in-windows-config.md)
-
-
-### [Configure portal settings]()
-#### [Set up preferences](preferences-setup.md)
-
-#### [General]()
-##### [Update data retention settings](data-retention-settings.md)
-##### [Configure alert notifications](configure-email-notifications.md)
-##### [Enable and create Power BI reports using Windows Security app data](powerbi-reports.md)
-##### [Configure advanced features](advanced-features.md)
-
-#### [Permissions]()
-##### [Use basic permissions to access the portal](basic-permissions.md)
-##### [Manage portal access using RBAC](rbac.md)
-###### [Create and manage roles](user-roles.md)
-###### [Create and manage machine groups](machine-groups.md)
-####### [Create and manage machine tags](machine-tags.md)
-
-#### [APIs]()
-##### [Enable Threat intel](enable-custom-ti.md)
-##### [Enable SIEM integration](enable-siem-integration.md)
-
-#### [Rules]()
-##### [Manage suppression rules](manage-suppression-rules.md)
-##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md)
-##### [Manage indicators](manage-indicators.md)
-##### [Manage automation file uploads](manage-automation-file-uploads.md)
-##### [Manage automation folder exclusions](manage-automation-folder-exclusions.md)
-
-#### [Machine management]()
-##### [Onboarding machines](onboard-configure.md)
-##### [Offboarding machines](offboard-machines.md)
-
-#### [Configure time zone settings](time-settings.md)
-
-
-
-## [Troubleshoot Microsoft Defender ATP]()
-
-### [Troubleshoot sensor state]()
-#### [Check sensor state](check-sensor-status.md)
-#### [Fix unhealthy sensors](fix-unhealthy-sensors.md)
-#### [Inactive machines](fix-unhealthy-sensors.md#inactive-machines)
-#### [Misconfigured machines](fix-unhealthy-sensors.md#misconfigured-machines)
-#### [Review sensor events and errors on machines with Event Viewer](event-error-codes.md)
-
-
-### [Troubleshoot service issues]()
-#### [Troubleshooting issues](troubleshoot-mdatp.md)
-#### [Check service health](service-status.md)
-
-
-### [Troubleshoot attack surface reduction issues]()
-#### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md)
-#### [Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md)
-#### [Collect diagnostic data for files](../windows-defender-exploit-guard/troubleshoot-np.md)
-
-
-### [Troubleshoot next generation protection issues](../microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
index 3ad2b3c9db..6d9c98fc37 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
@@ -32,9 +32,6 @@ ms.topic: article
Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
-> [!IMPORTANT]
-> This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview.md).
-
To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll need to:
- Configure and update System Center Endpoint Protection clients.
- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as instructed below.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
index 37c447d3fc..64b2b3236f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
@@ -1,8 +1,8 @@
---
title: Configure and manage Microsoft Defender ATP capabilities
ms.reviewer:
-description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, next generation protection, and security controls
-keywords: configure, manage, capabilities, attack surface reduction, next generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls
+description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, next-generation protection, and security controls
+keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -30,7 +30,7 @@ Configure and manage all the Microsoft Defender ATP capabilities to get the best
Topic | Description
:---|:---
[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
-[Configure next generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
+[Configure next-generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next-generation protection to catch all types of emerging threats.
[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP.
[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
index c73e519c52..79394ceaf0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
@@ -12,7 +12,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- M365-security-compliance
+- m365solution-endpointprotect
ms.topic: article
---
@@ -217,8 +219,8 @@ Follow the steps below to identify the Microsoft Defender ATP Workspace ID and W
Once completed, you should see onboarded endpoints in the portal within an hour.
-## Next generation protection
-Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
+## next-generation protection
+Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers.
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
@@ -226,7 +228,7 @@ Microsoft Defender Antivirus is a built-in antimalware solution that provides ne
2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**.
- 
+ 
In certain industries or some select enterprise customers might have specific
needs on how Antivirus is configured.
@@ -237,29 +239,29 @@ needs on how Antivirus is configured.
For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
- 
+ 
- 
+ 
- 
+ 
- 
+ 
- 
+ 
- 
+ 
- 
+ 
- 
+ 
3. Right-click on the newly created antimalware policy and select **Deploy**.
- 
+ 
4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
- 
+ 
After completing this task, you now have successfully configured Windows
Defender Antivirus.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
index c98c0a6c38..fd8438a07e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
@@ -18,22 +18,19 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
-
# Custom detections overview
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions.
+With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts and response actions.
-Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
+Custom detections work with [advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
Custom detections provide:
- Alerts for rule-based detections built from advanced hunting queries
- Automatic response actions that apply to files and devices
->[!NOTE]
->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
-
-## Related topic
-- [Create and manage custom detection rules](custom-detection-rules.md)
+## Related topics
+- [Create detection rules](custom-detection-rules.md)
+- [View and manage detection rules](custom-detections-manage.md)
- [Advanced hunting overview](advanced-hunting-overview.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
index e1d07ae2e0..56d83bd553 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
@@ -13,7 +13,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- M365-security-compliance
+- m365solution-endpointprotect
ms.topic: article
---
@@ -172,7 +174,7 @@ how the endpoint security suite should be enabled.
|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Invaluable device vulnerability context during incident investigations - Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager [Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 |
-| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes: -Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus. - Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection"). - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research. [Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 |
+| Next-generation protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes: -Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus. - Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection"). - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research. [Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 |
| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 |
| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index a36d89c45a..2586120da8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -49,9 +49,6 @@ Turn on the preview experience setting to be among the first to try upcoming fea
The following features are included in the preview release:
- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android.
-- [Create indicators for certificates](manage-indicators.md) Create indicators to allow or block certificates.
-
-
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) You can now see a comprehensive set of details on the vulnerabilities found in your device to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
index 9c5a742c97..dd1f0dfe6b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -13,7 +13,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- M365-security-compliance
+- m365solution-endpointprotect
ms.topic: article
---
@@ -228,16 +230,15 @@ is configured on these devices.
URLs that include v20 in them are only needed if you have Windows 10, version
1803 or later devices. For example, ```us-v20.events.data.microsoft.com``` is only
needed if the device is on Windows 10, version 1803 or later.
+
- Service location | Microsoft.com DNS record
--|-
-Common URLs for all locations | ```crl.microsoft.com/pki/crl/*``` ```ctldl.windowsupdate.com``` ```www.microsoft.com/pkiops/*``` ```events.data.microsoft.com``` ```notify.windows.com``` ```settings-win.data.microsoft.com```
-European Union | ```eu.vortex-win.data.microsoft.com``` ```eu-v20.events.data.microsoft.com``` ```usseu1northprod.blob.core.windows.net``` ```usseu1westprod.blob.core.windows.net``` ```winatp-gw-neu.microsoft.com``` ```winatp-gw-weu.microsoft.com``` ```wseu1northprod.blob.core.windows.net``` ```wseu1westprod.blob.core.windows.net``` ```automatedirstrprdweu.blob.core.windows.net``` ```automatedirstrprdneu.blob.core.windows.net```
-United Kingdom | ```uk.vortex-win.data.microsoft.com``` ```uk-v20.events.data.microsoft.com``` ```ussuk1southprod.blob.core.windows.net``` ```ussuk1westprod.blob.core.windows.net``` ```winatp-gw-uks.microsoft.com``` ```winatp-gw-ukw.microsoft.com``` ```wsuk1southprod.blob.core.windows.net``` ```wsuk1westprod.blob.core.windows.net``` ```automatedirstrprduks.blob.core.windows.net``` ```automatedirstrprdukw.blob.core.windows.net```
-United States | ```us.vortex-win.data.microsoft.com``` ```ussus1eastprod.blob.core.windows.net``` ```ussus1westprod.blob.core.windows.net``` ```ussus2eastprod.blob.core.windows.net``` ```ussus2westprod.blob.core.windows.net``` ```ussus3eastprod.blob.core.windows.net``` ```ussus3westprod.blob.core.windows.net``` ```ussus4eastprod.blob.core.windows.net``` ```ussus4westprod.blob.core.windows.net``` ```us-v20.events.data.microsoft.com``` ```winatp-gw-cus.microsoft.com``` ```winatp-gw-eus.microsoft.com``` ```wsus1eastprod.blob.core.windows.net``` ```wsus1westprod.blob.core.windows.net``` ```wsus2eastprod.blob.core.windows.net``` ```wsus2westprod.blob.core.windows.net``` ```automatedirstrprdcus.blob.core.windows.net``` ```automatedirstrprdeus.blob.core.windows.net```
+If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the listed URLs.
-If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
+|**Item**|**Description**|
+|:-----|:-----|
+|[](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
+
### Microsoft Defender ATP service backend IP range
diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
index 11d05369ee..4435b74d94 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
@@ -1,59 +1,59 @@
----
-title: Recommendation methods and properties
-description: Retrieves top recent alerts.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Recommendation resource type
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-Method |Return Type |Description
-:---|:---|:---
-[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization
-[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID
-[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software
-[Get recommendation devices](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of devices associated with the security recommendation
-[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-id | String | Recommendation ID
-productName | String | Related software name
-recommendationName | String | Recommendation name
-Weaknesses | Long | Number of discovered vulnerabilities
-Vendor | String | Related vendor name
-recommendedVersion | String | Recommended version
-recommendationCategory | String | Recommendation category. Possible values are: "Accounts", "Application", "Network", "OS", "SecurityStack
-subCategory | String | Recommendation sub-category
-severityScore | Double | Potential impact of the configuration to the organization's Microsoft Secure Score for Devices (1-10)
-publicExploit | Boolean | Public exploit is available
-activeAlert | Boolean | Active alert is associated with this recommendation
-associatedThreats | String collection | Threat analytics report is associated with this recommendation
-remediationType | String | Remediation type. Possible values are: "ConfigurationChange","Update","Upgrade","Uninstall"
-Status | Enum | Recommendation exception status. Possible values are: "Active" and "Exception"
-configScoreImpact | Double | Microsoft Secure Score for Devices impact
-exposureImpacte | Double | Exposure score impact
-totalMachineCount | Long | Number of installed devices
-exposedMachinesCount | Long | Number of installed devices that are exposed to vulnerabilities
-nonProductivityImpactedAssets | Long | Number of devices which are not affected
-relatedComponent | String | Related software component
+---
+title: Recommendation methods and properties
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Recommendation resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+Method |Return Type |Description
+:---|:---|:---
+[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization
+[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID
+[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software
+[Get recommendation devices](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of devices associated with the security recommendation
+[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation
+
+
+## Properties
+Property | Type | Description
+:---|:---|:---
+id | String | Recommendation ID
+productName | String | Related software name
+recommendationName | String | Recommendation name
+Weaknesses | Long | Number of discovered vulnerabilities
+Vendor | String | Related vendor name
+recommendedVersion | String | Recommended version
+recommendationCategory | String | Recommendation category. Possible values are: "Accounts", "Application", "Network", "OS", "SecurityStack
+subCategory | String | Recommendation sub-category
+severityScore | Double | Potential impact of the configuration to the organization's Microsoft Secure Score for Devices (1-10)
+publicExploit | Boolean | Public exploit is available
+activeAlert | Boolean | Active alert is associated with this recommendation
+associatedThreats | String collection | Threat analytics report is associated with this recommendation
+remediationType | String | Remediation type. Possible values are: "ConfigurationChange","Update","Upgrade","Uninstall"
+Status | Enum | Recommendation exception status. Possible values are: "Active" and "Exception"
+configScoreImpact | Double | Microsoft Secure Score for Devices impact
+exposureImpacte | Double | Exposure score impact
+totalMachineCount | Long | Number of installed devices
+exposedMachinesCount | Long | Number of installed devices that are exposed to vulnerabilities
+nonProductivityImpactedAssets | Long | Number of devices which are not affected
+relatedComponent | String | Related software component
diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md
index bc8b673887..efd9066f69 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/score.md
@@ -1,40 +1,40 @@
----
-title: Score methods and properties
-description: Retrieves your organization's exposure score, device secure score, and exposure score by device group
-keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by device group
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Score resource type
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-Method |Return Type |Description
-:---|:---|:---
-[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score.
-[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score.
-[List exposure score by device group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by device group.
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-Score | Double | The current score.
-Time | DateTime | The date and time in which the call for this API was made.
-RbacGroupName | String | The device group name.
+---
+title: Score methods and properties
+description: Retrieves your organization's exposure score, device secure score, and exposure score by device group
+keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by device group
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Score resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+Method |Return Type |Description
+:---|:---|:---
+[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score.
+[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score.
+[List exposure score by device group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by device group.
+
+
+## Properties
+Property | Type | Description
+:---|:---|:---
+Score | Double | The current score.
+Time | DateTime | The date and time in which the call for this API was made.
