| Using a provisioning package in combination with Windows Autopilot can cause issues, especially if the PPKG contains join, enrollment, or device name information. | Using PPKGs in combination with Windows Autopilot is not recommended.
## Related topics
diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md
index 010a4d2420..a03e5fbb55 100644
--- a/windows/deployment/windows-autopilot/troubleshooting.md
+++ b/windows/deployment/windows-autopilot/troubleshooting.md
@@ -67,10 +67,10 @@ So, as an example (this is not a device hash, but it's misaligned unpadded Base6
Now for the padding rules. The padding character is "=". The padding character can only be at the end of the hash, and there can only be a maximum of 2 padding characters. Here's the basic logic.
- Does decoding the hash fail?
- - Yes: Are the last two characters "="?
- - Yes: Replace both "=" with a single "A" character, then try again
- - No: Add another "=" character at the end, then try again
- - No: That hash is valid
+ - Yes: Are the last two characters "="?
+ - Yes: Replace both "=" with a single "A" character, then try again
+ - No: Add another "=" character at the end, then try again
+ - No: That hash is valid
Looping the logic above on the previous example hash, we get the following permutations:
- Q29udG9zbwAAA
@@ -128,6 +128,8 @@ On devices running a [supported version](https://docs.microsoft.com/windows/rele
The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD.
+An Azure AD device is created upon import - it's important that this object not be deleted. It acts as Autopilot's anchor in AAD for group membership and targeting (including the profile) and can lead to join errors if it's deleted. Once this object has been deleted, to fix the issue, deleting and reimporting this autopilot hash will be necessary so it can recreate the associated object.
+
Error code 801C0003 will typically be reported on an error page titled "Something went wrong". This error means that the Azure AD join failed.
## Troubleshooting Intune enrollment issues
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md
index 07be2bbf3d..7d47fb49d1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.md
@@ -50,6 +50,9 @@ It is currently possible to set a convenience PIN on Azure Active Directory Join
## Can I use an external camera when my laptop is closed or docked?
No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further.
+## Why does authentication fail immediately after provisioning Hybrid Key Trust?
+In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle.
+
## What is the password-less strategy?
Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**.
@@ -166,4 +169,3 @@ Windows Hello for Business can work with any third-party federation servers that
## Does Windows Hello for Business work with Mac and Linux clients?
Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index 57a2493e4c..7a49cdb675 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -64,14 +64,24 @@ Domain controllers automatically request a domain controller certificate (if pub
By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
+
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
+
5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
- **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+
+ > [!NOTE]
+ > If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+
6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
+
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+
8. Close the console.
### Superseding the existing Domain Controller certificate
@@ -81,14 +91,23 @@ Many domain controllers may have an existing domain controller certificate. The
The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template.
Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**.
+
4. Click the **Superseded Templates** tab. Click **Add**.
+
5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**.
+
6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**.
+
7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**.
+
8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab.
+
9. Click **OK** and close the **Certificate Templates** console.
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
@@ -98,16 +117,28 @@ The certificate template is configured to supersede all the certificate template
Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**.
+
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
-5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
- **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+
+5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
+
+ > [!NOTE]
+ > If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+
6. On the **Request Handling** tab, select **Allow private key to be exported**.
+
7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
+
8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission.
-9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+
+9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+
10. Close the console.
### Unpublish Superseded Certificate Templates
@@ -117,10 +148,15 @@ The certificate authority only issues certificates based on published certificat
The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Expand the parent node from the navigation pane.
+
3. Click **Certificate Templates** in the navigation pane.
+
4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window.
+
5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
### Publish Certificate Templates to the Certificate Authority
@@ -128,13 +164,20 @@ Sign-in to the certificate authority or management workstation with _Enterprise
The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Expand the parent node from the navigation pane.
+
3. Click **Certificate Templates** in the navigation pane.
+
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
+
5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+
6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list.
- * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation.
+
+ \* To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation.
7. Close the console.
@@ -143,23 +186,37 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
Domain controllers automatically request a certificate from the domain controller certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU.
1. Start the **Group Policy Management Console** (gpmc.msc)
+
2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+
3. Right-click **Group Policy object** and select **New**
+
4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**.
+
5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**.
