Merge branch 'master' into ios

windows/client-management/mdm/applicationcontrol-csp.md

@@ -8,7 +8,7 @@ ms.prod: w10
 ms.technology: windows
 author: ManikaDhiman
 ms.reviewer: jsuther1974
-ms.date: 05/21/2019
+ms.date: 09/10/2020
 ---
 
 # ApplicationControl CSP
@@ -266,7 +266,7 @@ The following is an example of Delete command:
 
 ## PowerShell and WMI Bridge Usage Guidance
 
-The ApplicationControl CSP can also be managed locally from PowerShell or via SCCM's task sequence scripting by leveraging the [WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
+The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by leveraging the [WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
 
 ### Setup for using the WMI Bridge
 

windows/client-management/mdm/applocker-csp.md

@@ -35,7 +35,7 @@ Defines restrictions for applications.
 > Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node.
 
 > [!NOTE]
-> Deploying policies via the AppLocker CSP will force a reboot during OOBE.
+> The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
 
 Additional information:
 
@@ -484,7 +484,7 @@ The following list shows the apps that may be included in the inbox.
 <td></td>
 </tr>
 <tr class="odd">
-<td>Colour profile</td>
+<td>Color profile</td>
 <td>b08997ca-60ab-4dce-b088-f92e9c7994f3</td>
 <td></td>
 </tr>

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
   - [What is dmwappushsvc?](#what-is-dmwappushsvc)
 
 - **Change history in MDM documentation**
+    - [September 2020](#september-2020)
     - [August 2020](#august-2020)
     - [July 2020](#july-2020)
     - [June 2020](#june-2020)
@@ -438,9 +439,6 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
 <li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</li>
 <li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</li>
 <li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</li>
-<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</li>
-<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</li>
-<li>LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</li>
 <li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
 <li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
 <li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
@@ -458,7 +456,6 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
 <li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic</li>
 <li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers</li>
 <li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
-<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li>
 <li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</li>
 <li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode</li>
 <li>Notifications/DisallowCloudNotification</li>
@@ -768,7 +765,6 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
 <li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</li>
 <li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</li>
 <li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</li>
-<li>LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</li>
 <li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</li>
 <li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</li>
 <li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</li>
@@ -1414,6 +1410,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
 <li>Update/ExcludeWUDriversInQualityUpdate</li>
 <li>Update/PauseFeatureUpdates</li>
 <li>Update/PauseQualityUpdates</li>
+<li>Update/SetProxyBehaviorForUpdateDetection</li>
 <li>Update/UpdateServiceUrlAlternate (Added in the January service release of Windows 10, version 1607)</li>
 <li>WindowsInkWorkspace/AllowWindowsInkWorkspace</li>
 <li>WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace</li>
@@ -1996,6 +1993,11 @@ How do I turn if off? | The service can be stopped from the "Services" console o
 
 ## Change history in MDM documentation
 
+### September 2020
+|New or updated topic | Description|
+|--- | ---|
+|[Policy CSP - LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)|Removed the following unsupported LocalPoliciesSecurityOptions policy settings from the documentation:<br>- RecoveryConsole_AllowAutomaticAdministrativeLogon <br>- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways<br>- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible<br>- DomainMember_DisableMachineAccountPasswordChanges<br>- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems<br>|
+
 ### August 2020
 |New or updated topic | Description|
 |--- | ---|
@@ -2436,9 +2438,6 @@ How do I turn if off? | The service can be stopped from the "Services" console o
 <ul>
 <li>Bluetooth/AllowPromptedProximalConnections</li>
 <li>KioskBrowser/EnableEndSessionButton</li>
-<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</li>
-<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</li>
-<li>LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</li>
 <li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication</li>
 <li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic</li>
 <li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic</li>
@@ -2647,7 +2646,6 @@ How do I turn if off? | The service can be stopped from the "Services" console o
 <li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</li>
 <li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li>
 <li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
-<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li>
 <li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</li>
 <li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode</li>
 <li>RestrictedGroups/ConfigureGroupMembership</li>
@@ -3018,7 +3016,6 @@ How do I turn if off? | The service can be stopped from the "Services" console o
 <li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</li>
 <li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</li>
 <li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</li>
-<li>LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</li>
 <li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</li>
 <li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</li>
 <li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</li>

windows/client-management/mdm/policy-configuration-service-provider.md

@@ -2498,15 +2498,6 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly" id="localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly">LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</a>
   </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways" id="localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways">LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible" id="localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible">LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges" id="localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges">LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</a>
-  </dd>
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked" id="localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked">LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</a>
   </dd>
@@ -2585,18 +2576,12 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers" id="localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers">LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers</a>
   </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon" id="localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon">LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</a>
-  </dd>
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon" id="localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon">LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</a>
   </dd>
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile" id="localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile">LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</a>
   </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-systemobjects-requirecaseinsensitivityfornonwindowssubsystems" id="localpoliciessecurityoptions-systemobjects-requirecaseinsensitivityfornonwindowssubsystems">LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</a>
-  </dd>
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation" id="localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</a>
   </dd>
@@ -3918,6 +3903,9 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-update.md#update-setedurestart" id="update-setedurestart">Update/SetEDURestart</a>
   </dd>
+  <dd> 
+    <a href="./policy-csp-update.md#update-setproxybehaviorforupdatedetection"id="update-setproxybehaviorforupdatedetection">Update/SetProxyBehaviorForUpdateDetection</a> 
+  </dd>
   <dd> 
     <a href="./policy-csp-update.md#update-targetreleaseversion"id="update-targetreleaseversion">Update/TargetReleaseVersion</a> 
   </dd>

windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md

@@ -45,15 +45,6 @@ manager: dansimp
   <dd>
     <a href="#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly">LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</a>
   </dd>
-  <dd>
-    <a href="#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways">LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</a>
-  </dd>
-  <dd>
-    <a href="#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible">LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</a>
-  </dd>
-  <dd>
-    <a href="#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges">LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</a>
-  </dd>
   <dd>
     <a href="#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked">LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</a>
   </dd>
@@ -132,18 +123,12 @@ manager: dansimp
   <dd>
     <a href="#localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers">LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers</a>
   </dd>
-  <dd>
-    <a href="#localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon">LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</a>
-  </dd>
   <dd>
     <a href="#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon">LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</a>
   </dd>
   <dd>
     <a href="#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile">LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</a>
   </dd>
-  <dd>
-    <a href="#localpoliciessecurityoptions-systemobjects-requirecaseinsensitivityfornonwindowssubsystems">LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</a>
-  </dd>
   <dd>
     <a href="#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</a>
   </dd>
@@ -714,256 +699,6 @@ GP Info:
 
 <hr/>
 
-<!--Policy-->
-<a href="" id="localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways"></a>**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways**  
-
-<!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Windows Edition</th>
-    <th>Supported?</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-<tr>
-    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-</table>
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-
-> [!WARNING]
-> Starting in the version 1809 of Windows, this policy is deprecated.
-
-Domain member: Digitally encrypt or sign secure channel data (always)
-
-This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
-
-When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
-
-This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
-
-Domain member: Digitally encrypt secure channel data (when possible)
-Domain member: Digitally sign secure channel data (when possible)
-
-Default: Enabled.
-
-Notes:
-
-If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
-If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
-Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
-
-<!--/Description-->
-<!--RegistryMapped-->
-GP Info:  
--   GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)*
--   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-<!--/RegistryMapped-->
-<!--SupportedValues-->
-
-<!--/SupportedValues-->
-<!--Example-->
-
-<!--/Example-->
-<!--Validation-->
-
-<!--/Validation-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible"></a>**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible**  
-
-<!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Windows Edition</th>
-    <th>Supported?</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-<tr>
-    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-</table>
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-
-> [!WARNING]
-> Starting in the version 1809 of Windows, this policy is deprecated.
-
-Domain member: Digitally encrypt secure channel data (when possible)
-
-This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
-
-When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.
-
-This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
-
-Default: Enabled.
-
-Important
-
-There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
-
-Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
-
-<!--/Description-->
-<!--RegistryMapped-->
-GP Info:  
--   GP English name: *Domain member: Digitally encrypt secure channel data (when possible)*
--   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-<!--/RegistryMapped-->
-<!--SupportedValues-->
-
-<!--/SupportedValues-->
-<!--Example-->
-
-<!--/Example-->
-<!--Validation-->
-
-<!--/Validation-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges"></a>**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges**  
-
-<!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Windows Edition</th>
-    <th>Supported?</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-<tr>
-    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-</table>
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-
-> [!WARNING]
-> Starting in the version 1809 of Windows, this policy is deprecated.
-
-Domain member: Disable machine account password changes
-
-Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
-
-Default: Disabled.
-
-Notes
-
-This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
-This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
-
-<!--/Description-->
-<!--RegistryMapped-->
-GP Info:  
--   GP English name: *Domain member: Disable machine account password changes*
--   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-<!--/RegistryMapped-->
-<!--SupportedValues-->
-
-<!--/SupportedValues-->
-<!--Example-->
-
-<!--/Example-->
-<!--Validation-->
-
-<!--/Validation-->
-<!--/Policy-->
-
-<hr/>
-
 <!--Policy-->
 <a href="" id="localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**  
 