+RbacGroupName | String | The device group name.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
index db1b08907f..1fdb856b5d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
@@ -100,11 +100,11 @@ You can view the overall number of automated investigations from the last 30 day
## Automated investigations statistics
-This tile shows statistics related to automated investigations in the last 30 days. It shows the number of investigations completed, the number of successfully remediated investigations, the average pending time it takes for an investigation to be initiated, the average time it takes to remediate an alert, the number of alerts investigated, and the number of hours of automation saved from a typical manual investigation.
+This tile shows statistics related to automated investigations in the last seven days. It shows the number of investigations completed, the number of successfully remediated investigations, the average pending time it takes for an investigation to be initiated, the average time it takes to remediate an alert, the number of alerts investigated, and the number of hours of automation saved from a typical manual investigation.
-You can click on **Automated investigations**, **Remidated investigations**, and **Alerts investigated** to navigate to the **Investigations** page, filtered by the appropriate category. This lets you see a detailed breakdown of investigations in context.
+You can click on **Automated investigations**, **Remediated investigations**, and **Alerts investigated** to navigate to the **Investigations** page, filtered by the appropriate category. This lets you see a detailed breakdown of investigations in context.
## Users at risk
The tile shows you a list of user accounts with the most active alerts and the number of alerts seen on high, medium, or low alerts.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md
index 0853d1f0d8..bacc9d839f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/software.md
@@ -1,49 +1,49 @@
----
-title: Software methods and properties
-description: Retrieves top recent alerts.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Software resource type
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-
-Method |Return Type |Description
-:---|:---|:---
-[List software](get-software.md) | Software collection | List the organizational software inventory.
-[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID.
-[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
-[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of devices that are associated with the software ID.
-[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
-[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID
-
-## Properties
-
-Property | Type | Description
-:---|:---|:---
-id | String | Software ID
-Name | String | Software name
-Vendor | String | Software vendor name
-Weaknesses | Long | Number of discovered vulnerabilities
-publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
-activeAlert | Boolean | Active alert is associated with this software
-exposedMachines | Long | Number of exposed devices
-impactScore | Double | Exposure score impact of this software
+---
+title: Software methods and properties
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Software resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+
+Method |Return Type |Description
+:---|:---|:---
+[List software](get-software.md) | Software collection | List the organizational software inventory.
+[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID.
+[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
+[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of devices that are associated with the software ID.
+[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
+[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID
+
+## Properties
+
+Property | Type | Description
+:---|:---|:---
+id | String | Software ID
+Name | String | Software name
+Vendor | String | Software vendor name
+Weaknesses | Long | Number of discovered vulnerabilities
+publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
+activeAlert | Boolean | Active alert is associated with this software
+exposedMachines | Long | Number of exposed devices
+impactScore | Double | Exposure score impact of this software
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
index 0261393243..9e26a9fef5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
@@ -13,7 +13,10 @@ author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- M365-security-compliance
+- m365solution-symantecmigrate
+- m365solution-overview
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
index f6102fbeb5..6c7c329a2e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
@@ -13,7 +13,9 @@ author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- M365-security-compliance
+- m365solution-symantecmigrate
ms.topic: article
---
@@ -49,9 +51,9 @@ Deployment methods vary, depending on which operating system is selected. Refer
|---------|---------|
|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp) - [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) - [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm) - [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
|- Windows 8.1 Enterprise - Windows 8.1 Pro - Windows 7 SP1 Enterprise - Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)
**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). |
-|- Windows Server 2019 and later - Windows Server 2019 core edition - Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script) - [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp) - [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) - [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-machines-using-earlier-versions-of-system-center-configuration-manager) - [VDI onboarding scripts for non-persistent machines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+|- Windows Server 2019 and later - Windows Server 2019 core edition - Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script) - [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp) - [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) - [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager) - [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
|- Windows Server 2016 - Windows Server 2012 R2 - Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center) - [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
-|macOS - 10.15 (Catalina) - 10.14 (Mojave) - 10.13 (High Sierra)
Linux: - RHEL 7.2+ - CentOS Linux 7.2+ - Ubuntu 16 LTS, or higher LTS - SLES 12+ - Debian 9+ - Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) |
## Run a detection test
@@ -75,15 +77,11 @@ Now that you have onboarded your organization's devices to Microsoft Defender AT
2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`.
3. Look for an entry named **SmcInstData**. Right-click the item, and then choose **Delete**.
-3. Remove Symantec from your devices. You can use SEP Manager to perform this task. See [Configuring client packages to uninstall existing security software](https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Managing-a-custom-installation/preparing-for-client-installation-v16742985-d21e7/configuring-client-packages-to-uninstall-existing-v73569396-d21e2634.html).
-
-
-> [!TIP]
-> Need help? See the following Broadcom resources:
-> - [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html).
-> - Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040).
-> - macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387).
-> - Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054).
+3. Remove Symantec from your devices. If you need help with this, see the following Broadcom resources:
+ - [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html)
+ - Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040)
+ - macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387)
+ - Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054)
## Make sure Microsoft Defender ATP is in active mode
@@ -99,5 +97,4 @@ To do this, visit the Microsoft Defender ATP demo scenarios site ([https://demo.
**Congratulations**! You have completed your [migration from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-
-- To learn more about Microsoft Defender ATP and how to configure or adjust various features and capabilities, see [Microsoft Defender ATP documentation](https://docs.microsoft.com/windows/security/threat-protection).
\ No newline at end of file
+- [Manage Microsoft Defender Advanced Threat Protection, post migration](manage-atp-post-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
index 5f7918273a..2a678e94e4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
@@ -13,7 +13,9 @@ author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- M365-security-compliance
+- m365solution-symantecmigrate
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
index eef8e48d51..692c6a9e61 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
@@ -13,7 +13,9 @@ author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- M365-security-compliance
+- m365solution-symantecmigrate
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
index 3c49e66665..c470a3566b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
@@ -1,6 +1,6 @@
---
-title: Event timeline
-description: Event timeline is a "risk news feed" which will help you interpret how risk is introduced into the organization and which mitigations happened to reduce it.
+title: Event timeline in threat and vulnerability management
+description: Event timeline is a "risk news feed" that helps you interpret how risk is introduced into the organization, and which mitigations happened to reduce it.
keywords: event timeline, mdatp event timeline, mdatp tvm event timeline, threat and vulnerability management, Microsoft Defender Advanced Threat Protection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -16,16 +16,14 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Event timeline
+# Event timeline - threat and vulnerability management
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Event timeline is a risk news feed which helps you interpret how risk, through new vulnerabilities or exploits, is introduced into the organization. You can view events which may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was addd to an exploit kit, and more.
+Event timeline is a risk news feed that helps you interpret how risk is introduced into the organization through new vulnerabilities or exploits. You can view events that may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was added to an exploit kit, and more.
Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) so you can determine the cause of large changes. Reduce you exposure score by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md).
@@ -33,27 +31,27 @@ Event timeline also tells the story of your [exposure score](tvm-exposure-score.
You can access Event timeline mainly through three ways:
-- In the Threat & Vulnerability Management navigation menu in the Microsoft Defender Security Center
-- Top events card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). The highest impact events (for example, affect the most machines or critical vulnerabilities)
-- Hovering over the Exposure Score graph in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
+- In the threat and vulnerability management navigation menu in the Microsoft Defender Security Center
+- Top events card in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). The highest impact events (for example, affect the most devices or critical vulnerabilities)
+- Hovering over the Exposure Score graph in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md)
### Navigation menu
-Go to the Threat & Vulnerability Management navigation menu and select **Event timeline** to view impactful events.
+Go to the threat and vulnerability management navigation menu and select **Event timeline** to view impactful events.
### Top events card
-In the Threat & Vulnerability Management dashboard, the "Top events" card displays the three most impactful events in the last 7 days. Select **Show more** to go to the Event timeline page.
+In the threat and vulnerability management dashboard, the "Top events" card displays the three most impactful events in the last 7 days. Select **Show more** to go to the Event timeline page.
### Exposure score graph
-In the Threat & Vulnerability Management dashboard, hover over the Exposure score graph to view top events from that day that impacted your machines. If there are no events, then none will be shown.
+In the threat and vulnerability management dashboard, hover over the Exposure score graph to view top events from that day that impacted your devices. If there are no events, then none will be shown.
-Selecting **Show all events from this day** will lead you to the Event timeline page with a pre-populated custom date range for that day.
+Selecting **Show all events from this day** takes you to the Event timeline page with a custom date range for that day.
@@ -63,25 +61,28 @@ Select **Custom range** to change the date range to another custom one, or a pre
## Event timeline overview
-On the Event timeline page, you can view the all the necesssary info related to an event.
+On the Event timeline page, you can view the all the necessary info related to an event.
Features:
- Customize columns
-- Filter by event type or percent of impacted machines
+- Filter by event type or percent of impacted devices
- View 30, 50, or 100 items per page
The two large numbers at the top of the page show the number of new vulnerabilities and exploitable vulnerabilities, not events. Some events can have multiple vulnerabilities, and some vulnerabilities can have multiple events.
+>[!NOTE]
+>Event type called "New configuration assessment" coming soon.
+
### Columns
- **Date**: month, day, year
-- **Event**: impactful event, including component, type, and number of impacted machines
+- **Event**: impactful event, including component, type, and number of impacted devices
- **Related component**: software
-- **Originally impacted machines**: the number, and percentage, of impacted machines when this event originally occurred. You can also filter by the percent of originally impacted machines, out of your total number of machines.
-- **Currently impacted machines**: the current number, and percentage, of machines that this event currently impacts. You can find this field by selecting **Customize columns**.
+- **Originally impacted devices**: the number, and percentage, of impacted devices when this event originally occurred. You can also filter by the percent of originally impacted devices, out of your total number of devices.
+- **Currently impacted devices**: the current number, and percentage, of devices that this event currently impacts. You can find this field by selecting **Customize columns**.
- **Types**: reflect time-stamped events that impact the score. They can be filtered.
- Exploit added to an exploit kit
- Exploit was verified
@@ -100,27 +101,31 @@ The following icons show up next to events:
### Drill down to a specific event
-Once you select an event, a flyout will appear listing the details and current CVEs that affect your machines. You can show more CVEs or view the related recommendation.
+Once you select an event, a flyout will appear with a list of the details and current CVEs that affect your devices. You can show more CVEs or view the related recommendation.
-The arrow below "score trend" helps you determine whether this event potentially raised or lowered your organizational exposure score. Higher exposure score means machines are more vulnerable to exploitation.
+The arrow below "score trend" helps you determine whether this event potentially raised or lowered your organizational exposure score. Higher exposure score means devices are more vulnerable to exploitation.
-From there, select **Go to related security recommendation** to go to the [security recommendations page](tvm-security-recommendation.md) and the recommendation that will address the new software vulnerability. After reading the description and vulnerability details in the security recommendation, you can [submit a remediation request](tvm-security-recommendation.md#request-remediation), and track the request in the [remediation page](tvm-remediation.md).
+From there, select **Go to related security recommendation** view the recommendation that addresses the new software vulnerability in the [security recommendations page](tvm-security-recommendation.md). After reading the description and vulnerability details in the security recommendation, you can [submit a remediation request](tvm-security-recommendation.md#request-remediation), and track the request in the [remediation page](tvm-remediation.md).
## View Event timelines in software pages
To open a software page, select an event > select the hyperlinked software name (like Visual Studio 2017) in the section called "Related component" in the flyout. [Learn more about software pages](tvm-software-inventory.md#software-pages)
-A full page will appear with all the details of a specific software, including an event timeline tab. From there you can view all the events related to that software, along with security recommendations, discovered vulnerabilities, installed machines, and version distribution.
+A full page will appear with all the details of a specific software. Mouse over the graph to see the timeline of events for that specific software.
+
+
+
+Navigate to the event timeline tab to view all the events related to that software. You can also see security recommendations, discovered vulnerabilities, installed devices, and version distribution.
## Related topics
-- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
+- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
@@ -130,6 +135,6 @@ A full page will appear with all the details of a specific software, including a
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Advanced hunting overview](overview-hunting.md)
- [All advanced hunting tables](advanced-hunting-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 3a565b7fd9..87bf456ec8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -1,6 +1,6 @@
---
-title: Threat & Vulnerability Management scenarios
-description: Learn how Threat & Vulnerability Management can be used to help security admins, IT admins, and SecOps collaborate in defending against security threats.