+
6. In the navigation pane, expand **Policies** under **Computer Configuration**.
+
7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
+
8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**.
+
9. Select **Enabled** from the **Configuration Model** list.
-10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
+
+10. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box.
+
11. Select the **Update certificates that use certificate templates** check box.
+
12. Click **OK**. Close the **Group Policy Management Editor**.
### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object
Sign-in to a domain controller or management workstations with _Domain Admin_ equivalent credentials.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…**
+
+1. Start the **Group Policy Management Console** (gpmc.msc).
+
+2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…**.
+
3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
### Validating your work
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index 79bae6b394..931ca5edf7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -1,6 +1,6 @@
---
title: Deploy Microsoft Defender ATP for Linux manually
-ms.reviewer:
+ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for Linux manually from the command line.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
@@ -14,7 +14,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
---
@@ -53,13 +53,13 @@ In order to preview new features and provide early feedback, it is recommended t
> In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”.
```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
- For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insider-fast* channel:
+ For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insider-fast* channel:
```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
```
- Install the Microsoft GPG public key:
@@ -67,12 +67,18 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
```
-
+
```bash
sudo rpm --import microsoft.asc
```
-- Download and make usable all the metadata for the currently enabled yum repositories:
+- Install `yum-utils` if it is not already installed:
+
+ ```bash
+ sudo yum install yum-utils
+ ```
+
+- Download and make usable all the metadata for the currently enabled yum repositories:
```bash
yum makecache
@@ -85,10 +91,10 @@ In order to preview new features and provide early feedback, it is recommended t
In the following commands, replace *[distro]* and *[version]* with the information you've identified:
```bash
- sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
+ sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
- For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insider-fast* channel:
+ For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insider-fast* channel:
```bash
sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/sles/12/insiders-fast.repo
@@ -99,7 +105,7 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
```
-
+
```bash
rpm --import microsoft.asc
```
@@ -112,6 +118,12 @@ In order to preview new features and provide early feedback, it is recommended t
sudo apt-get install curl
```
+- Install `libplist-utils` if it is not already installed:
+
+ ```bash
+ sudo apt-get install libplist-utils
+ ```
+
- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config`.
In the below command, replace *[distro]* and *[version]* with the information you've identified:
@@ -123,7 +135,7 @@ In order to preview new features and provide early feedback, it is recommended t
For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insider-fast* channel:
```bash
- curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
+ curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
```
- Install the repository configuration:
@@ -141,12 +153,7 @@ In order to preview new features and provide early feedback, it is recommended t
- Install the Microsoft GPG public key:
```bash
- curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
- ```
-
- ```bash
- sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
-
+ curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add -
```
- Install the https driver if it's not already present:
@@ -193,7 +200,7 @@ Download the onboarding package from Microsoft Defender Security Center:
4. From a command prompt, verify that you have the file.
Extract the contents of the archive:
-
+
```bash
ls -l
total 8
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index 02831671bc..bda42ad846 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -13,7 +13,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
---
@@ -59,7 +59,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
If an error occurs during installation, the installer will only report a general failure.
-The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
+The detailed log will be saved to `/Library/Logs/Microsoft/mdatp/install.log`. If you experience issues during installation, send us this file so we can help diagnose the cause.
## Uninstalling
@@ -72,6 +72,7 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Please note
### From the command line
- ```sudo rm -rf '/Applications/Microsoft Defender ATP.app'```
+- ```sudo rm -rf '/Library/Application Support/Microsoft/Defender/'```
## Configuring from the command line
@@ -98,6 +99,10 @@ Important tasks, such as controlling product settings and triggering on-demand s
|EDR |Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
|EDR |Remove group tag from machine |`mdatp --edr --remove-tag [name]` |
+## Client Microsoft Defender ATP quarantine directory
+
+`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`.
+
## Microsoft Defender ATP portal information
-[This blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect in Microsoft Defender ATP Security Center.
\ No newline at end of file
+[This blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect in Microsoft Defender ATP Security Center.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index 7ebc368cbc..5184c72aca 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 03/04/2020
ms.reviewer:
manager: dansimp
---
@@ -24,8 +24,8 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
There are two types of updates related to keeping Windows Defender Antivirus up to date:
-1. Protection updates
+1. Protection updates
2. Product updates
You can also apply [Windows security baselines](https://technet.microsoft.com/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection.