@@ -2902,60 +2637,6 @@ GP Info:
 
 <hr/>
 
-<!--Policy-->
-<a href="" id="localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon"></a>**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**  
-
-<!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Windows Edition</th>
-    <th>Supported?</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-</tr>
-<tr>
-    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-</tr>
-</table>
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Description-->
-Recovery console: Allow automatic administrative logon
-
-This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system.
-
-Default: This policy is not defined and automatic administrative logon is not allowed.
-
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-<!--/Description-->
-<!--SupportedValues-->
-Valid values:  
-- 0 - disabled
-- 1 - enabled (allow automatic administrative logon)
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
 <!--Policy-->
 <a href="" id="localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon"></a>**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn**  
 
@@ -3095,63 +2776,6 @@ GP Info:
 
 <hr/>
 
-<!--Policy-->
-<a href="" id="localpoliciessecurityoptions-systemobjects-requirecaseinsensitivityfornonwindowssubsystems"></a>**LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems**  
-
-<!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Windows Edition</th>
-    <th>Supported?</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-<tr>
-    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-</tr>
-</table>
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-System objects: Require case insensitivity for non-Windows subsystems
-
-This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX.
-
-If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting does not allow the Win32 subsystem to become case sensitive.
-
-Default: Enabled.
-
-<!--/Description-->
-<!--/Policy-->
-
-<hr/>
-
 <!--Policy-->
 <a href="" id="localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation"></a>**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**  
 

windows/client-management/mdm/policy-csp-update.md

@@ -194,6 +194,9 @@ manager: dansimp
   <dd>
     <a href="#update-setedurestart">Update/SetEDURestart</a>
   </dd>
+  <dd>
+    <a href="#update-setproxybehaviorforupdatedetection">Update/SetProxyBehaviorForUpdateDetection</a>
+  </dd>
   <dd> 
     <a href="#update-targetreleaseversion">Update/TargetReleaseVersion</a> 
   </dd>
@@ -4133,6 +4136,78 @@ The following list shows the supported values:
 
 <hr/>
 
+
+<!--Policy-->
+<a href="" id="update-setproxybehaviorforupdatedetection"></a>**Update/SetProxyBehaviorForUpdateDetection**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in Windows 10, version 1607 and later. By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP based intranet server despite the vulnerabilities it presents.
+
+This policy setting does not impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:  
+-   GP English name: *Select the proxy behavior for Windows Update client for detecting updates with non-TLS (HTTP) based service*
+-   GP name: *Select the proxy behavior*
+-   GP element: *Select the proxy behavior*
+-   GP path: *Windows Components/Windows Update/Specify intranet Microsoft update service location*
+-   GP ADMX file name: *WindowsUpdate.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+The following list shows the supported values:
+
+- 0 (default) - Allow system proxy only for HTTP scans.
+- 1 - Allow user proxy to be used as a fallback if detection using system proxy fails. 
+> [!NOTE]
+> Configuring this policy setting to 1 exposes your environment to potential security risk and makes scans unsecure.
+
+<!--/SupportedValues-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="update-targetreleaseversion"></a>**Update/TargetReleaseVersion**  
 

windows/client-management/mdm/policy-csps-supported-by-group-policy.md

@@ -533,9 +533,6 @@ ms.date: 07/18/2019
 - [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia)
 - [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters)
 - [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly)
-- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways)
-- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible)
-- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges)
 - [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked)
 - [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin)
 - [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin)

windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md

@@ -66,6 +66,7 @@ ms.date: 07/18/2019
 - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
 - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
 - [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot)
+- [Update/SetProxyBehaviorForUpdateDetection](policy-csp-update.md#update-setproxybehaviorforupdatedetection)
 
 ## Related topics
 

windows/client-management/new-policies-for-windows-10.md

@@ -5,7 +5,7 @@ ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
-keywords: ["MDM", "Group Policy"]
+keywords: ["MDM", "Group Policy", "GP"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
@@ -21,9 +21,12 @@ ms.topic: reference
 **Applies to**
 
 -   Windows 10
--   Windows 10 Mobile
 
-Windows 10 includes the following new policies for management. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://www.microsoft.com/download/100591).
+As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows,  refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference".
+
+For example, searching for "Windows 2004" + "Group Policy Settings Reference Spreadsheet" in a web browser will return to you the link to download the Group Policy Settings Reference Spreadsheet for Windows 2004.
+
+The latest [group policy reference for Windows 10 version 2004 is available here](https://www.microsoft.com/download/101451).
 
 ## New Group Policy settings in Windows 10, version 1903
 

windows/deployment/update/waas-delivery-optimization-setup.md

@@ -95,7 +95,7 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
 
 In a lab situation, you typically have a large number of devices that are plugged in and have a lot of free disk space. By increasing the content expiration interval, you can take advantage of these devices, using them as excellent upload sources in order to upload much more content over a longer period.
 
-To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **6048000** (7 days) or more (up to 30 days).
+To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **604800** (7 days) or more (up to 30 days).
 
 To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DOMaxCacheAge to 7 or more (up to 30 days).
 
@@ -191,7 +191,7 @@ With no options, this cmdlet returns these data:
 - overall efficiency
 - efficiency in the peered files
 
-Using the `-ListConnections` option returns these detauls about peers:
+Using the `-ListConnections` option returns these details about peers:
 
 - destination IP address
 - peer type

windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -1458,15 +1458,15 @@ To turn this Off in the UI:
 
 -OR-
  
-- Create a REG_DWORD registry setting named **EnableActivityFeed** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 2 (two)**
+- Create a REG_DWORD registry setting named **EnableActivityFeed** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**
 
      -and-
 
-- Create a REG_DWORD registry setting named **PublishUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 2 (two)**
+- Create a REG_DWORD registry setting named **PublishUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**
 
      -and-
 
-- Create a REG_DWORD registry setting named **UploadUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 2 (two)**
+- Create a REG_DWORD registry setting named **UploadUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**
     
 ### <a href="" id="bkmk-voice-act"></a>18.23 Voice Activation
 

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md

@@ -76,10 +76,12 @@ Certificate authorities write CRL distribution points in certificates as they ar
 Windows Hello for Business enforces the strict KDC validation security feature, which imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met:
 
 - The domain controller has the private key for the certificate provided.
-- The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. 
+- The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**.
 - Use the **Kerberos Authentication certificate template** instead of any other older template.
 - The domain controller's certificate has the **KDC Authentication** enhanced key usage.
 - The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain.
+- The domain controller's certificate's signature hash algorithm is **sha256**.
+- The domain controller's certificate's public key is **RSA (2048 Bits)**.
 
 
 > [!Tip]

windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md

@@ -25,8 +25,8 @@ This article addresses common issues in BitLocker and provides guidelines to tro
 Open Event Viewer and review the following logs under Applications and Services logs\\Microsoft\\Windows:
 
 - **BitLocker-API**. Review the Management log, the Operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
-   - Microsoft-Windows-BitLocker/BitLocker Operational
+   - Microsoft-Windows-BitLocker-API/BitLocker Operational
-   - Microsoft-Windows-BitLocker/BitLocker Management
+   - Microsoft-Windows-BitLocker-API/BitLocker Management
 
 - **BitLocker-DrivePreparationTool**. Review the Admin log,  the Operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
    - Microsoft-Windows-BitLocker-DrivePreparationTool/Operational

windows/security/threat-protection/TOC.md

@@ -18,7 +18,11 @@
 ### [Deployment phases](microsoft-defender-atp/deployment-phases.md)
 ### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md)
 ### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
-### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md)
+### [Phase 3: Onboard]()
+#### [Onboarding overview](microsoft-defender-atp/onboarding.md)
+##### [Onboarding using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/onboarding-endpoint-configuration-manager.md)
+##### [Onboarding using Microsoft Endpoint Manager](microsoft-defender-atp/onboarding-endpoint-manager.md)
+
 
 ## [Migration guides](microsoft-defender-atp/migration-guides.md)
 ### [Switch from McAfee to Microsoft Defender ATP]()
@@ -97,7 +101,7 @@
 #### [Network protection]()
 ##### [Protect your network](microsoft-defender-atp/network-protection.md)
 ##### [Evaluate network protection](microsoft-defender-atp/evaluate-network-protection.md)
-##### [Turning on network protection](microsoft-defender-atp/enable-network-protection.md)
+##### [Turn on network protection](microsoft-defender-atp/enable-network-protection.md)
  