+title: Scenarios - threat and vulnerability management
+description: Learn how threat and vulnerability management can be used to help security admins, IT admins, and SecOps collaborate.
keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Threat & Vulnerability Management scenarios
+# Scenarios - threat and vulnerability management
**Applies to:**
@@ -36,7 +36,7 @@ ms.topic: article
3. Enter the following queries:
```kusto
-// Search for machines with High active alerts or Critical CVE public exploit
+// Search for devices with High active alerts or Critical CVE public exploit
DeviceTvmSoftwareInventoryVulnerabilities
| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
| where IsExploitAvailable == 1 and CvssScore >= 7
@@ -50,11 +50,40 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
```
+## Define a device's value to the organization
+
+Defining a device’s value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation. Devices marked as “high value” will receive more weight.
+
+Device value options:
+
+- Low
+- Normal (Default)
+- High
+
+Examples of devices that should be marked as high value:
+
+- Domain controllers, Active Directory
+- Internet facing devices
+- VIP devices
+- Devices hosting internal/external production services
+
+### Set device value
+
+1. Navigate to any device page, the easiest place is from the device inventory.
+
+2. Select **Device Value** from three dots next to the actions bar at the top of the page.
+ 
+
+
+
+3. A flyout will appear with the current device value and what it means. Review the value of the device and choose the one that best fits your device.
+
+
## Related topics
-- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
+- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
@@ -63,6 +92,6 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
- [Weaknesses](tvm-weaknesses.md)
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Advanced hunting overview](overview-hunting.md)
- [All advanced hunting tables](advanced-hunting-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
index 8f87ff3707..be0e27f27a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
@@ -7,7 +7,6 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
index 882df03a74..86607dd332 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
@@ -3,7 +3,6 @@ title: Troubleshoot exploit protection mitigations
keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install
description: Remove unwanted Exploit protection mitigations.
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
index b435c4b723..1118d17529 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
@@ -3,7 +3,6 @@ title: Troubleshoot problems with Network protection
description: Resources and sample code to troubleshoot issues with Network protection in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, microsoft defender atp, microsoft defender advanced threat protection
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
index 445718afae..2e1d1f2adb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
@@ -28,12 +28,10 @@ ms.topic: troubleshooting
You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues.
This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the devices.
-
## Troubleshoot issues with onboarding tools
If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem.
-
### Troubleshoot onboarding when deploying with Group Policy
Deployment with Group Policy is done by running the onboarding script on the devices. The Group Policy console does not indicate if the deployment has succeeded or not.
@@ -42,7 +40,6 @@ If you have completed the onboarding process and don't see devices in the [Devic
If the script completes successfully, see [Troubleshoot onboarding issues on the devices](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur.
-
### Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager
When onboarding devices using the following versions of Configuration Manager:
@@ -57,10 +54,10 @@ If the deployment fails, you can check the output of the script on the devices.
If the onboarding completed successfully but the devices are not showing up in the **Devices list** after an hour, see [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur.
-
### Troubleshoot onboarding when deploying with a script
**Check the result of the script on the device:**
+
1. Click **Start**, type **Event Viewer**, and press **Enter**.
2. Go to **Windows Logs** > **Application**.
@@ -68,6 +65,7 @@ If the onboarding completed successfully but the devices are not showing up in t
3. Look for an event from **WDATPOnboarding** event source.
If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue.
+
> [!NOTE]
> The following event IDs are specific to the onboarding script only.
@@ -82,7 +80,6 @@ Event ID | Error Type | Resolution steps
`40` | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
`65` | Insufficient privileges| Run the script again with administrator privileges.
-
### Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
@@ -97,7 +94,7 @@ Use the following tables to understand the possible causes of issues while onboa
If none of the event logs and troubleshooting steps work, download the Local script from the **Device management** section of the portal, and run it in an elevated command prompt.
-**Microsoft Intune error codes and OMA-URIs**:
+#### Microsoft Intune error codes and OMA-URIs
Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
:---:|:---|:---|:---|:---
@@ -107,8 +104,7 @@ Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause a
| | | | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently supported platforms: Enterprise, Education, and Professional. Server is not supported.
0x87D101A9 | -2016345687 |SyncML(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently supported platforms: Enterprise, Education, and Professional.
-
-**Known issues with non-compliance**
+#### Known issues with non-compliance
The following table provides information on issues with non-compliance and how you can address the issues.
@@ -118,8 +114,7 @@ Case | Symptoms | Possible cause and troubleshooting steps
`2` | Device is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the device as non-compliant by SenseIsRunning when DM session occurs on system start.
**Troubleshooting steps:** The issue should automatically be fixed within 24 hours.
`3` | Device is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same device at same time.
-
-**Mobile Device Management (MDM) event logs**
+#### Mobile Device Management (MDM) event logs
View the MDM event logs to troubleshoot issues that might arise during onboarding:
@@ -131,17 +126,16 @@ ID | Severity | Event description | Troubleshooting steps
:---|:---|:---|:---
1819 | Error | Microsoft Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
-
## Troubleshoot onboarding issues on the device
-If the deployment tools used does not indicate an error in the onboarding process, but devices are still not appearing in the devices list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender ATP agent:
+If the deployment tools used does not indicate an error in the onboarding process, but devices are still not appearing in the devices list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender ATP agent.
+
- [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log)
- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled)
- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
- [Ensure the device has an Internet connection](#ensure-the-device-has-an-internet-connection)
- [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)
-
### View agent onboarding errors in the device event log
1. Click **Start**, type **Event Viewer**, and press **Enter**.
@@ -176,24 +170,23 @@ Event ID | Message | Resolution steps
`30` | Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender Advanced Threat Protection. Failure code: %1 | Contact support.
`32` | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the device.
`55` | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the device.
-`63` | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type.
+`63` | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type.
`64` | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing.
`68` | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type.
-`69` | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
+`69` | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
+
+
-
There are additional components on the device that the Microsoft Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
-
### Ensure the diagnostic data service is enabled
If the devices aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the device. The service might have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
-
### Ensure the service is set to start
**Use the command line to check the Windows 10 diagnostic data service startup type**:
@@ -216,7 +209,6 @@ First, you should check that the service is set to start automatically when Wind
If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
-
**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
1. Open an elevated command-line prompt on the device:
@@ -255,14 +247,18 @@ To ensure that sensor has service connectivity, follow the steps described in th
If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) topic.
-
### Ensure that Microsoft Defender Antivirus is not disabled by a policy
+> [!IMPORTANT]
+> The following only applies to devices that have **not** yet received the August 2020 (version 4.18.2007.8) update to Microsoft Defender Antivirus.
+>
+> The update ensures that Microsoft Defender Antivirus cannot be turned off on client devices via system policy.
+
**Problem**: The Microsoft Defender ATP service does not start after onboarding.
**Symptom**: Onboarding successfully completes, but you see error 577 or error 1058 when trying to start the service.
-**Solution**: If your devices are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
+**Solution**: If your devices are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not turned off by a system policy.
- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:
@@ -273,19 +269,21 @@ If the verification fails and your environment is using a proxy to connect to th
- ``
- ``
+
+> [!IMPORTANT]
+> The `disableAntiSpyware` setting is discontinued and will be ignored on all client devices, as of the August 2020 (version 4.18.2007.8) update to Microsoft Defender Antivirus.
+
- After clearing the policy, run the onboarding steps again.
-- You can also check the following registry key values to verify that the policy is disabled:
-
- 1. Open the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
- 2. Ensure that the value `DisableAntiSpyware` is not present.
+- You can also check the previous registry key values to verify that the policy is disabled, by opening the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
> [!NOTE]
> In addition, you must ensure that wdfilter.sys and wdboot.sys are set to their default start values of "0".
- > - ``
- > - ``
+ >
+ > - ``
+ > - ``
## Troubleshoot onboarding issues on a server
@@ -295,6 +293,7 @@ If you encounter issues while onboarding a server, go through the following veri
- [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints.md#server-proxy)
You might also need to check the following:
+
- Check that there is a Microsoft Defender Advanced Threat Protection Service running in the **Processes** tab in **Task Manager**. For example:
@@ -311,12 +310,12 @@ You might also need to check the following:
- Check to see that devices are reflected in the **Devices list** in the portal.
-
## Confirming onboarding of newly built devices
There may be instances when onboarding is deployed on a newly built device but not completed.
The steps below provide guidance for the following scenario:
+
- Onboarding package is deployed to newly built devices
- Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed
- Device is turned off or restarted before the end user performs a first logon
@@ -325,7 +324,6 @@ The steps below provide guidance for the following scenario:
> [!NOTE]
> The following steps are only relevant when using Microsoft Endpoint Configuration Manager. For more details about onboarding using Microsoft Endpoint Configuration Manager, see [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection).
-
1. Create an application in Microsoft Endpoint Configuration Manager.
@@ -444,8 +442,8 @@ The steps below provide guidance for the following scenario:
-
## Related topics
+
- [Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md)
- [Onboard devices](onboard-configure.md)
- [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index eaa32244f3..8c35924c4f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -1,7 +1,7 @@
---
-title: Threat & Vulnerability Management dashboard insights
-description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience.
-keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score
+title: Threat and vulnerability management dashboard insights
+description: The threat and vulnerability management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience.
+keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, threat and vulnerability management, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score
search.appverid: met150
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -16,7 +16,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Threat & Vulnerability Management dashboard insights
+# Threat and vulnerability management dashboard insights
**Applies to:**
@@ -24,49 +24,49 @@ ms.topic: conceptual
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
+Threat and vulnerability management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable device vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager
-You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
+You can use the threat and vulnerability management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
-- View exposure and Microsoft Secure Score for Devices side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices
+- View you exposure score and Microsoft Secure Score for Devices, along with top security recommendations, software vulnerability, remediation activities, and exposed devices
- Correlate EDR insights with endpoint vulnerabilities and process them
-- Select remediation options, triage and track the remediation tasks
+- Select remediation options to triage and track the remediation tasks
- Select exception options and track active exceptions
> [!NOTE]
-> Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and Microsoft Secure Score for Devices.
+> Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's threat and vulnerability management exposure score and Microsoft Secure Score for Devices.
-Watch this video for a quick overview of what is in the Threat & Vulnerability Management dashboard.
+Watch this video for a quick overview of what is in the threat and vulnerability management dashboard.
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r1nv]
-## Threat & Vulnerability Management in Microsoft Defender Security Center
+## Threat and vulnerability management in Microsoft Defender Security Center
You can navigate through the portal using the menu options available in all sections. Refer to the following tables for a description of each section.
-## Threat & Vulnerability Management navigation pane
+## Threat and vulnerability management navigation pane
Area | Description
:---|:---
**Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.
[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP.
[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions.
-[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs or security updates.
+[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs or security updates.
[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details.
-## Threat & Vulnerability Management dashboard
+## Threat and vulnerability management dashboard
Area | Description
:---|:---
-**Selected device groups (#/#)** | Filter the Threat & Vulnerability Management data you want to see in the dashboard and cards by device groups. What you select in the filter applies throughout the Threat & Vulnerability management pages.
+**Selected device groups (#/#)** | Filter the threat and vulnerability management data you want to see in the dashboard and cards by device groups. What you select in the filter applies throughout the threat and vulnerability management pages.
[**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
-[**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page.
+[**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md) | See the security posture of the operating system, applications, network, accounts, and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page.
**Device exposure distribution** | See how many devices are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Devices list** page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception.
**Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
@@ -77,7 +77,7 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico
## Related topics
-- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Exposure score](tvm-exposure-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
@@ -88,4 +88,4 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index 5391b7ca6b..19805c1e0b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -1,6 +1,6 @@
---
-title: Exposure score
-description: The Microsoft Defender ATP exposure score reflects how vulnerable your organization is to cybersecurity threats.
+title: Exposure score in threat and vulnerability management
+description: The threat and vulnerability management exposure score reflects how vulnerable your organization is to cybersecurity threats.
keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score, threat and vulnerability management, Microsoft Defender Advanced Threat Protection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -16,7 +16,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Exposure score
+# Exposure score - threat and vulnerability management
**Applies to:**
@@ -24,7 +24,7 @@ ms.topic: conceptual
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-Your Exposure score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable from exploitation.
+Your exposure score is visible in the [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable from exploitation.
- Quickly understand and identify high-level takeaways about the state of security in your organization.
- Detect and respond to areas that require investigation or action to improve the current state.
@@ -36,7 +36,7 @@ The card gives you a high-level view of your exposure score trend over time. Any
## How it works
-Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your devices are to imminent threats.
+Threat and vulnerability management introduces a new exposure score metric, which visually represents how exposed your devices are to imminent threats.
The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
@@ -55,13 +55,13 @@ You can remediate the issues based on prioritized [security recommendations](tvm
## Reduce your threat and vulnerability exposure
-Lower your threat and vulnerability exposure by remediating [security recommendations](tvm-security-recommendation.md). Make the most impact to your exposure score by remediating the top security recommendations, which can be viewed in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md).
+Lower your threat and vulnerability exposure by remediating [security recommendations](tvm-security-recommendation.md). Make the most impact to your exposure score by remediating the top security recommendations, which can be viewed in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md).
