This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| * (asterisk) |
Replaces any number of characters.
Only applies to files in the last folder defined in the argument. |
- Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders. After matching the number of wilcarded and named folders, all subfolders will also be included. |
+ Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders will also be included. |
- C:\MyData\*.txt
@@ -227,7 +225,7 @@ The following table describes how the wildcards can be used and provides some ex
|
Replaces a single character in a folder name.
- After matching the number of wilcarded and named folders, all subfolders will also be included.
+ After matching the number of wild carded and named folders, all subfolders will also be included.
|
@@ -264,15 +262,20 @@ The following table describes how the wildcards can be used and provides some ex
>[!IMPORTANT]
>If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
>
->For example, you can exclude all files that start with "date" in the folders *c:\data\final\marked* and *c:\data\review\marked* by using the rule argument c:\data\\\*\marked\date*.\*.
+>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument c:\data\\\*\marked\date*.\*.
>
->This argument, however, will not match any files in **subfolders** under *c:\data\final\marked* or *c:\data\review\marked*.
+>This argument, however, will not match any files in **subfolders** under `c:\data\final\marked` or `c:\data\review\marked`.
## Review the list of exclusions
-You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), MpCmdRun, PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
+You can retrieve the items in the exclusion list using one of the following methods:
+- [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
+- [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings)
+- MpCmdRun
+- PowerShell
+- [Windows Security app](windows-defender-security-center-antivirus.md#exclusions)
>[!IMPORTANT]
>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
@@ -284,7 +287,7 @@ If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
-**Validate the exclusion list by using MpCmdRun:**
+### Validate the exclusion list by using MpCmdRun
To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
@@ -295,7 +298,7 @@ MpCmdRun.exe -CheckExclusion -path
>[!NOTE]
>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
-**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:**
+### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
@@ -307,9 +310,9 @@ In the following example, the items contained in the `ExclusionExtension` list a
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
-**Retrieve a specific exclusions list by using PowerShell:**
+### Retrieve a specific exclusions list by using PowerShell
Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
@@ -323,7 +326,7 @@ In the following example, the list is split into new lines for each use of the `
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
@@ -331,15 +334,15 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use
You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
-In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace *test.txt* with *test.testing*. If you are testing a path, ensure you run the cmdlet within that path.
+In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure you run the cmdlet within that path.
```PowerShell
Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
```
-If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
+If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html).
-You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
+You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
```PowerShell
$client = new-object System.Net.WebClient
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
index 499df8dfac..c51a7da9ea 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index d600158473..a562fd5f60 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 10/08/2018
ms.reviewer:
manager: dansimp
@@ -24,9 +25,9 @@ manager: dansimp
To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
-This topic lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-delivered protection services.
+This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services.
-See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity.
+See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity.
>[!TIP]
>You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
@@ -37,7 +38,7 @@ See the Enterprise Mobility and Security blog post [Important changes to Microso
## Allow connections to the Windows Defender Antivirus cloud service
-The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides very important protection against malware on your endpoints and across your network.
+The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
@@ -46,18 +47,18 @@ See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender
After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
-As a cloud service, it is required that computers have access to the internet and that the ATP machine learning services are reachable. The URL: "\*.blob.core.windows.net" should not be excluded from any kind of network inspection. The table below lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL: "\*.blob.core.windows.net"). Below mention URLs are using port 443 for communication.
+Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.
| **Service**| **Description** |**URL** |
| :--: | :-- | :-- |
-| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|\*.wdcp.microsoft.com \*.wdcpalt.microsoft.com \*.wd.microsoft.com|
-| *Microsoft Update Service (MU)*| Security intelligence and product updates |\*.update.microsoft.com|
-| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| \*.download.microsoft.com|
-| *Malware submission storage*|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net |
-| *Certificate Revocation List (CRL)*|Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs |
-| *Symbol Store*|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols |
-| *Universal Telemetry Client*| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: vortex-win.data.microsoft.com settings-win.data.microsoft.com|
+| Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Windows Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
`*.wdcpalt.microsoft.com`
`*.wd.microsoft.com`|
+| Microsoft Update Service (MU)| Security intelligence and product updates |`*.update.microsoft.com`|
+|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`|
+| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`ussas1eastprod.blob.core.windows.net`
`ussas1southeastprod.blob.core.windows.net`
`ussau1eastprod.blob.core.windows.net`
`ussau1southeastprod.blob.core.windows.net` |
+| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
`https://www.microsoft.com/pkiops/certs`
`https://crl.microsoft.com/pki/crl/products`
`https://www.microsoft.com/pki/certs` |
+| Symbol Store|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
+| Universal Telemetry Client| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`|
## Validate connections between your network and the cloud
@@ -66,7 +67,7 @@ After whitelisting the URLs listed above, you can test if you are connected to t
**Use the cmdline tool to validate cloud-delivered protection:**
-Use the following argument with the Windows Defender Antivirus command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender Antivirus cloud service:
+Use the following argument with the Windows Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Windows Defender Antivirus cloud service:
```DOS
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
@@ -75,7 +76,7 @@ Use the following argument with the Windows Defender Antivirus command line util
> [!NOTE]
> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher.
-See [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.
+For more information, see [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md).
**Attempt to download a fake malware file from Microsoft:**
@@ -112,16 +113,19 @@ You will also see a detection under **Quarantined threats** in the **Scan histor
>[!NOTE]
->Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md) for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces.
+>Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md).
The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md).
>[!IMPORTANT]
>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity.
-## Related topics
+## Related articles
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+
- [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)
-- [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/)
+
+- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
index 61c02f6a88..6bd6aeb7b2 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
index d2191e0488..36714d75c3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 12/10/2018
ms.reviewer:
manager: dansimp
@@ -52,15 +53,15 @@ You can [configure how locally and globally defined exclusions lists are merged]
-**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:**
+### Use Microsoft Intune to exclude files that have been opened by specified processes from scans
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
-**Use System Center Configuration Manager to exclude files that have been opened by specified processes from scans:**
+### Use System Center Configuration Manager to exclude files that have been opened by specified processes from scans
See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
-**Use Group Policy to exclude files that have been opened by specified processes from scans:**
+### Use Group Policy to exclude files that have been opened by specified processes from scans
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -80,7 +81,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
-**Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:**
+### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
@@ -109,7 +110,7 @@ Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:**
+### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans
Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
@@ -125,7 +126,7 @@ See the following for more information and allowed parameters:
-**Use the Windows Security app to exclude files that have been opened by specified processes from scans:**
+### Use the Windows Security app to exclude files that have been opened by specified processes from scans
See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
@@ -156,7 +157,7 @@ If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
-**Validate the exclusion list by using MpCmdRun:**
+### Validate the exclusion list by using MpCmdRun
To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
@@ -168,7 +169,7 @@ MpCmdRun.exe -CheckExclusion -path
>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
-**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:**
+### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
@@ -178,7 +179,7 @@ Get-MpPreference
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Retrieve a specific exclusions list by using PowerShell:**
+### Retrieve a specific exclusions list by using PowerShell
Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
@@ -189,7 +190,7 @@ $WDAVprefs.ExclusionProcess
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-## Related topics
+## Related articles
- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
index c1495c80c6..8e6f966e08 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
index 90c2964d84..b62d657934 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
@@ -9,11 +9,12 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
ms.date: 11/13/2018
ms.reviewer:
manager: dansimp
+ms.custom: nextgen
---
# Enable and configure antivirus always-on protection and monitoring
@@ -59,7 +60,7 @@ Root | Allow antimalware service to remain running always | If protection update
The main real-time protection capability is enabled by default, but you can disable it with Group Policy:
-**Use Group Policy to disable real-time protection:**
+### Use Group Policy to disable real-time protection
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -69,7 +70,7 @@ The main real-time protection capability is enabled by default, but you can disa
4. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**.