 #### [Web protection]()
 ##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)

windows/security/threat-protection/auditing/event-4698.md

@@ -62,6 +62,17 @@ This event generates every time a new scheduled task is created.
  </Event>
 
 ```
+>[!NOTE]
+> Windows 10 Versions 1903 and above augments the event with these additional properties:
+> Event Version 1.
+>  ***Event XML:***
+>```
+>  <Data Name="ClientProcessStartKey">5066549580796854</Data> 
+>  <Data Name="ClientProcessId">3932</Data> 
+>  <Data Name="ParentProcessId">5304</Data> 
+>  <Data Name="RpcCallClientLocality">0</Data> 
+>  <Data Name="FQDN">DESKTOP-Name</Data> 
+
 
 ***Required Server Roles:*** None.
 

windows/security/threat-protection/auditing/event-4699.md

@@ -62,6 +62,17 @@ This event generates every time a scheduled task was deleted.
  </Event>
 
 ```
+>[!NOTE]
+> Windows 10 Versions 1903 and above augments the event with these additional properties:
+> Event Version 1.
+>  ***Event XML:***
+>```
+>  <Data Name="ClientProcessStartKey">5066549580796854</Data> 
+>  <Data Name="ClientProcessId">3932</Data> 
+>  <Data Name="ParentProcessId">5304</Data> 
+>  <Data Name="RpcCallClientLocality">0</Data> 
+>  <Data Name="FQDN">DESKTOP-Name</Data> 
+
 
 ***Required Server Roles:*** None.
 

windows/security/threat-protection/auditing/event-4700.md

@@ -62,6 +62,17 @@ This event generates every time a scheduled task is enabled.
  </Event>
 
 ```
+>[!NOTE]
+> Windows 10 Versions 1903 and above augments the event with these additional properties:
+> Event Version 1.
+>  ***Event XML:***
+>```
+>  <Data Name="ClientProcessStartKey">5066549580796854</Data> 
+>  <Data Name="ClientProcessId">3932</Data> 
+>  <Data Name="ParentProcessId">5304</Data> 
+>  <Data Name="RpcCallClientLocality">0</Data> 
+>  <Data Name="FQDN">DESKTOP-Name</Data> 
+
 
 ***Required Server Roles:*** None.
 

windows/security/threat-protection/auditing/event-4701.md

@@ -62,6 +62,17 @@ This event generates every time a scheduled task is disabled.
  </Event>
 
 ```
+>[!NOTE]
+> Windows 10 Versions 1903 and above augments the event with these additional properties:
+> Event Version 1.
+>  ***Event XML:***
+>```
+>  <Data Name="ClientProcessStartKey">5066549580796854</Data> 
+>  <Data Name="ClientProcessId">3932</Data> 
+>  <Data Name="ParentProcessId">5304</Data> 
+>  <Data Name="RpcCallClientLocality">0</Data> 
+>  <Data Name="FQDN">DESKTOP-Name</Data> 
+
 
 ***Required Server Roles:*** None.
 

windows/security/threat-protection/auditing/event-4702.md

@@ -62,6 +62,17 @@ This event generates every time scheduled task was updated/changed.
  </Event>
 
 ```
+>[!NOTE]
+> Windows 10 Versions 1903 and above augments the event with these additional properties:
+> Event Version 1.
+>  ***Event XML:***
+>```
+>  <Data Name="ClientProcessStartKey">5066549580796854</Data> 
+>  <Data Name="ClientProcessId">3932</Data> 
+>  <Data Name="ParentProcessId">5304</Data> 
+>  <Data Name="RpcCallClientLocality">0</Data> 
+>  <Data Name="FQDN">DESKTOP-Name</Data> 
+
 
 ***Required Server Roles:*** None.
 

windows/security/threat-protection/device-control/control-usb-devices-using-intune.md

@@ -8,7 +8,6 @@ ms.pagetype: security
 ms.localizationpriority: medium
 ms.author: dansimp
 author: dansimp
-ms.date: 10/04/2019
 ms.reviewer: dansimp
 manager: dansimp
 audience: ITPro
@@ -23,7 +22,7 @@ Microsoft recommends [a layered approach to securing removable media](https://ak
 1. [Discover plug and play connected events for peripherals in Microsoft Defender ATP advanced hunting](#discover-plug-and-play-connected-events). Identify or investigate suspicious usage activity.
 
 2. Configure to allow or block only certain removable devices and prevent threats.
-    1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by USB vendor IDs, product IDs, device IDs, or a combination. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
+    1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by using USB device IDs. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
 
     2. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling:  
            - Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.  
@@ -98,35 +97,37 @@ In this example, the following classes needed to be added: HID, Keyboard, and {3
 
 ![Device host controller](images/devicehostcontroller.jpg)
 
-If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device ID that you want to add. To find the vendor or product IDs, see [Look up device vendor ID or product ID](#look-up-device-vendor-id-or-product-id). 
+If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device ID that you want to add. Device ID is based on the vendor ID and product ID values for a device. For information on device ID formats, see [Standard USB Identifiers](https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers). 
+
+To find the device IDs, see [Look up device ID](#look-up-device-id). 
 
 For example:
 
 1. Remove class USBDevice from the **Allow installation of devices using drivers that match these device setup**.
-2. Add the vendor ID or product ID to allow in the **Allow installation of device that match any of these device IDs**. 
+2. Add the device ID to allow in the **Allow installation of device that match any of these device IDs**. 
 
 
 #### Prevent installation and usage of USB drives and other peripherals
 
 If you want to prevent the installation of a device class or certain devices, you can use the prevent device installation policies:
 
-1. Enable **Prevent installation of devices that match any of these device IDs**.
+1. Enable **Prevent installation of devices that match any of these device IDs** and add these devices to the list.
 2. Enable **Prevent installation of devices using drivers that match these device setup classes**.
 
 > [!Note]
 > The prevent device installation policies take precedence over the allow device installation policies.
 
-The **Prevent installation of devices that match any of these device IDs** policy allows you to specify a list of vendor or product IDs for devices that Windows is prevented from installing. 
+The **Prevent installation of devices that match any of these device IDs** policy allows you to specify a list of devices that Windows is prevented from installing. 
 
 To prevent installation of devices that match any of these device IDs: 
 
-1. [Look up device vendor ID or product ID](#look-up-device-vendor-id-or-product-id) for devices that you want Windows to prevent from installing.
+1. [Look up device ID](#look-up-device-id) for devices that you want Windows to prevent from installing.
 ![Look up vendor or product ID](images/lookup-vendor-product-id.png)
 2. Enable **Prevent installation of devices that match any of these device IDs** and add the vendor or product IDs to the list.
 ![Add vendor ID to prevent list](images/add-vendor-id-to-prevent-list.png)
 
-#### Look up device vendor ID or product ID
+#### Look up device ID
-You can use Device Manager to look up a device vendor or product ID.
+You can use Device Manager to look up a device ID.
 
 1. Open Device Manager.
 2. Click **View** and select **Devices by connection**.
@@ -135,11 +136,11 @@ You can use Device Manager to look up a device vendor or product ID.
 5. Click the **Property** drop-down list and select **Hardware Ids**.
 6. Right-click the top ID value and select **Copy**.
 
-For information on vendor and product ID formats, see [Standard USB Identifiers](https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers).
+For information about Device ID formats, see [Standard USB Identifiers](https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers).
 
 For information on vendor IDs, see [USB members](https://www.usb.org/members).
 
-The following is an example for looking up a device vendor ID or product ID using PowerShell: 
+The following is an example for looking up a device vendor ID or product ID (which is part of the device ID) using PowerShell: 
 ``` PowerShell
 Get-WMIObject -Class Win32_DiskDrive |
 Select-Object -Property * 

windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md

@@ -13,7 +13,7 @@ ms.author: deniseb
 ms.custom: nextgen
 ms.reviewer: 
 manager: dansimp
-ms.date: 09/07/2020
+ms.date: 09/10/2020
 ---
 
 # Manage Microsoft Defender Antivirus updates and apply baselines
@@ -31,6 +31,10 @@ There are two types of updates related to keeping Microsoft Defender Antivirus u
 > Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.  
 > This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
 
+> [!NOTE]
+> You can use the below URL to find out what are the current versions:
+> [https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info)
+
 ## Security intelligence updates
 
 Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection. 
@@ -59,7 +63,7 @@ All our updates contain:
 * integration improvements (Cloud, MTP)  
 <br/>
 <details>
-<summary> August-2020 (Platform: 4.18.2008.3 | Engine: 1.1.17400.5)</summary>
+<summary> August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)</summary>
 