## Related topics
-- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
+- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
@@ -70,4 +70,4 @@ Lower your threat and vulnerability exposure by remediating [security recommenda
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
index 5cdd484045..1ea368d48c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
@@ -1,7 +1,7 @@
---
title: Overview of Microsoft Secure Score for Devices in Microsoft Defender Security Center
description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls
-keywords: Microsoft Secure Score for Devices, mdatp Microsoft Secure Score for Devices, secure score, configuration score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
+keywords: Microsoft Secure Score for Devices, mdatp Microsoft Secure Score for Devices, secure score, configuration score, threat and vulnerability management, security controls, improvement opportunities, security configuration score over time, security posture, baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -23,9 +23,9 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>[!NOTE]
-> Configuration score is now part of Threat & Vulnerability Management as Microsoft Secure Score for Devices.
+> Configuration score is now part of threat and vulnerability management as Microsoft Secure Score for Devices.
-Your score for devices is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your devices across the following categories:
+Your score for devices is visible in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your devices across the following categories:
- Application
- Operating system
@@ -35,6 +35,18 @@ Your score for devices is visible in the [Threat & Vulnerability Management dash
Select a category to go to the [**Security recommendations**](tvm-security-recommendation.md) page and view the relevant recommendations.
+## Turn on the Microsoft Secure Score connector
+
+Forward Microsoft Defender ATP signals, giving Microsoft Secure Score visibility into the device security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
+
+Changes might take up to a few hours to reflect in the dashboard.
+
+1. In the navigation pane, go to **Settings** > **Advanced features**
+
+2. Scroll down to **Microsoft Secure Score** and toggle the setting to **On**.
+
+3. Select **Save preferences**.
+
## How it works
>[!NOTE]
@@ -51,7 +63,7 @@ The data in the Microsoft Secure Score for Devices card is the product of meticu
You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
-1. From the Microsoft Secure Score for Devices card in the Threat & Vulnerability Management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
+1. From the Microsoft Secure Score for Devices card in the threat and vulnerability management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**.
@@ -82,9 +94,9 @@ You can improve your security configuration when you remediate issues from the s
## Related topics
-- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
+- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
@@ -92,4 +104,4 @@ You can improve your security configuration when you remediate issues from the s
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index 2c3f7a6ef5..a94e2b07c4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -1,7 +1,7 @@
---
-title: Remediation and exception
-description: Remediate security weaknesses and fill exceptions by integrating Microsoft Intune and Microsoft Endpoint Configuration Manager.
-keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
+title: Remediation activities and exceptions - threat and vulnerability management
+description: Remediate security weaknesses discovered through security recommendations, and create exceptions if needed, in threat and vulnerability management.
+keywords: microsoft defender atp tvm remediation, mdatp tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -16,7 +16,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Remediation activities and exceptions
+# Remediation activities and exceptions - threat and vulnerability management
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -34,22 +34,22 @@ Lower your organization's exposure from vulnerabilities and increase your securi
You can access the Remediation page a few different ways:
-- Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
-- Top remediation activities card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
+- Threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
+- Top remediation activities card in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md)
### Navigation menu
-Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization.
+Go to the threat and vulnerability management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization.
### Top remediation activities in the dashboard
-View **Top remediation activities** in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
+View **Top remediation activities** in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
## Remediation activities
-When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
+When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete.
@@ -95,9 +95,9 @@ Select **Show exceptions** at the bottom of the **Top security recommendations**
## Related topics
-- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
+- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
@@ -106,4 +106,4 @@ Select **Show exceptions** at the bottom of the **Top security recommendations**
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index ad8c99b503..3b9cd84b1d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -1,6 +1,6 @@
---
-title: Security recommendations
-description: Get actionable security recommendations prioritized by threat, likelihood to be breached, and value.
+title: Security recommendations by threat and vulnerability management
+description: Get actionable security recommendations prioritized by threat, likelihood to be breached, and value, in threat and vulnerability management.
keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -16,7 +16,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Security recommendations
+# Security recommendations - threat and vulnerability management
**Applies to:**
@@ -28,13 +28,13 @@ ms.topic: conceptual
Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance.
-Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
+Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
## How it works
Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time.
-- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
+- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations show the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
- **Breach likelihood** - Your organization's security posture and resilience against threats
@@ -44,8 +44,8 @@ Each device in the organization is scored based on three important factors to he
Access the Security recommendations page a few different ways:
-- Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
-- Top security recommendations in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
+- Threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
+- Top security recommendations in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md)
View related security recommendations in the following places:
@@ -54,15 +54,15 @@ View related security recommendations in the following places:
### Navigation menu
-Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization.
+Go to the threat and vulnerability management navigation menu and select **Security recommendations**. The page contains a list of security recommendations for the threats and vulnerabilities found in your organization.
-### Top security recommendations in the Threat & Vulnerability Management dashboard
+### Top security recommendations in the threat and vulnerability management dashboard
-In a given day as a Security Administrator, you can take a look at the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
+In a given day as a Security Administrator, you can take a look at the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side by side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
-The top security recommendations lists the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details about the recommendation.
+The top security recommendations list the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details.
## Security recommendations overview
@@ -74,7 +74,7 @@ The color of the **Exposed devices** graph changes as the trend changes. If the
### Icons
-Useful icons also quickly calls your attention to:
+Useful icons also quickly call your attention to:
-  possible active alerts
-  associated public exploits
-  recommendation insights
@@ -85,16 +85,16 @@ Select the security recommendation that you want to investigate or process.
-From the flyout, you can do any of the following:
+From the flyout, you can choose any of the following options:
-- **Open software page** - Open the software page to get more context on the software and how it is distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution.
+- **Open software page** - Open the software page to get more context on the software and how it's distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution.
- [**Remediation options**](tvm-security-recommendation.md#request-remediation) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
-- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet.
+- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet.
>[!NOTE]
->When a change is made on a device, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center.
+>When a change is made on a device, it typically takes two hours for the data to be reflected in the Microsoft Defender Security Center. However, it may sometimes take longer.
### Investigate changes in machine exposure or impact
@@ -106,7 +106,7 @@ If there is a large jump in the number of exposed machines, or a sharp increase
## Request remediation
-The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
+The threat and vulnerability management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
### Enable Microsoft Intune connection
@@ -118,7 +118,7 @@ See [Use Intune to remediate vulnerabilities identified by Microsoft Defender AT
1. Select a security recommendation you would like to request remediation for, and then select **Remediation options**.
-2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within Threat & Vulnerability Management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices.
+2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices.
3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
@@ -137,22 +137,23 @@ There are many reasons why organizations create exceptions for a recommendation.
When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
-1. Select a security recommendation you would like create an exception for, and then **Exception options**.
+1. Select a security recommendation you would like to create an exception for, and then **Exception options**.
2. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
The following list details the justifications behind the exception options:
- - **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a device, third party antivirus
- - **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow
- - **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive
+ - **Third party control** - A third party product or software already addresses this recommendation
+ - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced
+ - **Alternate mitigation** - An internal tool already addresses this recommendation
+ - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced
+ - **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive
- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
- - **Other** - False positive
3. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
-4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and select the **Exceptions** tab to view all your exceptions (current and past).
+4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat and vulnerability management** menu and select the **Exceptions** tab to view all your exceptions (current and past).
## Report inaccuracy
@@ -166,34 +167,34 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
-4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
+4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts.
## Find and remediate software or software versions which have reached end-of-support (EOS)
-End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
+End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions with ended support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
-It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end of support, and update versions that have reached end of support. It is best to create and implement a plan **before** the end of support dates.
+It's crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end-of-support and update versions that are no longer supported. It's best to create and implement a plan **before** the end of support dates.
-To find software or software versions which have reached end-of-support:
+To find software or software versions that are no longer supported:
-1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**.
+1. From the threat and vulnerability management menu, navigate to **Security recommendations**.
2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**.
-3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page.
+3. You'll see a list of recommendations related to software with ended support, software versions that are end of support, or versions with upcoming end of support. These tags are also visible in the [software inventory](tvm-software-inventory.md) page.
### List of versions and dates
-To view a list of version that have reached end of support, or end or support soon, and those dates, follow the below steps:
+To view a list of versions that have reached end of support, or end or support soon, and those dates, follow the below steps:
-1. For software that has versions which have reached end of support, or will reach end of support soon, a message will appear in the flyout once the security recommendation is selected.
+1. A message will appear in the security recommendation flyout for software with versions that have reached end of support, or will reach end of support soon.
-2. Select the **version distribution** link to go to the software drill down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support.
+2. Select the **version distribution** link to go to the software drill-down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support.
@@ -201,14 +202,13 @@ To view a list of version that have reached end of support, or end or support so
-After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats.
-
+Once you identify which software and software versions are vulnerable due to their end-of-support status, you must decide whether to update or remove them from your organization. Doing so will lower your organizations exposure to vulnerabilities and advanced persistent threats.
## Related topics
-- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
+- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Remediation and exception](tvm-remediation.md)
@@ -217,4 +217,4 @@ After you have identified which software and software versions are vulnerable du
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
+- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index 9e6591f91c..d157c8610f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -1,7 +1,7 @@
---
-title: Software inventory
-description: Microsoft Defender ATP Threat & Vulnerability Management's software inventory page shows how many weaknesses and vulnerabilities have been detected in software.
-keywords: microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory
+title: Software inventory in threat and vulnerability management
+description: The software inventory page for Microsoft Defender ATP's threat and vulnerability management shows how many weaknesses and vulnerabilities have been detected in software.
+keywords: threat and vulnerability management, microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -16,33 +16,33 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Software inventory
+# Software inventory - threat and vulnerability management
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
+The software inventory in threat and vulnerability management is a list of all the software in your organization. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.
## How it works
-In the field of discovery, we are leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md).
+In the field of discovery, we're leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md).
-Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
+Since it's real time, in a matter of minutes, you'll see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
## Navigate to the Software inventory page
-You can access the Software inventory page by selecting **Software inventory** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md).
+Access the Software inventory page by selecting **Software inventory** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md).
View software on specific devices in the individual devices pages from the [devices list](machines-view-overview.md).
## Software inventory overview
-The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support.
+The **Software inventory** page opens with a list of software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can filter the list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support.
-Select the software that you want to investigate and a flyout panel opens up with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**.
+Select the software that you want to investigate. A flyout panel will open with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**.
@@ -56,8 +56,8 @@ You can view software pages a few different ways:
A full page will appear with all the details of a specific software and the following information:
-- Side panel with vendor information, prevalence of the software in the organization (including number of devices it is installed on, and exposed devices that are not patched), whether and exploit is available, and impact to your exposure score
-- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed devices
+- Side panel with vendor information, prevalence of the software in the organization (including number of devices it's installed on, and exposed devices that aren't patched), whether and exploit is available, and impact to your exposure score
+- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs with the number of exposed devices
- Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the devices that the software is installed on, and the specific versions of the software with the number of devices that have each version installed and number of vulnerabilities.
@@ -67,24 +67,24 @@ You can view software pages a few different ways:
We now show evidence of where we detected a specific software on a device from the registry, disk or both.
You can find it on any devices found in the [devices list](machines-view-overview.md) in a section called "Software Evidence."
-From the Microsoft Defender Security Center navigation panel, go to **Devices list** > select the name of a device to open the device page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence.
+From the Microsoft Defender Security Center navigation panel, go to the **Devices list**. Select the name of a device to open the device page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence.
## Report inaccuracy
-You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information.
+Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated.
1. Open the software flyout on the Software inventory page.
2. Select **Report inaccuracy**.
-3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
-4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
+3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details about the inaccuracy.
+4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts.
## Related topics
-- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
+- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
@@ -93,4 +93,4 @@ You can report a false positive when you see any vague, inaccurate version, inco
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
index 68cb359a5a..d29f6dfc63 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -1,57 +1,58 @@
----
-title: Threat & Vulnerability Management supported operating systems and platforms
-description: Before you begin, ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your all devices are properly accounted for.
-keywords: threat & vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score
-search.appverid: met150
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-# Threat & Vulnerability Management supported operating systems and platforms
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-Before you begin, ensure that you meet the following operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for.
-
-Operating system | Security assessment support
-:---|:---
-Windows 7 | Operating System (OS) vulnerabilities
-Windows 8.1 | Not supported
-Windows 10 1607-1703 | Operating System (OS) vulnerabilities
-Windows 10 1709+ |Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
-Windows Server 2008 R2 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
-Windows Server 2012 R2 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
-Windows Server 2016 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
-Windows Server 2019 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
-MacOS | Not supported (planned)
-Linux | Not supported (planned)
-
-Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list.