-## Related topics
+## Related articles
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
index 2b5bb82466..9702fdb478 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index caae6efc4e..85b7b015a3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -11,8 +11,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
---
# Configure Windows Defender Antivirus exclusions on Windows Server
@@ -35,8 +36,6 @@ Custom exclusions take precedence over automatic exclusions.
> [!TIP]
> Custom and duplicate exclusions do not conflict with automatic exclusions.
-
-
Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
## Opt out of automatic exclusions
@@ -54,7 +53,7 @@ In Windows Server 2016, the predefined exclusions delivered by Security intellig
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
-**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
+### Use Group Policy to disable the auto-exclusions list on Windows Server 2016
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -74,7 +73,7 @@ Set-MpPreference -DisableAutoExclusions $true
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016:**
+### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
@@ -294,6 +293,7 @@ This section lists the exclusions that are delivered automatically when you inst
- %systemroot%\System32\lsass.exe
### DHCP Server exclusions
+
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
- *%systemroot%*\System32\DHCP\\*\\\*.mdb
@@ -307,6 +307,7 @@ This section lists the exclusions that are delivered automatically when you inst
- *%systemroot%*\System32\DHCP\\*\\\*.edb
### DNS Server exclusions
+
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role.
- File and folder exclusions for the DNS Server role:
@@ -324,6 +325,7 @@ This section lists the file and folder exclusions and the process exclusions tha
- *%systemroot%*\System32\dns.exe
### File and Storage Services exclusions
+
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
- *%SystemDrive%*\ClusterStorage
@@ -333,6 +335,7 @@ This section lists the file and folder exclusions that are delivered automatical
- *%SystemDrive%*\mscs
### Print Server exclusions
+
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role.
- File type exclusions:
@@ -350,6 +353,7 @@ This section lists the file type exclusions, folder exclusions, and the process
- spoolsv.exe
### Web Server exclusions
+
This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role.
- Folder exclusions:
@@ -373,6 +377,7 @@ This section lists the folder exclusions and the process exclusions that are del
- *%SystemDrive%*\PHP5433\php-cgi.exe
### Windows Server Update Services exclusions
+
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
- *%systemroot%*\WSUS\WSUSContent
@@ -383,7 +388,7 @@ This section lists the folder exclusions that are delivered automatically when y
- *%systemroot%*\SoftwareDistribution\Download
-## Related topics
+## Related articles
- [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
index da95773da3..d771955c80 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
index a700977d08..4e5666fd45 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
index b95dce5844..ad4a8eee3e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
index 4371855830..9f668be613 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index 307d8fcd7d..3dfe9a2e82 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -202,6 +203,6 @@ On Windows Server 2016, Windows Defender Antivirus will automatically deliver th
## Additional resources
-- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
+- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( https://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index acad6edc05..c9ade7db82 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
audience: ITPro
ms.date: 10/02/2018
ms.reviewer:
@@ -142,7 +143,7 @@ See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for det
Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus.
-## Related topics
+## Related articles
-- [Next gen protection](windows-defender-antivirus-in-windows-10.md)
+- [Next-generation protection](windows-defender-antivirus-in-windows-10.md)
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index c9aca52f0d..1bc4cdbd31 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -9,10 +9,11 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
ms.reviewer:
manager: dansimp
+ms.custom: nextgen
---
# Enable cloud-delivered protection
diff --git a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
index 33b7f2e9ab..6173192baf 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
index a5cbbeb7a7..8285dbdc5e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -26,9 +27,9 @@ manager: dansimp
Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
-It can only be enabled in certain situations. See [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products.
+It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md).
-**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the Windows Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
+**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a limited subset of the Windows Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
## How to enable limited periodic scanning
@@ -42,15 +43,15 @@ If another antivirus product is installed and working correctly, Windows Defende
-Underneath any 3rd party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning.