 &ensp;Security intelligence update version: **1.323.9.0**  
 &ensp;Released: **August 27, 2020**  
@@ -72,6 +76,7 @@ All our updates contain:
 * Improved scan event telemetry
 * Improved behavior monitoring for memory scans
 * Improved macro streams scanning
+* Added "AMRunningMode" to Get-MpComputerStatus Powershell CmdLet
 
 ### Known Issues
 No known issues  
@@ -221,7 +226,7 @@ Support phase: **Technical upgrade Support (Only)**
 * Support platform updates when TMP is redirected to network path
 * Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates)
 * extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
-* Fix 4.18.1911.10 hang
+* Fix 4.18.1911.3 hang
    
 ### Known Issues
 [**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection.  Affected machines appear to the customer as having not updated to the latest antimalware platform.  
@@ -229,14 +234,17 @@ Support phase: **Technical upgrade Support (Only)**
 > [!IMPORTANT]
 > This updates is needed by RS1 devices running lower version of the platform to support SHA2. <br/>This update has reboot flag for systems that are experiencing the hang issue.<br/> the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability.
 <br/>
+> [!IMPORTANT]
+> This update is categorized as an "update" due to its reboot requirement and will only be offered with a [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update)
+<br/>
 </details>
 
 <details>
-<summary> November-2019 (Platform: 4.18.1911.2 | Engine: 1.1.16600.7)</summary>
+<summary> November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7)</summary>
 
 Security intelligence update version: **1.307.13.0**  
 Released: **December 7, 2019**  
-Platform: **4.18.1911.2**  
+Platform: **4.18.1911.3**  
 Engine: **1.1.17000.7**  
 Support phase: **No support**  
      
@@ -248,7 +256,7 @@ Support phase: **No support**
 * add MRT logs to support files
    
 ### Known Issues
-No known issues
+When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.
 <br/>
 </details>
 

windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md

@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 03/28/2019
+ms.date: 09/07/2020
 ms.reviewer: 
 manager: dansimp
 ms.custom: asr
@@ -18,6 +18,7 @@ ms.custom: asr
 
 **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+
 Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
 
 ## What is Application Guard and how does it work?

windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md

@@ -1,6 +1,6 @@
 ---
-title: Turning on network protection
+title: Turn on network protection
-description: Enable Network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager.
+description: Enable network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager.
 keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -14,7 +14,7 @@ ms.reviewer:
 manager: dansimp
 ---
 
-# Turning on network protection
+# Turn on network protection
 
 **Applies to:**
 
@@ -22,6 +22,8 @@ manager: dansimp
 
 [Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it.
 
+[Learn more about network filtering configuration options](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering)
+
 ## Check if network protection is enabled
 
 Check if network protection has been enabled on a local device by using Registry editor.
@@ -40,9 +42,8 @@ Check if network protection has been enabled on a local device by using Registry
 Enable network protection by using any of these methods:
 
 * [PowerShell](#powershell)
-* [Microsoft Intune](#intune)
 * [Mobile Device Management (MDM)](#mobile-device-management-mdm)
-* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
+* [Microsoft Endpoint Manager / Intune](#microsoft-endpoint-manager-formerly-intune)
 * [Group Policy](#group-policy)
 
 ### PowerShell
@@ -62,41 +63,17 @@ Enable network protection by using any of these methods:
 
     Use `Disabled` instead of `AuditMode` or `Enabled` to turn off the feature.
 
-### Intune
+### Mobile device management (MDM)
-
-1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-
-2. Go to **Device configuration** > **Profiles** > **Create profile**.
-
-3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
-   
-    ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
-
-4. Select **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.  
-   
-    ![Enable network protection in Intune](../images/enable-np-intune.png)
-
-5. Select **OK** to save each open section and **Create**.
-
-6. Select the profile called **Assignments**, assign to **All Users & All Devices**, and **Save**.
-
-### Mobile Device Management (MDM)
 
 Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
 
-## Microsoft Endpoint Configuration Manager
+### Microsoft Endpoint Manager (formerly Intune)
 
-1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. Sign into the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com)
 
-2. Then go to **Home** > **Create Exploit Guard Policy**.
+2. Create or edit an [endpoint protection configuration profile](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-configure)
 
-3. Enter a name and a description, select **Network protection**, and then **Next**.
+3. Under "Configuration Settings" in the profile flow, go to **Microsoft Defender Exploit Guard** > **Network filtering** > **Network protection** > **Enable** or **Audit only**
-
-4. Choose whether to block or audit access to suspicious domains and select **Next**.
-
-5. Review the settings and select **Next** to create the policy.
-
-6. After the policy is created, **Close**.
 
 ### Group Policy
 
@@ -112,6 +89,9 @@ Use the following procedure to enable network protection on domain-joined comput
 
 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
 
+> [!NOTE]
+> On older versions of Windows, the group policy path may say "Windows Defender Antivirus" instead of "Microsoft Defender Antivirus."
+
 4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options:
     * **Block** - Users can't access malicious IP addresses and domains
     * **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains

windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md

@@ -38,7 +38,7 @@ It's important to understand the following requirements prior to creating indica
 
 - This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
 - The Antimalware client version must be  4.18.1901.x or later.
-- Supported on machines on Windows 10, version 1703 or later.
+- Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019.
 - The virus and threat protection definitions must be up-to-date.
 - This feature currently supports entering .CER or .PEM file extensions.
 

windows/security/threat-protection/microsoft-defender-atp/indicator-file.md

@@ -37,7 +37,7 @@ It's important to understand the following prerequisites prior to creating indic
 
 - This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
 - The Antimalware client version must be 4.18.1901.x or later.
-- Supported on machines on Windows 10, version 1703 or later.
+- Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019.
 - To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
 - This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
 
@@ -76,4 +76,4 @@ Files automatically blocked by an indicator won't show up in the file's Action c
 - [Create indicators](manage-indicators.md)
 - [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
 - [Create indicators based on certificates](indicator-certificates.md)
-- [Manage indicators](indicator-manage.md)
+- [Manage indicators](indicator-manage.md)

windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md

@@ -0,0 +1,355 @@
+---
+title: Onboarding using Microsoft Endpoint Configuration Manager 
+description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Configuration Manager
+keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- M365-security-compliance
+- m365solution-endpointprotect  
+ms.topic: article
+---
+
+# Onboarding using Microsoft Endpoint Configuration Manager 
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Collection creation
+To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
+deployment can target either and existing collection or a new collection can be
+created for testing. The onboarding like group policy or manual method does
+not install any agent on the system. Within the Configuration Manager console
+the onboarding process will be configured as part of the compliance settings
+within the console. Any system that receives this required configuration will
+maintain that configuration for as long as the Configuration Manager client
+continues to receive this policy from the management point. Follow the steps
+below to onboard systems with Configuration Manager.
+
+1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.            
+
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-device-collections.png)
+
+2. Right Click **Device Collection** and select **Create Device Collection**.
+
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-device-collection.png)
+
+3. Provide a **Name** and **Limiting Collection**, then select **Next**.
+
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-limiting-collection.png)
+
+4. Select **Add Rule** and choose **Query Rule**.
+
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-query-rule.png)
+
+5.  Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
+
+     ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-direct-membership.png)
+
+6. Select **Criteria** and then choose the star icon.
+
+     ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-criteria.png)
+
+7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**.
+
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-simple-value.png)
+
+8. Select **Next** and **Close**.
+
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-membership-rules.png)
+
+9. Select **Next**.
+
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-confirm.png)
+
+After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. 
+
+## Endpoint detection and response
+### Windows 10
+From within the Microsoft Defender Security Center it is possible to download
+the '.onboarding' policy that can be used to create the policy in System Center Configuration
+Manager and deploy that policy to Windows 10 devices.
+
+1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
+
+
+
+2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**.
+
+    ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-onboarding-wizard.png)
+
+3. Select **Download package**.
+
+    ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-download-package.png)
+
+4. Save the package to an accessible location.
+5. In  Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
+
+6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
+
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-policy.png)
+
+7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
+
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-policy-name.png)
+
+8. Click **Browse**.
+
+9. Navigate to the location of the downloaded file from step 4 above.
+
+10. Click **Next**.
+11. Configure the Agent with the appropriate samples (**None** or **All file types**).
+
+    ![Image of configuration settings](images/configmgr-config-settings.png)
+
+12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
+
+    ![Image of configuration settings](images/configmgr-telemetry.png)
+
+14. Verify the configuration, then click **Next**.
+
+     ![Image of configuration settings](images/configmgr-verify-configuration.png)
+
+15. Click **Close** when the Wizard completes.
+
+16.  In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
+
+     ![Image of configuration settings](images/configmgr-deploy.png)
+
+17. On the right panel, select the previously created collection and click **OK**.
+
+    ![Image of configuration settings](images/configmgr-select-collection.png)
+
+
+### Previous versions of Windows Client (Windows 7 and Windows 8.1)
+Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
+
+1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
+
+2. Under operating system choose **Windows 7 SP1 and 8.1**.
+
+3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
+
+    ![Image of onboarding](images/91b738e4b97c4272fd6d438d8c2d5269.png)
+
+4. Install the Microsoft Monitoring Agent (MMA). <br>
+    MMA is currently (as of January 2019) supported on the following Windows Operating
+    Systems:
+
+    -   Server SKUs: Windows Server 2008 SP1 or Newer
+
+    -   Client SKUs: Windows 7 SP1 and later
+
+    The MMA agent will need to be installed on Windows devices. To install the
+    agent, some systems will need to download the [Update for customer experience
+    and diagnostic
+    telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+    in order to collect the data with MMA. These system versions include but may not
+    be limited to:
+
+    -   Windows 8.1
+
+    -   Windows 7
+
+    -   Windows Server 2016
+
+    -   Windows Server 2012 R2
+
+    -   Windows Server 2008 R2
+
+    Specifically, for Windows 7 SP1, the following patches must be installed:
+
+    -   Install
+        [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
+
+    -   Install either [.NET Framework
+        4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or
+        later) **or**
+        [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
+        Do not install both on the same system.
+
+5. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
+
+Once completed, you should see onboarded endpoints in the portal within an hour.
+
+## Next generation protection 
+Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
+
+1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
+
+    ![Image of antimalware policy](images/9736e0358e86bc778ce1bd4c516adb8b.png)
+
+2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence   updates** and choose **OK**.
+
+    ![Image of next generation protection pane](images/1566ad81bae3d714cc9e0d47575a8cbd.png)
+
+    In certain industries or some select enterprise customers might have specific
+needs on how Antivirus is configured.
+
+  
+    [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
+
+    For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
+  
+    
+    ![Image of next generation protection pane](images/cd7daeb392ad5a36f2d3a15d650f1e96.png)
+
+    ![Image of next generation protection pane](images/36c7c2ed737f2f4b54918a4f20791d4b.png)
+
+    ![Image of next generation protection pane](images/a28afc02c1940d5220b233640364970c.png)
+
+    ![Image of next generation protection pane](images/5420a8790c550f39f189830775a6d4c9.png)
+
+    ![Image of next generation protection pane](images/33f08a38f2f4dd12a364f8eac95e8c6b.png)
+
+    ![Image of next generation protection pane](images/41b9a023bc96364062c2041a8f5c344e.png)
+
+    ![Image of next generation protection pane](images/945c9c5d66797037c3caeaa5c19f135c.png)
+
+    ![Image of next generation protection pane](images/3876ca687391bfc0ce215d221c683970.png)
+
+3. Right-click on the newly created antimalware policy and select **Deploy**.
+
+    ![Image of next generation protection pane](images/f5508317cd8c7870627cb4726acd5f3d.png)
+
+4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
+
+     ![Image of next generation protection pane](images/configmgr-select-collection.png)
+
+After completing this task, you now have successfully configured Windows
+Defender Antivirus.
+
+## Attack surface reduction
+The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit
+Protection. 
+
+All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode.
+
+To set ASR rules in Audit mode:
+
+1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+   ![Image of Microsoft Endpoint Configuration Manager console](images/728c10ef26042bbdbcd270b6343f1a8a.png)
+
+
+2.  Select **Attack Surface Reduction**.
+   
+
+3. Set rules to **Audit** and click **Next**.
+
+    ![Image of Microsoft Endpoint Configuration Manager console](images/d18e40c9e60aecf1f9a93065cb7567bd.png)
+
+4. Confirm the new Exploit Guard policy by clicking on **Next**.
+
+    ![Image of Microsoft Endpoint Configuration Manager console](images/0a6536f2c4024c08709cac8fcf800060.png)
+
+    
+5. Once the policy is created click **Close**.
+
+    ![Image of Microsoft Endpoint Configuration Manager console](images/95d23a07c2c8bc79176788f28cef7557.png)
+
+    
+
+6.  Right-click on the newly created policy and choose **Deploy**.
+    
+    ![Image of Microsoft Endpoint Configuration Manager console](images/8999dd697e3b495c04eb911f8b68a1ef.png)
+
+7. Target the policy to the newly created Windows 10 collection and click **OK**.
+
+    ![Image of Microsoft Endpoint Configuration Manager console](images/0ccfe3e803be4b56c668b220b51da7f7.png)
+
+After completing this task, you now have successfully configured ASR rules in audit mode.  
+  
+Below are additional steps to verify whether ASR rules are correctly applied to
+endpoints. (This may take few minutes)
+
+
+1. From a web browser, navigate to <https://securitycenter.windows.com>.
+
+2.  Select **Configuration management** from left side menu.
+
+3. Click **Go to attack surface management** in the Attack surface management panel. 
+    
+    ![Image of attack surface management](images/security-center-attack-surface-mgnt-tile.png)
+
+4. Click **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
+
+    ![A screenshot of attack surface reduction rules reports](images/f91f406e6e0aae197a947d3b0e8b2d0d.png)
+
+5. Click each device shows configuration details of ASR rules.
+
+    ![A screenshot of attack surface reduction rules reports](images/24bfb16ed561cbb468bd8ce51130ca9d.png)
+
+See [Optimize ASR rule deployment and
+detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr)   for more details.  
+
+
+### To set Network Protection rules in Audit mode:
+1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and  Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+    ![A screenshot System Center Configuration Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png)
+
+2. Select **Network protection**.
+
+3. Set the setting to **Audit** and click **Next**. 
+
+    ![A screenshot System Center Confirugatiom Manager](images/c039b2e05dba1ade6fb4512456380c9f.png)
+
+4. Confirm the new Exploit Guard Policy by clicking **Next**.
+    
+    ![A screenshot Exploit GUard policy](images/0a6536f2c4024c08709cac8fcf800060.png)
+
+5. Once the policy is created click on **Close**.
+
+    ![A screenshot Exploit GUard policy](images/95d23a07c2c8bc79176788f28cef7557.png)
+
+6. Right-click on the newly created policy and choose **Deploy**.
+
+    ![A screenshot Microsoft Endpoint Configuration Manager ](images/8999dd697e3b495c04eb911f8b68a1ef.png)
+
+7. Select the policy to the newly created Windows 10 collection and choose **OK**.
+
+    ![A screenshot Microsoft Endpoint Configuration Manager ](images/0ccfe3e803be4b56c668b220b51da7f7.png)
+
+After completing this task, you now have successfully configured Network
+Protection in audit mode.
+
+### To set Controlled Folder Access rules in Audit mode:
+
+1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+    ![A screenshot of Microsoft Endpoint Configuration Manager ](images/728c10ef26042bbdbcd270b6343f1a8a.png)
+
+2. Select **Controlled folder access**.
+    
+3. Set the configuration to **Audit** and click **Next**.
+
+    ![A screenshot of Microsoft Endpoint Configuration Manager ](images/a8b934dab2dbba289cf64fe30e0e8aa4.png)    
+    
+4. Confirm the new Exploit Guard Policy by clicking on **Next**.
+
+    ![A screenshot of Microsoft Endpoint Configuration Manager ](images/0a6536f2c4024c08709cac8fcf800060.png)
+
+5. Once the policy is created click on **Close**.
+
+    ![A screenshot of Microsoft Endpoint Configuration Manager ](images/95d23a07c2c8bc79176788f28cef7557.png)
+
+6. Right-click on the newly created policy and choose **Deploy**.
+
+    ![A screenshot of Microsoft Endpoint Configuration Manager ](images/8999dd697e3b495c04eb911f8b68a1ef.png)
+
+7.  Target the policy to the newly created Windows 10 collection and click **OK**.
+
+    ![A screenshot of Microsoft Endpoint Configuration Manager ](images/0ccfe3e803be4b56c668b220b51da7f7.png)
+
+You have now successfully configured Controlled folder access in audit mode.
+
+## Related topic
+- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)

windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md

@@ -0,0 +1,364 @@
+---
+title: Onboarding using Microsoft Endpoint Manager 
+description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint  Manager
+keywords: onboarding, configuration, deploy, deployment, endpoint manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- M365-security-compliance
+- m365solution-endpointprotect  
+ms.topic: article
+---
+
+# Onboarding using Microsoft Endpoint Manager 
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+
+In this section, we will be using Microsoft Endpoint Manager (MEM) to deploy
+Microsoft Defender ATP to your endpoints.
+
+For more information about MEM, check out these resources:
+- [Microsoft Endpoint Manager page](https://docs.microsoft.com/mem/)
+- [Blog post on convergence of Intune and ConfigMgr](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/)
+- [Introduction video on MEM](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace)
+
+
+This process is a multi-step process, you'll need to:
+
+-   Identify target devices or users
+
+    -   Create an Azure Active Directory group (User or Device)
+
+-   Create a Configuration Profile
+
+    -   In MEM, we'll guide you in creating a separate policy for each feature
+
+## Resources
+
+
+Here are the links you'll need for the rest of the process:
+
+-   [MEM portal](https://aka.ms/memac)
+
+-   [Security Center](https://securitycenter.windows.com/)
+
+-   [Intune Security baselines](https://docs.microsoft.com/mem/intune/protect/security-baseline-settings-defender-atp#microsoft-defender)
+
+## Identify target devices or users
+In this section, we will create a test group to assign your configurations on.
+
+>[!NOTE]
+>Intune uses Azure Active Directory (Azure AD) groups to manage devices and
+users. As an Intune admin, you can set up groups to suit your organizational
+needs.<br>
+> For more information, see [Add groups to organize users and devices](https://docs.microsoft.com/mem/intune/fundamentals/groups-add).
+
+### Create a group
+
+1.  Open the MEM portal.
+
+2.  Open **Groups > New Group**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/66f724598d9c3319cba27f79dd4617a4.png)
+
+3.  Enter details and create a new group.
+
+    ![Image of Microsoft Endpoint Manager portal](images/b1e0206d675ad07db218b63cd9b9abc3.png)
+
+4.  Add your test user or device.
+
+5.  From the **Groups > All groups** pane, open your new group.
+
+6.  Select  **Members > Add members**.
+
+7.  Find your test user or device and select it.
+
+    ![Image of Microsoft Endpoint Manager portal](images/149cbfdf221cdbde8159d0ab72644cd0.png)
+
+8.  Your testing group now has a member to test.
+
+## Create configuration policies
+In the following section, you'll create a number of configuration policies.
+First is a configuration policy to select which groups of users or devices will
+be onboarded to Microsoft Defender ATP. Then you will continue by creating several
+different types of Endpoint security policies.
+
+### Endpoint detection and response
+
+1.  Open the MEM portal.
+
+2.  Navigate to **Endpoint security > Endpoint detection and response**. Click
+    on **Create Profile**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/58dcd48811147feb4ddc17212b7fe840.png)
+
+3.  Under **Platform, select Windows 10 and Later, Profile - Endpoint detection
+    and response > Create**.
+
+4.  Enter a name and description, then select  **Next**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/a5b2d23bdd50b160fef4afd25dda28d4.png)
+
+5.  Select settings as required, then select  **Next**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/cea7e288b5d42a9baf1aef0754ade910.png)
+
+    >[!NOTE]
+    >In this instance, this has been auto populated as Microsoft Defender ATP has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender ATP in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp). <br>
+    
+
+    ![Image of Microsoft Endpoint Manager portal](images/2466460812371ffae2d19a10c347d6f4.png)
+
+6.  Add scope tags if necessary, then select  **Next**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/ef844f52ec2c0d737ce793f68b5e8408.png)
+
+7.  Add test group by clicking on **Select groups to include** and choose your group, then select  **Next**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/fc3525e20752da026ec9f46ab4fec64f.png)
+
+8.  Review and accept, then select  **Create**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/289172dbd7bd34d55d24810d9d4d8158.png)
+
+9.  You can view your completed policy.
+
+    ![Image of Microsoft Endpoint Manager portal](images/5a568b6878be8243ea2b9d82d41ed297.png)
+
+### Next-generation protection
+
+1.  Open the MEM portal.
+
+2.  Navigate to **Endpoint security > Antivirus > Create Policy**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/6b728d6e0d71108d768e368b416ff8ba.png)
+
+3.  Select **Platform - Windows 10 and Later - Windows and Profile – Microsoft
+    Defender Antivirus > Create**.
+
+4.  Enter name and description, then select  **Next**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/a7d738dd4509d65407b7d12beaa3e917.png)
+
+5.  In the **Configuration settings page**: Set the configurations you require for
+    Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time
+    Protection, and Remediation).
+
+    ![Image of Microsoft Endpoint Manager portal](images/3840b1576d6f79a1d72eb14760ef5e8c.png)
+
+6.  Add scope tags if necessary, then select  **Next**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/2055e4f9b9141525c0eb681e7ba19381.png)
+
+7.  Select groups to include, assign to your test group, then select  **Next**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/48318a51adee06bff3908e8ad4944dc9.png)
+
+8.  Review and create, then select  **Create**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/dfdadab79112d61bd3693d957084b0ec.png)
+
+9.  You'll see the configuration policy you created.
+
+    ![Image of Microsoft Endpoint Manager portal](images/38180219e632d6e4ec7bd25a46398da8.png)
+
+### Attack Surface Reduction – Attack surface reduction rules
+
+1.  Open the MEM portal.
+
+2.  Navigate to **Endpoint security > Attack surface reduction**.
+
+3.  Select  **Create Policy**.
+
+4.  Select **Platform - Windows 10 and Later – Profile - Attack surface reduction
+    rules > Create**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/522d9bb4288dc9c1a957392b51384fdd.png)
+
+5.  Enter a name and description, then select  **Next**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png)
+
+6.  In the **Configuration settings page**: Set the configurations you require for
+    Attack surface reduction rules, then select  **Next**.
+
+    >[!NOTE]
+    >We will be configuring all of the Attack surface reduction rules to Audit.
+
+    For more information, see [Attack surface reduction rules](attack-surface-reduction.md).
+
+    ![Image of Microsoft Endpoint Manager portal](images/dd0c00efe615a64a4a368f54257777d0.png)
+
+7.  Add Scope Tags as required, then select  **Next**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/6daa8d347c98fe94a0d9c22797ff6f28.png)
+
+8.  Select groups to include and assign to test group, then select  **Next**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/45cefc8e4e474321b4d47b4626346597.png)
+
+9. Review the details, then select  **Create**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/2c2e87c5fedc87eba17be0cdeffdb17f.png)
+
+10. View the policy.
+
+    ![Image of Microsoft Endpoint Manager portal](images/7a631d17cc42500dacad4e995823ffef.png)
+
+### Attack Surface Reduction – Web Protection
+
+1.  Open the MEM portal.
+
+2.  Navigate to **Endpoint security > Attack surface reduction**.
+
+3.  Select  **Create Policy**.
+
+4.  Select **Windows 10 and Later – Web protection > Create**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png)
+
+5.  Enter a name and description, then select  **Next**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/5be573a60cd4fa56a86a6668b62dd808.png)
+
+6.  In the **Configuration settings page**: Set the configurations you require for
+   Web Protection, then select  **Next**.
+
+    >[!NOTE]
+    >We are configuring Web Protection to Block.
+
+    For more information, see [Web Protection](web-protection-overview.md).
+
+    ![Image of Microsoft Endpoint Manager portal](images/6104aa33a56fab750cf30ecabef9f5b6.png)
+
+7.  Add **Scope Tags as required > Next**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/6daa8d347c98fe94a0d9c22797ff6f28.png)
+
+8.  Select **Assign to test group > Next**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/45cefc8e4e474321b4d47b4626346597.png)
+
+9.  Select **Review and Create > Create**.
+
+    ![Image of Microsoft Endpoint Manager portal](images/8ee0405f1a96c23d2eb6f737f11c1ae5.png)
+
+10. View the policy.
+
+    ![Image of Microsoft Endpoint Manager portal](images/e74f6f6c150d017a286e6ed3dffb7757.png)
+
+## Validate configuration settings
+
+
+### Confirm Policies have been applied
+
+
+Once the Configuration policy has been assigned, it will take some time to apply.
+
+For information on timing, see [Intune configuration information](https://docs.microsoft.com/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
+
+To confirm that the configuration policy has been applied to your test device, follow the following process for each configuration policy.
+
+1.  Open the MEM portal and navigate to the relevant policy as shown in the
+    steps above. The following example shows the next generation protection settings.
+
+    ![Image of Microsoft Endpoint Manager portal](images/43ab6aa74471ee2977e154a4a5ef2d39.png)
+
+2.  Select  the **Configuration Policy** to view the policy status.
+
+    ![Image of Microsoft Endpoint Manager portal](images/55ecaca0e4a022f0e29d45aeed724e6c.png)
+
+3.  Select  **Device Status** to see the status.
+
+    ![Image of Microsoft Endpoint Manager portal](images/18a50df62cc38749000dbfb48e9a4c9b.png)
+
+4.  Select  **User Status** to see the status.
+
+    ![Image of Microsoft Endpoint Manager portal](images/4e965749ff71178af8873bc91f9fe525.png)
+
+5.  Select  **Per-setting status** to see the status.
+
+    >[!TIP]
+    >This view is very useful to identify any settings that conflict with another policy.
+
+    ![Image of Microsoft Endpoint Manager portal](images/42acc69d0128ed09804010bdbdf0a43c.png)
+
+### Endpoint detection and response
+
+
+1.  Before applying the configuration, the Microsoft Defender ATP
+    Protection service should not be started.
+
+    ![Image of Services panel](images/b418a232a12b3d0a65fc98248dbb0e31.png)
+
+2.  After the configuration has been applied, the Microsoft Defender ATP
+    Protection Service should be started.
+
+    ![Image of Services panel](images/a621b699899f1b41db211170074ea59e.png)
+
+3.  After the services are running on the device, the device appears in Microsoft
+    Defender Security Center.
+
+    ![Image of Microsoft Defender Security Center](images/df0c64001b9219cfbd10f8f81a273190.png)
+
+### Next-generation protection
+
+1.  Before applying the policy on a test device, you should be able to manually
+    manage the settings as shown below.
+
+    ![Image of setting page](images/88efb4c3710493a53f2840c3eac3e3d3.png)
+
+2.  After the policy has been applied, you should not be able to manually manage
+    the settings.
+
+    >[!NOTE]
+    > In the following image **Turn on cloud-delivered protection** and
+    **Turn on real-time protection** are being shown as managed.
+
+    ![Image of setting page](images/9341428b2d3164ca63d7d4eaa5cff642.png)
+
+### Attack Surface Reduction – Attack surface reduction rules
+
+
+1.  Before applying the policy on a test device, pen a PowerShell Window and type `Get-MpPreference`.
+
+2.  This should respond with the following lines with no content:
+
+    AttackSurfaceReductionOnlyExclusions:
+
+    AttackSurfaceReductionRules_Actions:
+
+    AttackSurfaceReductionRules_Ids:
+
+    ![Image of command line](images/cb0260d4b2636814e37eee427211fe71.png)
+
+3.  After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`.
+
+4.  This should respond with the following lines with content as shown below:
+
+    ![Image of command line](images/619fb877791b1fc8bc7dfae1a579043d.png)
+
+### Attack Surface Reduction – Web Protection
+
+1.  On the test device, open a PowerShell Windows and type
+    `(Get-MpPreference).EnableNetworkProtection`.
+
+2.  This should respond with a 0 as shown below.
+
+    ![Image of command line](images/196a8e194ac99d84221f405d0f684f8c.png)
+
+3.  After applying the policy, open a PowerShell Windows and type
+    `(Get-MpPreference).EnableNetworkProtection`.
+
+4.  This should respond with a 1 as shown below.
+
+    ![Image of command line](images/c06fa3bbc2f70d59dfe1e106cd9a4683.png)