-
-## Related topics
-
-- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation and exception](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+---
+title: Supported operating systems and platforms for threat and vulnerability management
+description: Before you begin, ensure that you meet the operating system or platform requisites for threat and vulnerability management so the activities in your all devices are properly accounted for.
+keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score
+search.appverid: met150
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+# Supported operating systems and platforms - threat and vulnerability management
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
+Before you begin, ensure that you meet the following operating system or platform requisites for threat and vulnerability management so the activities in your devices are properly accounted for.
+
+>[!NOTE]
+>The supported systems and platforms for threat and vulnerability management may be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list.
+
+Operating system | Security assessment support
+:---|:---
+Windows 7 | Operating System (OS) vulnerabilities
+Windows 8.1 | Not supported
+Windows 10 1607-1703 | Operating System (OS) vulnerabilities
+Windows 10 1709+ |Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
+Windows Server 2008 R2 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
+Windows Server 2012 R2 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
+Windows Server 2016 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
+Windows Server 2019 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
+macOS | Not supported (planned)
+Linux | Not supported (planned)
+
+## Related topics
+
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
+- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation and exception](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
+- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index 32379a298f..37a974d932 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -1,7 +1,7 @@
---
-title: Weaknesses
-description: Microsoft Defender Security Center offers a Weaknesses page, which lists vulnerabilities found in the infected software running in your organization.
-keywords: mdatp threat & vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm
+title: Weaknesses found by threat and vulnerability management
+description: Lists the common vulnerabilities and exposures (CVE) ID of weaknesses found in the software running in your organization. Discovered by the Microsoft Defender ATP threat and vulnerability management capability.
+keywords: mdatp threat & vulnerability management, threat and vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -16,7 +16,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Weaknesses
+# Weaknesses found by threat and vulnerability management
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -25,9 +25,9 @@ ms.topic: conceptual
[!include[Prerelease information](../../includes/prerelease.md)]
-Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
+Threat and vulnerability management uses the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
-The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, and threat insights.
+The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.
>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network:
@@ -40,53 +40,61 @@ The **Weaknesses** page lists down the vulnerabilities found in the infected sof
Access the Weaknesses page a few different ways:
-- Selecting **Weaknesses** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
+- Selecting **Weaknesses** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
- Global search
### Navigation menu
-Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open the list of CVEs.
+Go to the threat and vulnerability management navigation menu and select **Weaknesses** to open the list of CVEs.
### Vulnerabilities in global search
1. Go to the global search drop-down menu.
-2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
+2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you're looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you're looking for.
-3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
+3. Select the CVE to open a flyout panel with more information, including the vulnerability description, details, threat insights, and exposed devices.
-To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
+To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then select search.
## Weaknesses overview
-If the **Exposed Devices** column shows 0, that means you are not at risk. If exposed devices exist, the next step is to remediate the vulnerabilities in those devices to reduce the risk to your assets and organization.
+Remediate the vulnerabilities in exposed devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you aren't at risk.
-
+
### Breach and threat insights
-You can view the related breach and threat insights in the **Threat** column when the icons are colored red.
+View related breach and threat insights in the **Threat** column when the icons are colored red.
>[!NOTE]
> Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon  and breach insight icon .
-The breach insights icon is highlighted if there is a vulnerability found in your organization.
+The breach insights icon is highlighted if there's a vulnerability found in your organization.
-The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit or connected to specific advanced persistent campaigns or activity groups. Threat Analytics report links are provided that you can read with zero-day exploitation news, disclosures, or related security advisories.
+The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. Hovering over the icon shows whether the threat is a part of an exploit kit, or connected to specific advanced persistent campaigns or activity groups. When available, there is a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories.
+### Gain vulnerability insights
+
+If you select a CVE, a flyout panel will open with more information, including the vulnerability description, details, threat insights, and exposed devices.
+
+The "OS Feature" category is shown in relevant scenarios.
+
+ 
+
## View Common Vulnerabilities and Exposures (CVE) entries in other places
### Top vulnerable software in the dashboard
-1. Go to the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.
+1. Go to the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software, along with threat information and a high-level view of device exposure over time.
-2. Select the software that you want to investigate to go a drill down page.
+2. Select the software you want to investigate to go to a drilldown page.
3. Select the **Discovered vulnerabilities** tab.
-4. Select the vulnerability that you want to investigate. A flyout panel will appear with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+4. Select the vulnerability you want to investigate for more information on vulnerability details
@@ -102,30 +110,32 @@ View related weaknesses information in the device page.
3. The device page will open with details and response options for the device you want to investigate.
4. Select **Discovered vulnerabilities**.
- [Screenshot of the device page with details and response options](images/tvm-discovered-vulnerabilities.png)
+ 
5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
#### CVE Detection logic
-Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the device page) that shows the detection logic and source.
+Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. The new section is called "Detection Logic" (in any discovered vulnerability in the device page) and shows the detection logic and source.
-
+The "OS Feature" category is also shown in relevant scenarios. A CVE would affect devices that run a vulnerable OS only if a specific OS component is enabled. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, we’ll only attach this CVE to the Windows Server 2019 devices with the DNS capability enabled in their OS.
+
+
## Report inaccuracy
-You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information.
+Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated.
1. Open the CVE on the Weaknesses page.
-2. Select **Report inaccuracy**.
-3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
-4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
+2. Select **Report inaccuracy** and a flyout pane will open.
+3. Select the inaccuracy category from the drop-down menu and fill in your email address and inaccuracy details.
+4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts.
## Related topics
-- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
+- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
@@ -134,4 +144,4 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
+- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
index 18a1a896b3..d58c080f49 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
@@ -1,6 +1,6 @@
---
title: Create and manage roles for role-based access control
-description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation
+description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation in the Microsoft Defender Security Center
keywords: user roles, roles, access rbac
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -18,6 +18,7 @@ ms.topic: article
---
# Create and manage roles for role-based access control
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -26,63 +27,58 @@ ms.topic: article
[!include[Prerelease information](../../includes/prerelease.md)]
## Create roles and assign the role to an Azure Active Directory group
+
The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups.
1. In the navigation pane, select **Settings > Roles**.
-2. Click **Add role**.
+2. Select **Add item**.
3. Enter the role name, description, and permissions you'd like to assign to the role.
- - **Role name**
- - **Description**
- - **Permissions**
- - **View data** - Users can view information in the portal.
- >[!NOTE]
- >To view Threat & Vulnerability Management data, select **Threat and vulnerability management**.
-
- - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage device tags, and export device timeline.
- - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
- - Security operations - Take response actions
- - Approve or dismiss pending remediation actions
- - Manage allowed/blocked lists for automation
- - Manage allowed/blocked create Indicators
+4. Select **Next** to assign the role to an Azure AD Security group.
- >[!NOTE]
- >To enable your Security operation personnel to choose remediation options and file exceptions, select **Threat and vulnerability management - Remediation handling**, and **Threat and vulnerability management - Exception handling**.
-
- - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups.
+5. Use the filter to select the Azure AD group that you'd like to add to this role to.
- > [!NOTE]
- > This setting is only available in the Microsoft Defender ATP administrator (default) role.
-
- - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications.
-
- - **Live response capabilities** - Users can take basic or advanced live response commands.
- - Basic commands allow users to:
- - Start a live response session
- - Run read only live response commands on a remote device
- - Advanced commands allow users to:
- - Run basic actions
- - Download a file from the remote device
- - View a script from the files library
- - Run a script on the remote device from the files library take read and write commands.
-
- For more information on the available commands, see [Investigate devices using Live response](live-response.md).
-
-4. Click **Next** to assign the role to an Azure AD Security group.
-
-5. Use the filter to select the Azure AD group that you'd like to add to this role.
-
-6. Click **Save and close**.
+6. **Save and close**.
7. Apply the configuration settings.
-
> [!IMPORTANT]
-> After creating roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created.
+> After creating roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created.
+### Permission options
+- **View data**
+ - **Security operations** - View all security operations data in the portal
+ - **Threat and vulnerability management** - View threat and vulnerability management data in the portal
+
+- **Active remediation actions**
+ - **Security operations** - Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators
+ - **Threat and vulnerability management - Exception handling** - Create new exceptions and manage active exceptions
+ - **Threat and vulnerability management - Remediation handling** - Submit new remediation requests, create tickets, and manage existing remediation activities
+
+- **Alerts investigation** - Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags.
+
+- **Manage portal system settings** - Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups.
+
+ > [!NOTE]
+ > This setting is only available in the Microsoft Defender ATP administrator (default) role.
+
+- **Manage security settings in Security Center** - Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications, manage evaluation lab.
+
+- **Live response capabilities**
+ - **Basic** commands:
+ - Start a live response session
+ - Perform read only live response commands on remote device (excluding file copy and execution
+ - **Advanced** commands:
+ - Download a file from the remote device
+ - Upload a file to the remote device
+ - View a script from the files library
+ - Execute a script on the remote device from the files library
+
+For more information on the available commands, see [Investigate devices using Live response](live-response.md).
+
## Edit roles
1. Select the role you'd like to edit.
@@ -99,7 +95,7 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
2. Click the drop-down button and select **Delete role**.
-
## Related topic
+
- [User basic permissions to access the portal](basic-permissions.md)
- [Create and manage device groups](machine-groups.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
index f215fda3db..0a72f9fa7d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
@@ -63,6 +63,17 @@ You can choose to limit the list of incidents shown based on their status to see
### Data sensitivity
Use this filter to show incidents that contain sensitivity labels.
+## Incident naming
+
+To understand the incident's scope at-a-glance, automatic incident naming, currently in public preview, generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories.
+
+For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
+
+> [!NOTE]
+> Incidents that existed prior the rollout of automatic incident naming will not have their name changed.
+
+Learn more about [turning on preview features](preview.md#turn-on-preview-features).
+
## Related topics
- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue)
- [Manage incidents](manage-incidents.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
index 73aeb36a61..15ec215f1c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
@@ -1,50 +1,50 @@
----
-title: Vulnerability methods and properties
-description: Retrieves vulnerability information
-keywords: apis, graph api, supported apis, get, vulnerability
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Vulnerability resource type
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-Method |Return Type |Description
-:---|:---|:---
-[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization
-[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID
-[List devices by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of devices that are associated with the vulnerability ID
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-id | String | Vulnerability ID
-Name | String | Vulnerability title
-Description | String | Vulnerability description
-Severity | String | Vulnerability Severity. Possible values are: “Low”, “Medium”, “High”, “Critical”
-cvssV3 | Double | CVSS v3 score
-exposedMachines | Long | Number of exposed devices
-publishedOn | DateTime | Date when vulnerability was published
-updatedOn | DateTime | Date when vulnerability was updated
-publicExploit | Boolean | Public exploit exists
-exploitVerified | Boolean | Exploit is verified to work
-exploitInKit | Boolean | Exploit is part of an exploit kit
-exploitTypes | String collection | Exploit impact. Possible values are: “Denial of service”, “Local privilege escalation”, “Denial of service”
-exploitUris | String collection | Exploit source URLs
+---
+title: Vulnerability methods and properties
+description: Retrieves vulnerability information
+keywords: apis, graph api, supported apis, get, vulnerability
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Vulnerability resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+Method |Return Type |Description
+:---|:---|:---
+[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization
+[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID
+[List devices by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of devices that are associated with the vulnerability ID
+
+
+## Properties
+Property | Type | Description
+:---|:---|:---
+id | String | Vulnerability ID
+Name | String | Vulnerability title
+Description | String | Vulnerability description
+Severity | String | Vulnerability Severity. Possible values are: “Low”, “Medium”, “High”, “Critical”
+cvssV3 | Double | CVSS v3 score
+exposedMachines | Long | Number of exposed devices
+publishedOn | DateTime | Date when vulnerability was published
+updatedOn | DateTime | Date when vulnerability was updated
+publicExploit | Boolean | Public exploit exists
+exploitVerified | Boolean | Exploit is verified to work
+exploitInKit | Boolean | Exploit is part of an exploit kit
+exploitTypes | String collection | Exploit impact. Possible values are: “Denial of service”, “Local privilege escalation”, “Denial of service”
+exploitUris | String collection | Exploit source URLs
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
index bbcad993a7..cc9c36fae9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
@@ -24,38 +24,38 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-Web content filtering is part of [Web protection](web-protection-overview.md) capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns.
+Web content filtering is part of [Web protection](web-protection-overview.md) capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
-You can configure policies across your device groups to block certain categories, effectively preventing users within specified device groups from accessing URLs that are associated with the category. For any category that's not blocked, they are automatically audited i.e. your users will be able to access the URLs without disruption and you will continue to gather access statistics to help create a more custom policy decision. If an element on the page you’re viewing is making calls to a resource which is blocked, your users will see a block notification.