+Underneath any third party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning.
-Sliding the swtich to **On** will show the standard Windows Defender AV options underneath the 3rd party AV product. The limited periodic scanning option will appear at the bottom of the page.
+Sliding the switch to **On** will show the standard Windows Defender AV options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page.
-## Related topics
+## Related articles
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
index 805f9c697f..c238f05823 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -28,7 +29,7 @@ Windows Defender Antivirus allows you to determine if updates should (or should
You can use System Center Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan.
-**Use Configuration Manager to check for protection updates before running a scan:**
+### Use Configuration Manager to check for protection updates before running a scan
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
@@ -36,23 +37,23 @@ You can use System Center Configuration Manager, Group Policy, PowerShell cmdlet
3. Click **OK**.
-4.[Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+4. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
-**Use Group Policy to check for protection updates before running a scan:**
+### Use Group Policy to check for protection updates before running a scan
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**.
5. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**.
6. Click **OK**.
-**Use PowerShell cmdlets to check for protection updates before running a scan:**
+### Use PowerShell cmdlets to check for protection updates before running a scan
Use the following cmdlets:
@@ -60,9 +61,9 @@ Use the following cmdlets:
Set-MpPreference -CheckForSignaturesBeforeRunningScan
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index).
-**Use Windows Management Instruction (WMI) to check for protection updates before running a scan**
+### Use Windows Management Instruction (WMI) to check for protection updates before running a scan
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
@@ -70,20 +71,19 @@ Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com
CheckForSignaturesBeforeRunningScan
```
-See the following for more information:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+For more information, see [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
## Check for protection updates on startup
You can use Group Policy to force Windows Defender Antivirus to check and download protection updates when the machine is started.
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**.
@@ -91,21 +91,21 @@ You can use Group Policy to force Windows Defender Antivirus to check and downlo
You can also use Group Policy, PowerShell, or WMI to configure Windows Defender Antivirus to check for updates at startup even when it is not running.
-**Use Group Policy to download updates when Windows Defender Antivirus is not present:**
+### Use Group Policy to download updates when Windows Defender Antivirus is not present
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Using the **Group Policy Management Editor**, go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Security Intelligence Updates**.
5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**.
6. Click **OK**.
-**Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present:**
+### Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present
Use the following cmdlets:
@@ -113,43 +113,44 @@ Use the following cmdlets:
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
```
-See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present:**
+### Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present
-Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
+Use the [**Set** method of the **MSFT_MpPreference**](https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
```WMI
SignatureDisableUpdateOnStartupWithoutEngine
```
-See the following for more information:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+For more information, see [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
## Allow ad hoc changes to protection based on cloud-delivered protection
-Windows Defender AV can make changes to its protection based on cloud-delivered protection. This can occur outside of normal or scheduled protection updates.
+Windows Defender AV can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates.
If you have enabled cloud-delivered protection, Windows Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Windows Defender AV to automatically receive that protection update. Other important protection updates can also be applied.
-**Use Group Policy to automatically download recent updates based on cloud-delivered protection:**
+### Use Group Policy to automatically download recent updates based on cloud-delivered protection
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following:
- 1. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
- 2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
+
+5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**.
+
+6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**.
> [!NOTE]
> "Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.
-## Related topics
+## Related articles
- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
index ca75fa1e6f..fabe399119 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -32,7 +33,7 @@ When the user returns to work and logs on to their PC, Windows Defender Antiviru
If Windows Defender Antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md).