@@ -36,15 +36,40 @@ Windows Defender Antivirus uses both [cloud-delivered protection](utilize-micros
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
+Engine updates are included with the Security intelligence updates and are released on a monthly cadence.
+
## Product updates
-Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases.
+Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases.
You can manage the distribution of updates through Windows Server Update Service (WSUS), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
+## Released platform and engine versions
+
+Only the main version is listed in the following table as reference information:
+
+Month | Platform/Client | Engine
+---|---|---
+Feb-2020 | - | 1.1.16800.x
+Jan-2020 | 4.18.2001.x | 1.1.16700.x
+Dec-2019 | - | - |
+Nov-2019 | 4.18.1911.x | 1.1.16600.x
+Oct-2019 | 4.18.1910.x | 1.1.16500.x
+Sep-2019 | 4.18.1909.x | 1.1.16400.x
+Aug-2019 | 4.18.1908.x | 1.1.16300.x
+Jul-2019 | 4.18.1907.x | 1.1.16200.x
+Jun-2019 | 4.18.1906.x | 1.1.16100.x
+May-2019 | 4.18.1905.x | 1.1.16000.x
+Apr-2019 | 4.18.1904.x | 1.1.15900.x
+Mar-2019 | 4.18.1903.x | 1.1.15800.x
+Feb-2019 | 4.18.1902.x | 1.1.15700.x
+Jan-2019 | 4.18.1901.x | 1.1.15600.x
+Dec-18 | 4.18.1812.X | 1.1.15500.x
+
+
## In this section
-Topic | Description
+Article | Description
---|---
[Manage how protection updates are downloaded and applied](manage-protection-updates-windows-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 97443ac815..44fd750878 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 02/24/2020
+ms.date: 03/04/2020
---
# Understand WDAC policy rules and file rules
@@ -126,3 +126,19 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
> [!NOTE]
> Due to an existing bug, you can not combine Path-based ALLOW rules with any DENY rules in a single policy. Instead, either separate DENY rules into a separate Base policy or move the Path-based ALLOW rules into a supplemental policy as described in [Deploy multiple WDAC policies.](deploy-multiple-windows-defender-application-control-policies.md)
+
+## Windows Defender Application Control filename rules
+
+File name rule levels provide administrators to specify the file attributes off which to base a file name rule. File name rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. Specification of the file name level occurs when creating new policy rules. In addition, to combine file name levels found in multiple policies, you can merge multiple policies.
+
+Use Table 3 to select the appropriate file name level for your available administrative resources and Windows Defender Application Control deployment scenario.
+
+**Table 3. Windows Defender Application Control policy - filename levels**
+
+| Rule level | Description |
+|----------- | ----------- |
+| **File Description** | Specifies the file description provided by the developer of the binary. |
+| **Internal Name** | Specifies the internal name of the binary. |
+| **Original File Name** | Specifies the original file name, or the name with which the file was first created, of the binary. |
+| **Package Family Name** | Specifies the package family name of the binary. The package family name consists of two parts: the name of the file and the publisher ID. |
+| **Product Name** | Specifies the name of the product with which the binary ships. |
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index 05dc390aef..f46696402c 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -34,25 +34,30 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
### Group Policy
1. Click **Start** > type and then click **Edit group policy**.
+
2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.
-
+ 
### Windows Security Center
Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
-
-
+ 
+
### Registry
1. Open Registry editor.
+
2. Click **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Control** > **DeviceGuard** > **Scenarios**.
+
3. Right-click **Scenarios** > **New** > **Key** and name the new key **SystemGuard**.
+
4. Right-click **SystemGuard** > **New** > **DWORD (32-bit) Value** and name the new DWORD **Enabled**.
+
5. Double-click **Enabled**, change the value to **1**, and click **OK**.
-
+ 
> [!IMPORTANT]
> If System Guard is enabled with a registry key, standard hardware security is not available for the Intel i5 7200U processor.
@@ -63,8 +68,8 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
->[!NOTE]
->To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity).
+> [!NOTE]
+> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs).
## System requirements for System Guard
|