+You can configure policies across your device groups to block certain categories, effectively preventing users within specified device groups from accessing URLs that are associated with the category. For any category that's not blocked, they are automatically audited. That means your users will be able to access the URLs without disruption, and you will continue to gather access statistics to help create a more custom policy decision. If an element on the page you’re viewing is making calls to a resource that is blocked, your users will see a block notification.
-Web content filtering is available on the major web browsers, with blocks performed by SmartScreen (Edge) and Network Protection (Chrome and Firefox). See the prerequisites section for more information about browser support.
+Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome and Firefox). For more information about browser support, see the prerequisites section.
-To summarize the benefits:
+Summarizing the benefits:
-- Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away
-- You can conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
-- You can access web reports in the same central location, with visibility over actual blocks and web usage
+- Users are prevented from accessing websites in blocked categories, whether they're browsing on-premises or away
+- Conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
+- Access web reports in the same central location, with visibility over actual blocks and web usage
## User experience
The blocking experience for Chrome/Firefox is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection.
-For a more user-friendly in-browser experience, consider using Edge.
+For a more user-friendly in-browser experience, consider using Microsoft Edge.
## Prerequisites
Before trying out this feature, make sure you have the following:
-- Windows 10 Enterprise E5 license
+- Windows 10 Enterprise E5 license OR Microsoft 365 E3 + Microsoft 365 E5 Security add-on.
- Access to Microsoft Defender Security Center portal
-- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update.
-Note that if SmartScreen is not turned on, Network Protection will take over the blocking.
+- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update.
+
+If Windows Defender SmartScreen is not turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device.
## Data handling
For this feature, we will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds.
-
## Turn on web content filtering
From the left-hand navigation menu, select **Settings > General > Advanced Features**. Scroll down until you see the entry for **Web content filtering**. Switch the toggle to **On** and **Save preferences**.
@@ -79,7 +79,7 @@ To add a new policy:
>[!NOTE]
>If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment.
->ProTip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.
+>ProTip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.
## Web content filtering cards and details
@@ -119,11 +119,11 @@ You can access the **Report details** for each card by selecting a table row or
Use the time range filter at the top left of the page to select a time period. You can also filter the information or customize the columns. Select a row to open a flyout pane with even more information about the selected item.
-
## Errors and issues
### Limitations and known issues in this preview
-- Only Edge is supported if your device's OS configuraiton is Server (cmd > Systeminfo > OS Configuration). This is because Network Protection is only supported in Inspect mode on Server devices which is responsible for securing traffic across Chrome/Firefox.
+
+- Only Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). This is because Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox.
- Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices in the interim before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index 7c19cb82ea..906f92f4f8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -36,6 +36,9 @@ For more information preview features, see [Preview features](https://docs.micro
> ```
+## July 2020
+- [Create indicators for certificates](manage-indicators.md) Create indicators to allow or block certificates.
+
## June 2020
- [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md) Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux.
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index f13b6bff37..9bae1e6575 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -66,6 +66,9 @@ When submitting Microsoft Defender Smartscreen products, make sure to select **M
## Viewing Microsoft Defender SmartScreen anti-phishing events
+> [!NOTE]
+> No Smartscreen events will be logged when using Microsoft Edge version 77 or later.
+
When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).
## Viewing Windows event logs for Microsoft Defender SmartScreen
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 0ac210bfc0..9e241156a8 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -26,44 +26,51 @@ The SCT enables administrators to effectively manage their enterprise’s Group
The Security Compliance Toolkit consists of:
-- Windows 10 security baselines
- - Windows 10 Version 1909 (November 2019 Update)
- - Windows 10 Version 1903 (May 2019 Update)
- - Windows 10 Version 1809 (October 2018 Update)
- - Windows 10 Version 1803 (April 2018 Update)
- - Windows 10 Version 1709 (Fall Creators Update)
- - Windows 10 Version 1607 (Anniversary Update)
- - Windows 10 Version 1507
+- Windows 10 security baselines
+ - Windows 10 Version 2004 (May 2020 Update)
+ - Windows 10 Version 1909 (November 2019 Update)
+ - Windows 10 Version 1903 (May 2019 Update)
+ - Windows 10 Version 1809 (October 2018 Update)
+ - Windows 10 Version 1803 (April 2018 Update)
+ - Windows 10 Version 1709 (Fall Creators Update)
+ - Windows 10 Version 1607 (Anniversary Update)
+ - Windows 10 Version 1507
-- Windows Server security baselines
- - Windows Server 2019
- - Windows Server 2016
- - Windows Server 2012 R2
+- Windows Server security baselines
+ - Windows Server 2019
+ - Windows Server 2016
+ - Windows Server 2012 R2
-- Microsoft Office security baseline
- - Microsoft 365 Apps for enterprise (Sept 2019)
+- Microsoft Office security baseline
+ - Microsoft 365 Apps for enterprise (Sept 2019)
-- Microsoft Edge security baseline
- - Version 80
+- Microsoft Edge security baseline
+ - Version 80
-- Tools
- - Policy Analyzer tool
- - Local Group Policy Object (LGPO) tool
+- Tools
+ - Policy Analyzer tool
+ - Local Group Policy Object (LGPO) tool
+
+- Scripts
+ - Baseline-ADImport.ps1
+ - Baseline-LocalInstall.ps1
+ - Remove-EPBaselineSettings.ps1
+ - MapGuidsToGpoNames.ps1
-You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines).
+You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines).
## What is the Policy Analyzer tool?
The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include:
-- Highlight when a set of Group Policies has redundant settings or internal inconsistencies
-- Highlight the differences between versions or sets of Group Policies
-- Compare GPOs against current local policy and local registry settings
-- Export results to a Microsoft Excel spreadsheet
+- Highlight when a set of Group Policies has redundant settings or internal inconsistencies
+- Highlight the differences between versions or sets of Group Policies
+- Compare GPOs against current local policy and local registry settings
+- Export results to a Microsoft Excel spreadsheet
Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
-More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+More information on the Policy Analyzer tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-tool-policy-analyzer/ba-p/701049) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the Local Group Policy Object (LGPO) tool?
@@ -73,4 +80,4 @@ LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files
It can export local policy to a GPO backup.
It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
-Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+Documentation for the LGPO tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index f5a0e5c08f..df59384aa5 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -6,7 +6,6 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-ms.localizationpriority: medium
author: dansimp
ms.date: 09/17/2018
ms.reviewer:
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index df0b38192a..b3c9f04138 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -56,7 +56,9 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP
### Best practices
-There are no best practices for this setting. Our previous guidance had recommended a setting of **Enabled**, primarily to align with US Federal government recommendations. [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend this setting be **Not Defined**, meaning that we leave the decision to customers. For a deeper explanation, see [Why We’re Not Recommending “FIPS Mode” Anymore](https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/).
+We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it is operating in FIPS 140-2 approved mode.
+
+For a complete list of Microsoft-recommended configuration settings, see [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines). For more information about Windows and FIPS 140-2, see [FIPS 140 Validation](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation).
### Location
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
index 610fcc1a0c..f051177f0c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
@@ -14,7 +14,6 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
-ms.assetid: 10c3597f-f44c-4c8e-8fe5-105d4ac016a6
ms.reviewer:
---
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
index a7e35f839e..da15b10af4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
@@ -3,9 +3,6 @@ title: Create a code signing cert for Windows Defender Application Control (Win
description: Learn how to set up a publicly-issued code signing certificate, so you can sign catalog files or WDAC policies internally.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index 266e60b744..ae0cd53f63 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -3,9 +3,7 @@ title: Understand Windows Defender Application Control policy design decisions
description: Understand Windows Defender Application Control policy design decisions.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
manager: dansimp
-ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -16,7 +14,6 @@ ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
-manager: dansimp
ms.date: 02/08/2018
---
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
index 555168716a..f49176ee48 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
@@ -3,9 +3,6 @@ title: Use code signing to simplify application control for classic Windows appl
description: With embedded signing, your WDAC policies typically do not have to be updated when an app is updated. To set this up, you can choose from a variety of methods.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
index d050e42b00..766037be4b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
@@ -3,8 +3,6 @@ title: Use the Device Guard Signing Portal in the Microsoft Store for Business
description: You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
@@ -15,7 +13,6 @@ audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
-ms.author: dansimp
manager: dansimp
ms.date: 02/19/2019
---
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index 5bbcb531fa..f5a09fc5c6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -3,9 +3,6 @@ title: Use signed policies to protect Windows Defender Application Control again
description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
index 43cc718d71..79a167e2a1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
@@ -3,7 +3,6 @@ title: Use a Windows Defender Application Control policy to control specific plu
description: WDAC policies can be used not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.prod: w10
@@ -15,8 +14,6 @@ audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
-ms.author: dansimp
-manager: dansimp
ms.date: 05/03/2018
---
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
index 8ad3ce6f98..f0c0979e51 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
@@ -22,7 +22,7 @@ ms.date: 06/13/2018
**Applies to:**
- Windows 10
-- Windows Server 2016 and above
+- Windows Server 2019
Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC).
This is especially true for enterprises with large, ever changing software catalogs.
@@ -36,7 +36,7 @@ A managed installer uses a new rule collection in AppLocker to specify one or mo
Specifying an executable as a managed installer will cause Windows to tag files that are written from the executable’s process (or processes it launches) as having originated from a trusted installation authority. The Managed Installer rule collection is currently supported for AppLocker rules in Group Policy and in Configuration Manager, but not in the AppLocker CSP for OMA-URI policies.
Once the IT administrator adds the Allow: Managed Installer option to a WDAC policy, the WDAC component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy.
-If there are no deny rules present for the file, it will be authorized based on the managed installer origin information.+
+If there are no deny rules present for the file, it will be authorized based on the managed installer origin information.
Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer.
Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps.
@@ -46,9 +46,9 @@ Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExampleP
Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled.
There are three primary steps to keep in mind:
-- Specify managed installers using the Managed Installer rule collection in AppLocker policy
-- Enable service enforcement in AppLocker policy
-- Enable the managed installer option in a WDAC policy
+- Specify managed installers by using the Managed Installer rule collection in AppLocker policy.
+- Enable service enforcement in AppLocker policy.
+- Enable the managed installer option in a WDAC policy.
### Specify managed installers using the Managed Installer rule collection in AppLocker policy
@@ -60,7 +60,7 @@ For more information about creating an AppLocker policy that includes a managed
As mentioned above, the AppLocker CSP for OMA-URI policies does not currently support the Managed Installer rule collection or the Service Enforcement rule extensions mentioned below.
-```code
+```xml
@@ -82,10 +82,10 @@ As mentioned above, the AppLocker CSP for OMA-URI policies does not currently su
## Enable service enforcement in AppLocker policy
Since many installation processes rely on services, it is typically necessary to enable tracking of services.
-Correct tracking of services requires the presence of at least one rule in the rule collection – a simple audit only rule will suffice.
+Correct tracking of services requires the presence of at least one rule in the rule collection — a simple audit only rule will suffice.
For example:
-```code
+```xml
@@ -124,7 +124,7 @@ In order to enable trust for the binaries laid down by managed installers, the E
This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption).
An example of the managed installer option being set in policy is shown below.
-```code
+```xml
@@ -149,7 +149,7 @@ An example of the managed installer option being set in policy is shown below.
To enable the managed installer, you need to set the AppLocker filter driver to autostart and start it.