-**Use Configuration Manager to configure catch-up protection updates:**
+### Use Configuration Manager to configure catch-up protection updates
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
@@ -45,7 +46,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie
4. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
-**Use Group Policy to enable and configure the catch-up update feature:**
+### Use Group Policy to enable and configure the catch-up update feature
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -59,7 +60,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie
6. Click **OK**.
-**Use PowerShell cmdlets to configure catch-up protection updates:**
+### Use PowerShell cmdlets to configure catch-up protection updates
Use the following cmdlets:
@@ -69,7 +70,7 @@ Set-MpPreference -SignatureUpdateCatchupInterval
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to configure catch-up protection updates:**
+### Use Windows Management Instruction (WMI) to configure catch-up protection updates
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
@@ -81,13 +82,11 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-
-
## Set the number of days before protection is reported as out-of-date
You can also specify the number of days after which Windows Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender Antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source.
-**Use Group Policy to specify the number of days before protection is considered out-of-date:**
+### Use Group Policy to specify the number of days before protection is considered out-of-date
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -106,8 +105,6 @@ You can also specify the number of days after which Windows Defender Antivirus p
4. Click **OK**.
-
-
## Set up catch-up scans for endpoints that have not been scanned for a while
You can set the number of consecutive scheduled scans that can be missed before Windows Defender Antivirus will force a scan.
@@ -120,7 +117,7 @@ The process for enabling this feature is:
This feature can be enabled for both full and quick scans.
-**Use Group Policy to enable and configure the catch-up scan feature:**
+### Use Group Policy to enable and configure the catch-up scan feature
1. Ensure you have set up at least one scheduled scan.
@@ -140,7 +137,7 @@ This feature can be enabled for both full and quick scans.
> [!NOTE]
> The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run.
-**Use PowerShell cmdlets to configure catch-up scans:**
+### Use PowerShell cmdlets to configure catch-up scans
Use the following cmdlets:
@@ -152,7 +149,7 @@ Set-MpPreference -DisableCatchupQuickScan
See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to configure catch-up scans:**
+### Use Windows Management Instruction (WMI) to configure catch-up scans
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
@@ -165,7 +162,7 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-**Use Configuration Manager to configure catch-up scans:**
+### Use Configuration Manager to configure catch-up scans
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
@@ -175,8 +172,7 @@ See the following for more information and allowed parameters:
4. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
-
-## Related topics
+## Related articles
- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
index 146b92de6f..0185b12a58 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
@@ -10,8 +10,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -33,7 +34,7 @@ You can schedule updates for your endpoints by:
You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic for more information.
-**Use Configuration Manager to schedule protection updates:**
+## Use Configuration Manager to schedule protection updates
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
@@ -47,7 +48,7 @@ You can also randomize the times when each endpoint checks and downloads protect
5. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
-**Use Group Policy to schedule protection updates:**
+## Use Group Policy to schedule protection updates
> [!IMPORTANT]
> By default, Windows Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default.
@@ -65,8 +66,7 @@ You can also randomize the times when each endpoint checks and downloads protect
3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
-
-**Use PowerShell cmdlets to schedule protection updates:**
+## Use PowerShell cmdlets to schedule protection updates
Use the following cmdlets:
@@ -78,7 +78,7 @@ Set-MpPreference -SignatureUpdateInterval
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to schedule protection updates:**
+## Use Windows Management Instruction (WMI) to schedule protection updates
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
@@ -92,7 +92,7 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-## Related topics
+## Related articles
- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index e5efd9c691..775068abed 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -24,6 +25,7 @@ manager: dansimp
There are two types of updates related to keeping Windows Defender Antivirus up to date:
1. Protection updates
+
2. Product updates
You can also apply [Windows security baselines](https://technet.microsoft.com/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection.
@@ -34,7 +36,6 @@ Windows Defender Antivirus uses both [cloud-delivered protection](utilize-micros
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
-
## Product updates
Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
index 179c55aac4..94b9e04752 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -46,7 +47,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
2. Use a VBScript to create a script, then run it on each computer in your network.
3. Manually opt-in every computer on your network through the **Settings** menu.
-**Use Group Policy to opt-in to Microsoft Update:**
+### Use Group Policy to opt-in to Microsoft Update
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -54,18 +55,17 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
4. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
-**Use a VBScript to opt-in to Microsoft Update**
+### Use a VBScript to opt-in to Microsoft Update
1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
2. Run the VBScript you created on each computer in your network.
-
-**Manually opt-in to Microsoft Update**
+### Manually opt-in to Microsoft Update
1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in.