windows/security/threat-protection/microsoft-defender-atp/onboarding.md

@@ -51,343 +51,21 @@ You are currently in the onboarding phase.
 
 
 
-To deploy Microsoft Defender ATP, you'll need to onboard devices to the service. Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements. 
+To deploy Microsoft Defender ATP, you'll need to onboard devices to the service.
 
-The deployment guide uses Microsoft Endpoint Configuration Manager as the management tool to demonstrate an end-to-end deployment. 
+Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements. 
 
-This article will guide you on:
+After onboarding the devices, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction. 
-- Setting up Microsoft Endpoint Configuration Manager 
+
+
+This article provides resources to guide you on:
+- Using various management tools to onboard devices
+    - [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md)
+    - [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
 - Endpoint detection and response configuration
 - Next-generation protection configuration
 - Attack surface reduction configuration
 
-## Onboarding using Microsoft Endpoint Configuration Manager 
+## Related topics
-### Collection creation
+- [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md)
-To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
+- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
-deployment can target either and existing collection or a new collection can be
-created for testing. The onboarding like group policy or manual method does
-not install any agent on the system. Within the Configuration Manager console
-the onboarding process will be configured as part of the compliance settings
-within the console. Any system that receives this required configuration will
-maintain that configuration for as long as the Configuration Manager client
-continues to receive this policy from the management point. Follow the steps
-below to onboard systems with Configuration Manager.
-
-1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.            
-
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-device-collections.png)
-
-2. Right Click **Device Collection** and select **Create Device Collection**.
-
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-device-collection.png)
-
-3. Provide a **Name** and **Limiting Collection**, then select **Next**.
-
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-limiting-collection.png)
-
-4. Select **Add Rule** and choose **Query Rule**.
-
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-query-rule.png)
-
-5.  Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
-
-     ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-direct-membership.png)
-
-6. Select **Criteria** and then choose the star icon.
-
-     ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-criteria.png)
-
-7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**.
-
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-simple-value.png)
-
-8. Select **Next** and **Close**.
-
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-membership-rules.png)
-
-9. Select **Next**.
-
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-confirm.png)
-
-After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. 
-
-## Endpoint detection and response
-### Windows 10
-From within the Microsoft Defender Security Center it is possible to download
-the '.onboarding' policy that can be used to create the policy in System Center Configuration
-Manager and deploy that policy to Windows 10 devices.
-
-1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
-
-
-
-2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**.
-
-    ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-onboarding-wizard.png)
-
-3. Select **Download package**.
-
-    ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-download-package.png)
-
-4. Save the package to an accessible location.
-5. In  Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
-
-6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
-
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-policy.png)
-
-7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
-
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-policy-name.png)
-
-8. Click **Browse**.
-
-9. Navigate to the location of the downloaded file from step 4 above.
-
-10. Click **Next**.
-11. Configure the Agent with the appropriate samples (**None** or **All file types**).
-
-    ![Image of configuration settings](images/configmgr-config-settings.png)
-
-12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
-
-    ![Image of configuration settings](images/configmgr-telemetry.png)
-
-14. Verify the configuration, then click **Next**.
-
-     ![Image of configuration settings](images/configmgr-verify-configuration.png)
-
-15. Click **Close** when the Wizard completes.
-
-16.  In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
-
-     ![Image of configuration settings](images/configmgr-deploy.png)
-
-17. On the right panel, select the previously created collection and click **OK**.
-
-    ![Image of configuration settings](images/configmgr-select-collection.png)
-
-
-### Previous versions of Windows Client (Windows 7 and Windows 8.1)
-Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
-
-1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
-
-2. Under operating system choose **Windows 7 SP1 and 8.1**.
-
-3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
-
-    ![Image of onboarding](images/91b738e4b97c4272fd6d438d8c2d5269.png)
-
-4. Install the Microsoft Monitoring Agent (MMA). <br>
-    MMA is currently (as of January 2019) supported on the following Windows Operating
-    Systems:
-
-    -   Server SKUs: Windows Server 2008 SP1 or Newer
-
-    -   Client SKUs: Windows 7 SP1 and later
-
-    The MMA agent will need to be installed on Windows devices. To install the
-    agent, some systems will need to download the [Update for customer experience
-    and diagnostic
-    telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
-    in order to collect the data with MMA. These system versions include but may not
-    be limited to:
-
-    -   Windows 8.1
-
-    -   Windows 7
-
-    -   Windows Server 2016
-
-    -   Windows Server 2012 R2
-
-    -   Windows Server 2008 R2
-
-    Specifically, for Windows 7 SP1, the following patches must be installed:
-
-    -   Install
-        [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
-
-    -   Install either [.NET Framework
-        4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
-        later) **or**
-        [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
-        Do not install both on the same system.
-
-5. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
-
-Once completed, you should see onboarded endpoints in the portal within an hour.
-
-## next-generation protection 
-Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers.
-
-1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
-
-    ![Image of antimalware policy](images/9736e0358e86bc778ce1bd4c516adb8b.png)
-
-2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence   updates** and choose **OK**.
-
-    ![Image of next-generation protection pane](images/1566ad81bae3d714cc9e0d47575a8cbd.png)
-
-    In certain industries or some select enterprise customers might have specific
-needs on how Antivirus is configured.
-
-  
-    [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
-
-    For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
-  
-    
-    ![Image of next-generation protection pane](images/cd7daeb392ad5a36f2d3a15d650f1e96.png)
-
-    ![Image of next-generation protection pane](images/36c7c2ed737f2f4b54918a4f20791d4b.png)
-
-    ![Image of next-generation protection pane](images/a28afc02c1940d5220b233640364970c.png)
-
-    ![Image of next-generation protection pane](images/5420a8790c550f39f189830775a6d4c9.png)
-
-    ![Image of next-generation protection pane](images/33f08a38f2f4dd12a364f8eac95e8c6b.png)
-
-    ![Image of next-generation protection pane](images/41b9a023bc96364062c2041a8f5c344e.png)
-
-    ![Image of next-generation protection pane](images/945c9c5d66797037c3caeaa5c19f135c.png)
-
-    ![Image of next-generation protection pane](images/3876ca687391bfc0ce215d221c683970.png)
-
-3. Right-click on the newly created antimalware policy and select **Deploy**.
-
-    ![Image of next-generation protection pane](images/f5508317cd8c7870627cb4726acd5f3d.png)
-
-4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
-
-     ![Image of next-generation protection pane](images/configmgr-select-collection.png)
-
-After completing this task, you now have successfully configured Windows
-Defender Antivirus.
-
-## Attack surface reduction
-The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit
-Protection. 
-
-All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode.
-
-To set ASR rules in Audit mode:
-
-1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
-
-   ![Image of Microsoft Endpoint Configuration Manager console](images/728c10ef26042bbdbcd270b6343f1a8a.png)
-
-
-2.  Select **Attack Surface Reduction**.
-   
-
-3. Set rules to **Audit** and click **Next**.
-
-    ![Image of Microsoft Endpoint Configuration Manager console](images/d18e40c9e60aecf1f9a93065cb7567bd.png)
-
-4. Confirm the new Exploit Guard policy by clicking on **Next**.
-
-    ![Image of Microsoft Endpoint Configuration Manager console](images/0a6536f2c4024c08709cac8fcf800060.png)
-
-    
-5. Once the policy is created click **Close**.
-
-    ![Image of Microsoft Endpoint Configuration Manager console](images/95d23a07c2c8bc79176788f28cef7557.png)
-
-    
-
-6.  Right-click on the newly created policy and choose **Deploy**.
-    
-    ![Image of Microsoft Endpoint Configuration Manager console](images/8999dd697e3b495c04eb911f8b68a1ef.png)
-
-7. Target the policy to the newly created Windows 10 collection and click **OK**.
-
-    ![Image of Microsoft Endpoint Configuration Manager console](images/0ccfe3e803be4b56c668b220b51da7f7.png)
-
-After completing this task, you now have successfully configured ASR rules in audit mode.  
-  
-Below are additional steps to verify whether ASR rules are correctly applied to
-endpoints. (This may take few minutes)
-
-
-1. From a web browser, navigate to <https://securitycenter.windows.com>.
-
-2.  Select **Configuration management** from left side menu.
-
-3. Click **Go to attack surface management** in the Attack surface management panel. 
-    
-    ![Image of attack surface management](images/security-center-attack-surface-mgnt-tile.png)
-
-4. Click **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
-
-    ![A screenshot of attack surface reduction rules reports](images/f91f406e6e0aae197a947d3b0e8b2d0d.png)
-
-5. Click each device shows configuration details of ASR rules.
-
-    ![A screenshot of attack surface reduction rules reports](images/24bfb16ed561cbb468bd8ce51130ca9d.png)
-
-See [Optimize ASR rule deployment and
-detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr)   for more details.  
-
-
-### To set Network Protection rules in Audit mode:
-1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and  Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
-
-    ![A screenshot System Center Configuration Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png)
-
-2. Select **Network protection**.
-
-3. Set the setting to **Audit** and click **Next**. 
-
-    ![A screenshot System Center Confirugatiom Manager](images/c039b2e05dba1ade6fb4512456380c9f.png)
-
-4. Confirm the new Exploit Guard Policy by clicking **Next**.
-    
-    ![A screenshot Exploit GUard policy](images/0a6536f2c4024c08709cac8fcf800060.png)
-
-5. Once the policy is created click on **Close**.
-
-    ![A screenshot Exploit GUard policy](images/95d23a07c2c8bc79176788f28cef7557.png)
-
-6. Right-click on the newly created policy and choose **Deploy**.
-
-    ![A screenshot Microsoft Endpoint Configuration Manager ](images/8999dd697e3b495c04eb911f8b68a1ef.png)
-
-7. Select the policy to the newly created Windows 10 collection and choose **OK**.
-
-    ![A screenshot Microsoft Endpoint Configuration Manager ](images/0ccfe3e803be4b56c668b220b51da7f7.png)
-
-After completing this task, you now have successfully configured Network
-Protection in audit mode.
-
-### To set Controlled Folder Access rules in Audit mode:
-
-1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
-
-    ![A screenshot of Microsoft Endpoint Configuration Manager ](images/728c10ef26042bbdbcd270b6343f1a8a.png)
-
-2. Select **Controlled folder access**.
-    
-3. Set the configuration to **Audit** and click **Next**.
-
-    ![A screenshot of Microsoft Endpoint Configuration Manager ](images/a8b934dab2dbba289cf64fe30e0e8aa4.png)    
-    
-4. Confirm the new Exploit Guard Policy by clicking on **Next**.
-
-    ![A screenshot of Microsoft Endpoint Configuration Manager ](images/0a6536f2c4024c08709cac8fcf800060.png)
-
-5. Once the policy is created click on **Close**.
-
-    ![A screenshot of Microsoft Endpoint Configuration Manager ](images/95d23a07c2c8bc79176788f28cef7557.png)
-
-6. Right-click on the newly created policy and choose **Deploy**.
-
-    ![A screenshot of Microsoft Endpoint Configuration Manager ](images/8999dd697e3b495c04eb911f8b68a1ef.png)
-
-7.  Target the policy to the newly created Windows 10 collection and click **OK**.
-
-    ![A screenshot of Microsoft Endpoint Configuration Manager ](images/0ccfe3e803be4b56c668b220b51da7f7.png)
-
-You have now successfully configured Controlled folder access in audit mode.
-

windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md

@@ -23,12 +23,13 @@ ms.topic: conceptual
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
 
-[!include[Prerelease information](../../includes/prerelease.md)]
-
 Threat and vulnerability management uses the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
 
 The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.
 
+>[!NOTE]
+>If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by threat and vulnerability management.
+
 >[!IMPORTANT]
 >To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network:
 >- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)

windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md

@@ -76,10 +76,18 @@ To add a new policy:
 4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories.
 5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected devices.
 
+Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.
+
 >[!NOTE]
 >If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment.
 
->ProTip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.
+### Allow specific websites
+
+It is possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it is applied to the device group in question.
+
+1. Create a custom indicator in the Microsoft Defender Security Center by going to **Settings** > **Indicators** > **URL/Domain** > **Add Item**
+2. Enter the domain of the site
+3. Set the policy action to **Allow**.  
 
 ## Web content filtering cards and details
 

windows/security/threat-protection/security-compliance-toolkit-10.md

@@ -45,11 +45,13 @@ The Security Compliance Toolkit consists of:
     - Microsoft 365 Apps for enterprise (Sept 2019)
 
 - Microsoft Edge security baseline
-    - Version 80
+    - Version 85
 
 - Tools
     - Policy Analyzer tool
     - Local Group Policy Object (LGPO) tool
+    - Set Object Security tool
+    - GPO to PolicyRules tool
 
 -   Scripts
     -   Baseline-ADImport.ps1
@@ -81,3 +83,15 @@ It can export local policy to a GPO backup.
 It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
 
 Documentation for the LGPO tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+
+## What is the Set Object Security tool?
+
+SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc.). For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value.
+
+Documentation for the Set Object Security tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+
+## What is the GPO to Policy Rules tool?
+
+Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download. 
+
+Documentation for the GPO to PolicyRules tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).

windows/whats-new/ltsc/whats-new-windows-10-2019.md

@@ -46,7 +46,7 @@ This version of Window 10 includes security improvements for threat protection,
 
 #### Windows Defender ATP
 
-The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. 
+The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform includes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. 
 
 ![Windows Defender ATP](../images/wdatp.png)
 
@@ -99,7 +99,7 @@ Endpoint detection and response is improved. Enterprise customers can now take a
   - Upgraded detections of ransomware and other advanced attacks.
   - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed.
 
-  **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach:
+  **Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach:
 - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
   - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
 
@@ -185,7 +185,7 @@ Improvements have been added are to Windows Hello for Business and Credential Gu
 
 New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when  you are not present.
 
-New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude: 
+New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) include: 
 - You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
 - For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal.
 - For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset).
@@ -208,7 +208,7 @@ Windows Defender Credential Guard has always been an optional feature, but Windo
 
 For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
 
-### Other security improvments
+### Other security improvements
 
 #### Windows security baselines
 
@@ -259,17 +259,6 @@ Using Intune, Autopilot now enables locking the device during provisioning durin
 
 You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices).
 
-#### Windows Autopilot self-deploying mode
-
-Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. 
-
-This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. 
-
-You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. 
-
-To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). 
-
-
 #### Autopilot Reset	
 
 IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset).
@@ -413,7 +402,7 @@ If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.micro
 
 ### Co-management
 
-Intune and Microsoft Endpoint Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
+Intune and Microsoft Endpoint Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
 
 For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
 
@@ -456,7 +445,7 @@ Windows Update for Business now provides greater control over updates, with the
 The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
 
 
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
 
 WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
 
@@ -465,7 +454,7 @@ Windows Update for Business now provides greater control over updates, with the
 The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
 
 
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
 
 WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).