Run the following command as an Administrator:
-```code
+```console
appidtel.exe start [-mionly]
```
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
index 73deb5fff0..7fac37b115 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -46,7 +46,7 @@ WDAC policies apply to the managed computer as a whole and affects all users of
### WDAC System Requirements
WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
-WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
+WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
## AppLocker
diff --git a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md b/windows/security/threat-protection/windows-defender-security-center/oldTOC.md
index 4ca95e5608..0533ec00f5 100644
--- a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md
+++ b/windows/security/threat-protection/windows-defender-security-center/oldTOC.md
@@ -1,5 +1,10 @@
-# [The Microsoft Defender Security Center app](windows-defender-security-center.md)
+---
+ms.author: dansimp
+author: dansimp
+title: The Microsoft Defender Security Center app
+---
+# [The Microsoft Defender Security Center app](windows-defender-security-center.md)
## [Customize the Microsoft Defender Security Center app for your organization](wdsc-customize-contact-information.md)
## [Hide Microsoft Defender Security Center app notifications](wdsc-hide-notifications.md)
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
index 2ab6468f1e..3179f10cb2 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
@@ -3,7 +3,6 @@ title: Account protection in the Windows Security app
description: Use the Account protection section to manage security for your account and sign in to Microsoft.
keywords: account protection, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide, Windows Defender SmartScreen, SmartScreen Filter, Windows SmartScreen
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
index 001c490193..bbfe0a7bd0 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
@@ -3,7 +3,6 @@ title: App & browser control in the Windows Security app
description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings.
keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
index cb2c999276..1611fdc1c9 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -3,7 +3,6 @@ title: Customize Windows Security contact information
description: Provide information to your employees on how to contact your IT department when a security issue occurs
keywords: wdsc, security center, defender, notification, customize, contact, it department, help desk, call, help site
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
index d02b829376..ca606e3a6b 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
@@ -3,7 +3,6 @@ title: Device & performance health in the Windows Security app
description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues
keywords: wdsc, windows update, storage, driver, device, installation, battery, health, status
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
index 2acf81e5cf..26a2da094f 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
@@ -3,7 +3,6 @@ title: Device security in the Windows Security app
description: Use the Device security section to manage security built into your device, including virtualization-based security.
keywords: device security, device guard, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
index d785a3f420..47bf414bc9 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
@@ -3,7 +3,6 @@ title: Family options in the Windows Security app
description: Hide the Family options section in enterprise environments
keywords: wdsc, family options, hide, suppress, remove, disable, uninstall, kids, parents, safety, parental, child, screen time
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
index 141a5c002f..4209ff2f58 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -3,11 +3,9 @@ title: Firewall and network protection in the Windows Security app
description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
keywords: wdsc, firewall, windows defender firewall, network, connections, domain, private network, publish network, allow firewall, firewall rule, block firewall
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
index c215717a36..e4ee0c83a3 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
@@ -3,7 +3,6 @@ title: Hide notifications from the Windows Security app
description: Prevent Windows Security app notifications from appearing on user endpoints
keywords: defender, security center, app, notifications, av, alerts
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -11,7 +10,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 04/30/2018
+ms.date: 07/23/2020
ms.reviewer:
manager: dansimp
---
@@ -52,11 +51,10 @@ You can hide notifications that describe regular events related to the health an
This can only be done in Group Policy.
>[!IMPORTANT]
->### Requirements
>
->You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. Download the latest [Administrative Templates (.admx) for Windows 10, v1809](https://www.microsoft.com/download/details.aspx?id=57576).
+1. Download the latest [Administrative Templates (.admx) for Windows 10, v2004](https://www.microsoft.com/download/101445).
2. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -76,29 +74,30 @@ You can hide all notifications that are sourced from the Windows Security app. T
This can only be done in Group Policy.
>[!IMPORTANT]
->### Requirements
>
->You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below the path would be **Windows components > Windows Defender Security Center > Notifications**
+5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below the path would be **Windows components > Windows Defender Security Center > Notifications**.
+
+ > [!NOTE]
+ > For Windows 10 version 2004 and above the path would be **Windows components > Windows Security > Notifications**.
6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
-7. Use the following registry key and DWORD value to **Hide all notifications**.
-
- **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
+7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+
+> [!NOTE]
+> You can use the following registry key and DWORD value to **Hide all notifications**.
+> **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
**"DisableNotifications"=dword:00000001**
-
-8. Use the following registry key and DWORD value to **Hide not-critical notifications**
-
- **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
+> You can use the following registry key and DWORD value to **Hide not-critical notifications**.
+>**[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
**"DisableEnhancedNotifications"=dword:00000001**
-
-9. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+
## Notifications
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
index df2646c94e..f3c4b5e3d9 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -3,7 +3,6 @@ title: Virus and threat protection in the Windows Security app
description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
index 5431868198..6be93c64cb 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
@@ -3,7 +3,6 @@ title: Manage Windows Security in Windows 10 in S mode
description: Windows Security settings are different in Windows 10 in S mode
keywords: windows 10 in s mode, windows 10 s, windows 10 s mode, wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index 0f263a291a..a3bf04355b 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -3,11 +3,9 @@ title: The Windows Security app
description: The Windows Security app brings together common Windows security features into one place
keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
index 8bea94a26f..ae4136db06 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
@@ -1,6 +1,6 @@
---
-title: Open the Group Policy Management Console to Windows Firewall with Advanced Security (Windows 10)
-description: Open the Group Policy Management Console to Windows Firewall with Advanced Security
+title: Group Policy Management of Windows Firewall with Advanced Security (Windows 10)
+description: Group Policy Management of Windows Firewall with Advanced Security
ms.assetid: 28afab36-8768-4938-9ff2-9d6dab702e98
ms.reviewer:
ms.author: dansimp
@@ -17,7 +17,7 @@ ms.topic: conceptual
ms.date: 04/19/2017
---
-# Open the Group Policy Management Console to Windows Firewall with Advanced Security
+# Group Policy Management of Windows Firewall with Advanced Security
**Applies to**
- Windows 10
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index d1d4e94a38..3dece2757f 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -15,159 +15,227 @@ ms.reviewer:
# Common Criteria Certifications
-Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria certifications of Microsoft Windows products.
+Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products. This topic lists the current and archived certified Windows products, together with relevant documentation from each certification.
-## Common Criteria Security Targets
+## Certified Products
-### Information for Systems Integrators and Accreditors
+The product releases below are currently certified against the cited Protection Profile, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/). The Security Target describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The Administrative Guide provides guidance on configuring the product to match the evaluated configuration. The Certification Report or Validation Report documents the results of the evaluation by the validation team, with the Assurance Activity Report providing details on the evaluator's actions.
-The Security Target describes security functionality and assurance measures used to evaluate Windows.
+### Microsoft Windows 10 and Windows Server (November 2019 Update, version 1909)
+Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients.
-- [Microsoft Windows 10 (November 2019 Update)](https://download.microsoft.com/download/b/3/7/b37981cf-040a-4b02-a93c-a3d3a93986bf/Windows%2010%201909%20GP%20OS%20Security%20Target.pdf)
-- [Microsoft Windows 10 (May 2019 Update)](https://download.microsoft.com/download/c/6/9/c6903621-901e-4603-b9cb-fbfe5d6aa691/Windows%2010%201903%20GP%20OS%20Security%20Target.pdf)
-- [Microsoft Windows 10 (October 2018 Update)](https://download.microsoft.com/download/3/f/e/3fe6938d-2c2d-4ef1-85d5-1d42dc68ea89/Windows%2010%20version%201809%20GP%20OS%20Security%20Target.pdf)
-- [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
-- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
-- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
-- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
-- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
-- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
-- [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
-- [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
-- [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
-- [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
-- [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
-- [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
-- [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf)
-- [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf)
-- [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf)
-- [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf)
-- [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf)
-- [Windows 8 and Windows Server 2012 BitLocker](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
-- [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
-- [Windows 7 and Windows Server 2008 R2](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
-- [Microsoft Windows Server 2008 R2 Hyper-V Role](https://www.microsoft.com/download/en/details.aspx?id=29305)
-- [Windows Vista and Windows Server 2008 at EAL4+](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
-- [Microsoft Windows Server 2008 Hyper-V Role](https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
-- [Windows Vista and Windows Server 2008 at EAL1](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
-- [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](https://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf)
-- [Windows Server 2003 Certificate Server](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
-- [Windows Rights Management Services (RMS) 1.0 SP2](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
+- [Security Target](https://download.microsoft.com/download/b/3/7/b37981cf-040a-4b02-a93c-a3d3a93986bf/Windows%2010%201909%20GP%20OS%20Security%20Target.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/7/7/3/77303254-05fb-4009-8a39-bf5fe7484a41/Windows%2010%201909%20GP%20OS%20Administrative%20Guide.pdf)
+- [Certification Report](https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/0/0/d/00d26b48-a051-4e9a-8036-850d825f8ef9/Windows%2010%201909%20GP%20OS%20Assurance%20Activity%20Report.pdf)
-## Common Criteria Deployment and Administration
+### Microsoft Windows 10 and Windows Server (May 2019 Update, version 1903)
+Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.
-### Information for IT Administrators
+- [Security Target](https://download.microsoft.com/download/c/6/9/c6903621-901e-4603-b9cb-fbfe5d6aa691/Windows%2010%201903%20GP%20OS%20Security%20Target.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/0/b/b/0bb1c6b7-499a-458e-a5f8-e9cf972dfa8d/Windows%2010%201903%20GP%20OS%20Administrative%20Guide.pdf)
+- [Certification Report](https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/2/a/1/2a103b68-cd12-4476-8945-873746b5f432/Windows%2010%201903%20GP%20OS%20Assurance%20Activity%20Report.pdf)
-These documents describe how to configure Windows to replicate the configuration used during the Common Criteria evaluation.
+### Microsoft Windows 10 and Windows Server (October 2018 Update, version 1809)
+Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.
-**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2**
+- [Security Target](https://download.microsoft.com/download/3/f/e/3fe6938d-2c2d-4ef1-85d5-1d42dc68ea89/Windows%2010%20version%201809%20GP%20OS%20Security%20Target.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/f/f/1/ff186e32-35cf-47db-98b0-91ff11763d74/Windows%2010%20version%201809%20GP%20OS%20Administrative%20Guide.pdf)
+- [Certification Report](https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/a/6/6/a66bfcf1-f6ef-4991-ab06-5b1c01f91983/Windows%2010%201809%20GP%20OS%20Assurance%20Activity%20Report.pdf)
-- [Microsoft Windows 10 (November 2019 Update)](https://download.microsoft.com/download/7/7/3/77303254-05fb-4009-8a39-bf5fe7484a41/Windows%2010%201909%20GP%20OS%20Administrative%20Guide.pdf)
-- [Microsoft Windows 10 (May 2019 Update)](https://download.microsoft.com/download/0/b/b/0bb1c6b7-499a-458e-a5f8-e9cf972dfa8d/Windows%2010%201903%20GP%20OS%20Administrative%20Guide.pdf)
-- [Microsoft Windows 10 (October 2018 Update)](https://download.microsoft.com/download/f/f/1/ff186e32-35cf-47db-98b0-91ff11763d74/Windows%2010%20version%201809%20GP%20OS%20Administrative%20Guide.pdf)
-- [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
-- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
-- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
-- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
-- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
-- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
-- [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
-- [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
-- [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
-- [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
-- [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
-- [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf)
+### Microsoft Windows 10 and Windows Server (April 2018 Update, version 1803)
+Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.
-**Windows 8.1 and Windows Phone 8.1**
+- [Security Target](https://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
+- [Certification Report](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/b/3/d/b3da41b6-6ebc-4a26-a581-2d2ad8d8d1ac/Windows%2010%201803%20GP%20OS%20Assurance%20Activity%20Report.pdf)
-- [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
-- [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
+### Microsoft Windows 10 and Windows Server (Fall Creators Update, version 1709)
+Certified against the Protection Profile for General Purpose Operating Systems.
-**Windows 8, Windows RT, and Windows Server 2012**
+- [Security Target](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
+- [Certification Report](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/e/7/6/e7644e3c-1e59-4754-b071-aec491c71849/Windows%2010%201709%20GP%20OS%20Assurance%20Activity%20Report.pdf)
-- [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
-- [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
-- [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
-- [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
+### Microsoft Windows 10 (Creators Update, version 1703)
+Certified against the Protection Profile for General Purpose Operating Systems.
-**Windows 7 and Windows Server 2008 R2**
+- [Security Target](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
+- [Administrative Guide](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
+- [Certification Report](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf)
-- [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
-- [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](https://www.microsoft.com/download/en/details.aspx?id=29308)
+### Microsoft Windows 10 (Anniversary Update, version 1607) and Windows Server 2016
+Certified against the Protection Profile for General Purpose Operating Systems.
-**Windows Vista and Windows Server 2008**
+- [Security Target](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
+- [Administrative Guide](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
+- [Validation Report](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/a/5/f/a5f08a43-75f9-4433-bd77-aeb14276e587/Windows%2010%201607%20GP%20OS%20Assurance%20Activity%20Report.pdf)
-- [Windows Vista and Windows Server 2008 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
-- [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
+### Microsoft Windows 10 (version 1507) and Windows Server 2012 R2
+Certified against the Protection Profile for General Purpose Operating Systems.
-**Windows Server 2003 SP2 including R2, x64, and Itanium**
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
+- [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/7/e/5/7e5575c9-10f9-4f3d-9871-bd7cf7422e3b/Windows%2010%20(1507),%20Windows%20Server%202012%20R2%20GPOS%20Assurance%20Activity%20Report.pdf)
-- [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949)
-- [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc)
+## Archived Certified Products
-**Windows Server 2003 SP1(x86), x64, and IA64**
+The product releases below were certified against the cited Protection Profile and are now archived, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/index.cfm?archived=1). The Security Target describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The Administrative Guide provides guidance on configuring the product to match the evaluated configuration. The Validation Report documents the results of the evaluation by the validation team, with the Assurance Activity Report, where available, providing details on the evaluator's actions.
+### Microsoft Windows Server 2016, Windows Server 2012 R2, and Windows 10
+Certified against the Protection Profile for Server Virtualization.