2. Click **Advanced** options.
@@ -75,7 +75,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source.
-**Use Group Policy to prevent security intelligence updates on battery power:**
+### Use Group Policy to prevent security intelligence updates on battery power
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -89,10 +89,7 @@ You can configure Windows Defender Antivirus to only download protection updates
2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power.
-
-
-
-## Related topics
+## Related articles
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Update and manage Windows Defender Antivirus in Windows 10](deploy-manage-report-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index acfa9717f3..5eb2cef516 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -14,6 +14,7 @@ ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
+ms.custom: nextgen
---
# Protect security settings with Tamper Protection
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
index 583e4365b4..8f6ebb3c64 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -34,52 +35,49 @@ With the setting set to **Enabled**:
With the setting set to **Disabled** or not configured:
-
+
>[!NOTE]
->Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+>Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app."
-In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning "Your system administrator has restricted access to this app.":
+
-
+## Use Group Policy to hide the Windows Defender AV interface from users
-**Use Group Policy to hide the Windows Defender AV interface from users:**
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
+3. Click **Administrative templates**.
-4. Click **Administrative templates**.
+4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
+5. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**.
-6. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**.
-
-
-Also see the [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topic for more options on preventing users form modifying protection on their PCs.
+See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs.
## Prevent users from pausing a scan
-You can prevent users from pausing scans. This can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
+You can prevent users from pausing scans, which can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
+### Use Group Policy to prevent users from pausing a scan
-**Use Group Policy to prevent users from pausing a scan:**
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
+3. Click **Administrative templates**.
-4. Click **Administrative templates**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**.
-
-6. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**.
-
-
-## Related topics
+5. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**.
+## Related articles
- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+
- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)
+
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
index 41a8f3094f..16f606bbae 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Monitor and report on Windows Defender Antivirus protection
-description: Use Configuration Manager or SIEM tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI.
+description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI.
keywords: siem, monitor, report, windows defender av
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -22,24 +23,22 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender Antivirus.
-
-You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
+With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings.
+If you have a third-party security information and event management (SIEM) server, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx).
-If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx).
+Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md).
-Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security audting](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md).
-
-These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/library/windows/desktop/bb427443(v=vs.85).aspx). It is common practice for SIEMs to have connectors for Windows events. This technique allows for correlation of all security events from the machine in the SIEM.
+These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/library/windows/desktop/bb427443(v=vs.85).aspx). Often, SIEM servers have connectors for Windows events, allowing you to correlate all security events in your SIEM server.
You can also [monitor malware events using the Malware Assessment solution in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-malware).
For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref2).
-## Related topics
+## Related articles
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+
- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
index 68c4accc82..f99aa7584f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 11/16/2018
ms.reviewer:
manager: dansimp
@@ -32,7 +33,7 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y
> [!NOTE]
> You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV.
-## Related topics
+## Related articles
- [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
- [Review scan results](review-scan-results-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
index 1c07b37c51..78fed4d5d4 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -25,18 +26,17 @@ manager: dansimp
After an Windows Defender Antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results.
-**Use Microsoft Intune to review scan results:**
+## Use Microsoft Intune to review scan results
1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
2. Click the scan results in **Device actions status**.
-**Use Configuration Manager to review scan results:**
+## Use Configuration Manager to review scan results
See [How to monitor Endpoint Protection status](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection).
-
-**Use the Windows Security app to review scan results:**
+## Use the Windows Security app to review scan results
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -45,10 +45,7 @@ See [How to monitor Endpoint Protection status](https://docs.microsoft.com/sccm/
- Click **See full history** for any of the sections to see previous detections and the action taken. You can also clear the list.