+
+- [Security Target](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
+- [Validation Report](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/3/f/c/3fcc76e1-d471-4b44-9a19-29e69b6ab899/Windows%2010%20Hyper-V,%20Server%202016,%20Server%202012%20R2%20Virtualization%20Assurance%20Activity%20Report.pdf)
+
+### Microsoft Windows 10 and Windows 10 Mobile (Anniversary Update, version 1607)
+Certified against the Protection Profile for Mobile Device Fundamentals.
+
+- [Security Target](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
+- [Administrative Guide](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
+- [Validation Report](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf)
+
+### Microsoft Windows 10 (Anniversary Update, version 1607) and Windows Server 2016
+Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
+
+- [Security Target](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
+- [Administrative Guide](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
+- [Validation Report](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/b/8/d/b8ddc36a-408a-4d64-a31c-d41c9c1e9d9e/Windows%2010%201607,%20Windows%20Server%202016%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf)
+
+### Microsoft Windows 10 (November 2015 Update, version 1511)
+Certified against the Protection Profile for Mobile Device Fundamentals.
+
+- [Security Target](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
+- [Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
+- [Validation Report](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/1/f/1/1f12ed80-6d73-4a16-806f-d5116814bd7c/Windows%2010%20November%202015%20Update%20(1511)%20MDF%20Assurance%20Activity%20Report.pdf)
+
+### Microsoft Windows 10 and Windows 10 Mobile (version 1507)
+Certified against the Protection Profile for Mobile Device Fundamentals.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10677-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10694-vr.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/a/1/3/a1365491-0a53-42cd-bd73-ca4067c43d86/Windows%2010,%20Windows%2010%20Mobile%20(1507)%20MDF%20Assurance%20Activity%20Report.pdf)
+
+### Microsoft Windows 10 (version 1507)
+Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
+
+- [Security Target](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
+- [Validation Report](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/9/3/6/93630ffb-5c06-4fea-af36-164da3e359c9/Windows%2010%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf)
+
+### Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830
+Certified against the Protection Profile for Mobile Device Fundamentals.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-vr.pdf)
+
+### Microsoft Surface Pro 3 and Windows 8.1
+Certified against the Protection Profile for Mobile Device Fundamentals.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-vr.pdf)
+
+### Windows 8.1 and Windows Phone 8.1
+Certified against the Protection Profile for Mobile Device Fundamentals.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-vr.pdf)
+
+### Windows 8 and Windows Server 2012
+Certified against the Protection Profile for General Purpose Operating Systems.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-vr.pdf)
+
+### Windows 8 and Windows RT
+Certified against the Protection Profile for General Purpose Operating Systems.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-vr.pdf)
+
+### Windows 8 and Windows Server 2012 BitLocker
+Certified against the Protection Profile for Full Disk Encryption.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
+
+### Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client
+Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
+
+### Windows 7 and Windows Server 2008 R2
+Certified against the Protection Profile for General Purpose Operating Systems.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
+- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
+
+### Microsoft Windows Server 2008 R2 Hyper-V Role
+
+- [Security Target](https://www.microsoft.com/download/en/details.aspx?id=29305)
+- [Administrative Guide](https://www.microsoft.com/download/en/details.aspx?id=29308)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
+
+### Windows Vista and Windows Server 2008 at EAL4+
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
+- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
+
+### Windows Vista and Windows Server 2008 at EAL1
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
+- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
+- [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
+
+### Microsoft Windows Server 2008 Hyper-V Role
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
+- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
+- [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf)
+
+### Windows XP and Windows Server 2003
+
+- [Security Target - Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](https://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf)
+- [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc)
+- [Windows Server 2003 SP2 R2 Administrator Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949)
+- [Windows Server 2003 SP2 R2 Configuration Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc)
+- [Windows Server 2003 SP1 Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc)
+- [Windows Server 2003 SP1 Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38)
- [Windows Server 2003 with x64 Hardware Administrator's Guide](https://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef)
- [Windows Server 2003 with x64 Hardware Configuration Guide](https://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8)
-
-**Windows Server 2003 SP1**
-
-- [Windows Server 2003 Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc)
-- [Windows Server 2003 Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38)
-
-**Windows XP Professional SP2 (x86) and x64 Edition**
-
-- [Windows XP Common Criteria Administrator Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee)
-- [Windows XP Common Criteria Configuration Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694)
-- [Windows XP Common Criteria User Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779)
+- [Windows XP Administrator Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee)
+- [Windows XP Configuration Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694)
+- [Windows XP User Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779)
- [Windows XP Professional with x64 Hardware Administrator's Guide](https://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431)
- [Windows XP Professional with x64 Hardware Configuration Guide](https://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54)
- [Windows XP Professional with x64 Hardware User’s Guide](https://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569)
-
-**Windows XP Professional SP2, and XP Embedded SP2**
-
- [Windows XP Professional Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60)
- [Windows XP Professional Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de)
- [Windows XP Professional User's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8)
-
-**Windows Server 2003 Certificate Server**
-
-- [Windows Server 2003 Certificate Server Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
-- [Windows Server 2003 Certificate Server Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
-- [Windows Server 2003 Certificate Server User's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
-
-## Common Criteria Evaluation Technical Reports and Certification / Validation Reports
-
-### Information for Systems Integrators and Accreditors
-
-An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team.
-
-- [Microsoft Windows 10 (November 2019 Update)](https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf)
-- [Microsoft Windows 10 (May 2019 Update)](https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf)
-- [Microsoft Windows 10 (October 2018 Update)](https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf)
-- [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
-- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
-- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
-- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
-- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
-- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
-- [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
-- [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
-- [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
-- [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf)
-- [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
-- [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf)
-- [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf)
-- [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf)
-- [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf)
-- [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf)
-- [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf)
-- [Windows 8 and Windows Server 2012 BitLocker](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
-- [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
-- [Windows 7 and Windows Server 2008 R2 Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
-- [Windows Vista and Windows Server 2008 Validation Report at EAL4+](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
-- [Windows Server 2008 Hyper-V Role Certification Report](https://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
-- [Windows Vista and Windows Server 2008 Certification Report at EAL1](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
- [Windows XP / Windows Server 2003 with x64 Hardware ETR](https://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef)
- [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](https://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658)
- [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](https://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
@@ -175,10 +243,17 @@ An Evaluation Technical Report (ETR) is a report submitted to the Common Criteri
- [Windows XP Embedded SP2 Validation Report](https://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- [Windows XP and Windows Server 2003 ETR](https://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265)
- [Windows XP and Windows Server 2003 Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf)
-- [Windows Server 2003 Certificate Server ETR](https://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
-- [Windows Server 2003 Certificate Server Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
-- [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
-## Other Common Criteria Related Documents
+### Windows Server 2003 Certificate Server
-- [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc)
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
+- [Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
+- [Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
+- [User's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
+- [Evaluation Technical Report](https://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
+
+### Windows Rights Management Services
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index fa85062872..e7b8a53f7a 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -35,7 +35,7 @@ The following video provides an overview of Windows Sandbox.
## Prerequisites
-- Windows 10 Pro or Enterprise build 18305 or later (*Windows Sandbox is currently not supported on Home SKUs*)
+- Windows 10 Pro, Enterprise or Education build 18305 or later (*Windows Sandbox is currently not supported on Home SKUs*)
- AMD64 architecture
- Virtualization capabilities enabled in BIOS
- At least 4 GB of RAM (8 GB recommended)
@@ -48,7 +48,7 @@ The following video provides an overview of Windows Sandbox.
2. Enable virtualization on the machine.
- If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
- - If you're using a virtual machine, run the following PowerShell command to enable nested virtualization: **Set -VMProcessor -VMName \ -ExposeVirtualizationExtensions $true**
+ - If you're using a virtual machine, run the following PowerShell command to enable nested virtualization: **Set-VMProcessor -VMName \ -ExposeVirtualizationExtensions $true**
1. Use the search bar on the task bar and type **Turn Windows Features on and off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
- If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this is incorrect, review the prerequisite list as well as steps 1 and 2.
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index 489cb3373f..8518f5c4af 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -122,7 +122,7 @@ The following [Delivery Optimization](https://docs.microsoft.com/windows/deploym
[Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include:
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
-- Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue leveraging deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**).
+- Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue leveraging deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). For more information about this change, see [Simplified Windows Update settings for end users](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplified-windows-update-settings-for-end-users/ba-p/1497215).
## Virtualization
-Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service.
-
-
-[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor)
-
-[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor)
-
-[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor)
-
-[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor)
-
-[BRK3039: Windows 10 and Microsoft Microsoft 365 Apps for enterprise lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor)
-
-[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor)
-
-[THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor)
-
-[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor)
+Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. See [MyIgnite - Session catalog](https://myignite.techcommunity.microsoft.com/sessions).
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
index b83dd307b0..eb75d04c0c 100644
--- a/windows/deployment/update/windows-update-error-reference.md
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -8,7 +8,6 @@ itproauthor: jaimeo
author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md
index cdb6ea9f85..e3d4342c33 100644
--- a/windows/deployment/update/windows-update-errors.md
+++ b/windows/deployment/update/windows-update-errors.md
@@ -5,8 +5,6 @@ ms.prod: w10
ms.mktglfcycl:
audience: itpro
itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.date: 09/18/2018
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index 1e9deff347..32d22bb62b 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -5,8 +5,6 @@ ms.prod: w10
ms.mktglfcycl:
audience: itpro
itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.date: 09/18/2018
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index 47cb14f395..d96f16274f 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -6,9 +6,7 @@ ms.mktglfcycl:
audience: itpro
itproauthor: jaimeo
author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
-author: jaimeo
ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md
index 0371ab7f89..17dce5c494 100644
--- a/windows/deployment/update/windows-update-resources.md
+++ b/windows/deployment/update/windows-update-resources.md
@@ -4,14 +4,14 @@ description: Use these resource to troubleshoot and reset Windows Update.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
-author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.author: jaimeo
+author: jaimeo
---
# Windows Update - additional resources
diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md
index 967245b7d0..f2f001b980 100644
--- a/windows/deployment/update/windows-update-troubleshooting.md
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@@ -5,8 +5,6 @@ ms.prod: w10
ms.mktglfcycl:
audience: itpro
itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.reviewer:
diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md
index ac584017e2..49657d8483 100644
--- a/windows/deployment/update/wufb-autoupdate.md
+++ b/windows/deployment/update/wufb-autoupdate.md
@@ -6,9 +6,7 @@ ms.mktglfcycl: manage
audience: itpro
itproauthor: jaimeo
author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
-author: jaimeo
ms.date: 06/20/2018
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/update/wufb-basics.md b/windows/deployment/update/wufb-basics.md
index 719b115f4f..0c8f5c32db 100644
--- a/windows/deployment/update/wufb-basics.md
+++ b/windows/deployment/update/wufb-basics.md
@@ -8,7 +8,6 @@ itproauthor: jaimeo
author: jaimeo
ms.localizationprioauthor: jaimeo
ms.audience: itpro
-author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
diff --git a/windows/deployment/update/wufb-managedrivers.md b/windows/deployment/update/wufb-managedrivers.md
index e451d7751a..56f956aae8 100644
--- a/windows/deployment/update/wufb-managedrivers.md
+++ b/windows/deployment/update/wufb-managedrivers.md
@@ -5,8 +5,6 @@ ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.date: 06/21/2018
diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md
index 10037c56b2..93a5ab27b7 100644
--- a/windows/deployment/update/wufb-manageupdate.md
+++ b/windows/deployment/update/wufb-manageupdate.md
@@ -6,9 +6,7 @@ ms.mktglfcycl: manage
audience: itpro
itproauthor: jaimeo
author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
-author: jaimeo
ms.date: 06/20/2018
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/update/wufb-onboard.md b/windows/deployment/update/wufb-onboard.md
index 058f595090..9956826543 100644
--- a/windows/deployment/update/wufb-onboard.md
+++ b/windows/deployment/update/wufb-onboard.md
@@ -5,8 +5,6 @@ ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.reviewer:
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index 3a7f854132..9cef992dea 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -1,64 +1,65 @@
----
-title: Resolve Windows 10 upgrade errors - Windows IT Pro
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
-keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.topic: article
----
-
-# Resolve Windows 10 upgrade errors : Technical information for IT Pros
-
-**Applies to**
-- Windows 10
-
->[!IMPORTANT]
->This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](quick-fixes.md) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md).
-
-This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
-
-The article was originally one page, but has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods.
-
-The following four levels are assigned:
-
-Level 100: Basic 
-
-
-Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism.
-
-- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot). This is the preferred mechanism for all customers.
-- [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). This is used by CSP partners to register devices on behalf of customers.
-- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business.
-- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). You might already be using MSfB to manage your apps and settings.
-
-A summary of each platform's capabilities is provided below.