- Information about the last scan is displayed at the bottom of the page.
-
-
-
-**Use PowerShell cmdlets to review scan results:**
+## Use PowerShell cmdlets to review scan results
The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat, each detection will be listed separately, based on the time of each detection:
@@ -70,15 +67,12 @@ Get-MpThreat
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to review scan results:**
+## Use Windows Management Instruction (WMI) to review scan results
Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) classes.
-
-
-
-## Related topics
+## Related articles
- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
index 4c62952e60..66db88455e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -38,49 +39,40 @@ A full scan can be useful on endpoints that have encountered a malware threat to
>[!NOTE]
>By default, quick scans run on mounted removable devices, such as USB drives.
-**Use Configuration Manager to run a scan:**
+## Use Configuration Manager to run a scan
See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
-**Use the mpcmdrun.exe command-line utility to run a scan:**
+## Use the mpcmdrun.exe command-line utility to run a scan
Use the following `-scan` parameter:
```DOS
mpcmdrun.exe -scan -scantype 1
```
-
-
-
See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
-
-
-**Use Microsoft Intune to run a scan:**
+## Use Microsoft Intune to run a scan
1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
2. Select **...More** and then select **Quick Scan** or **Full Scan**.
-**Use the Windows Security app to run a scan:**
+## Use the Windows Security app to run a scan
See [Run a scan in the Windows Security app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
-
-
-**Use PowerShell cmdlets to run a scan:**
+## Use PowerShell cmdlets to run a scan
Use the following cmdlet:
```PowerShell
Start-MpScan
```
-
-
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to run a scan:**
+## Use Windows Management Instruction (WMI) to run a scan
Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/library/dn455324(v=vs.85).aspx#methods) class.
@@ -88,8 +80,7 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-## Related topics
-
+## Related articles
- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
index bf6852066d..e49771c6ae 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 12/10/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
index f8a9335f5f..e6b6bf10d0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
@@ -9,11 +9,12 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
+ms.custom: nextgen
---
# Specify the cloud-delivered protection level
@@ -27,9 +28,7 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-
-
-**Use Intune to specify the level of cloud-delivered protection:**
+## Use Intune to specify the level of cloud-delivered protection
1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **All services > Intune**.
@@ -46,13 +45,15 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
-**Use Configuration Manager to specify the level of cloud-delivered protection:**
+## Use Configuration Manager to specify the level of cloud-delivered protection
-1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
-**Use Group Policy to specify the level of cloud-delivered protection:**
+## Use Group Policy to specify the level of cloud-delivered protection
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx).
+
+2. Right-click the Group Policy Object you want to configure, and then click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
@@ -60,20 +61,19 @@ For more information about Intune device profiles, including how to create and c
5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
-1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
- 1. **Default Windows Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.
- 2. **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
- 3. **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
- 4. **Zero tolerance blocking level** blocks all unknown executables.
+6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
+ - **Default Windows Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.
+ - **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
+ - **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
+ - **Zero tolerance blocking level** blocks all unknown executables.
+
+ > [!WARNING]
+ > While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection).
- > [!WARNING]
- > While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection).
-6. Click **OK**.
+7. Click **OK**.
-
-
-## Related topics
+## Related articles
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
index 787e3d4728..d123f26a35 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.reviewer:
manager: dansimp
---
@@ -34,7 +35,7 @@ For common error codes and event IDs related to the Windows Defender Antivirus s
There are three steps to troubleshooting these problems:
-1. Confirm that you have met all pre-requisites
+1. Confirm that you have met all prerequisites
2. Check your connectivity to the Windows Defender cloud-based service
3. Submit support logs
@@ -42,9 +43,9 @@ There are three steps to troubleshooting these problems:
>It typically takes 3 days for devices to start appearing in Update Compliance.
-## Confirm pre-requisites
+## Confirm prerequisites
-In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both the Update Compliance service and for Windows Defender Antivirus:
+In order for devices to properly show up in Update Compliance, you have to meet certain prerequisites for both the Update Compliance service and for Windows Defender Antivirus:
>[!div class="checklist"]
>- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](windows-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
@@ -55,7 +56,7 @@ In order for devices to properly show up in Update Compliance, you have to meet
“You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
-If the above pre-requisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
+If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
> [!div class="nextstepaction"]
> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data-update-compliance.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
index a371aaca96..8b02e56f61 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/11/2018
ms.reviewer:
manager: dansimp
@@ -46,7 +47,7 @@ You can directly view the event log, or if you have a third-party security infor
The table in this section lists the main Windows Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error.
-**To view a Windows Defender Antivirus event**
+## To view a Windows Defender Antivirus event
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**.
@@ -54,9 +55,6 @@ The table in this section lists the main Windows Defender Antivirus event IDs an
4. In the details pane, view the list of individual events to find your event.
5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
-
-
-
| Event ID: 1000 |
@@ -361,7 +359,7 @@ Message:
Description:
-For more information please see the following:
+For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -434,7 +432,7 @@ Message:
Description:
|
-Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
+Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information, see the following:
- User: <Domain>\<User>
- Name: <Threat name>
@@ -452,7 +450,7 @@ Windows Defender Antivirus has taken action to protect this machine from malware
- Quarantine: The resource was quarantined
- Remove: The resource was deleted
- Allow: The resource was allowed to execute/exist
-- User defined: User defined action which is normally one from this list of actions that the user has specified
+- User defined: User-defined action that is normally one from this list of actions that the user has specified
- No action: No action
- Block: The resource was blocked from executing
@@ -486,7 +484,7 @@ Message:
Description:
|
-Windows Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
+Windows Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information, see the following:
- User: <Domain>\<User>
- Name: <Threat name>
@@ -505,7 +503,7 @@ Windows Defender Antivirus has encountered an error when taking action on malwar
- Quarantine: The resource was quarantined
- Remove: The resource was deleted
- Allow: The resource was allowed to execute/exist
-- User defined: User defined action which is normally one from this list of actions that the user has specified
+- User defined: User-defined action that is normally one from this list of actions that the user has specified
- No action: No action
- Block: The resource was blocked from executing
@@ -545,7 +543,7 @@ Message:
Description:
|
-Windows Defender Antivirus has restored an item from quarantine. For more information please see the following:
+Windows Defender Antivirus has restored an item from quarantine. For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -589,7 +587,7 @@ Message:
Description:
|
-Windows Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information please see the following:
+Windows Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -636,7 +634,7 @@ Message:
Description:
|
-Windows Defender Antivirus has deleted an item from quarantine.
For more information please see the following:
+Windows Defender Antivirus has deleted an item from quarantine.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -680,7 +678,7 @@ Description:
|
Windows Defender Antivirus has encountered an error trying to delete an item from quarantine.
-For more information please see the following:
+For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -729,7 +727,7 @@ Description:
Windows Defender Antivirus has removed history of malware and other potentially unwanted software.
-- Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
+- Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
- User: <Domain>\<User>
|
@@ -760,7 +758,7 @@ Description:
Windows Defender Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
-- Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
+- Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
- User: <Domain>\<User>
- Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
@@ -793,7 +791,7 @@ Message:
Description:
|
-Windows Defender Antivirus has detected a suspicious behavior.
For more information please see the following:
+Windows Defender Antivirus has detected a suspicious behavior.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -870,7 +868,7 @@ Message:
Description:
|
-Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
+Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -951,7 +949,7 @@ Message:
Description:
|
-Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
For more information please see the following:
+Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -999,7 +997,7 @@ UAC
- Quarantine: The resource was quarantined
- Remove: The resource was deleted
- Allow: The resource was allowed to execute/exist
-- User defined: User defined action which is normally one from this list of actions that the user has specified
+- User defined: User-defined action that is normally one from this list of actions that the user has specified
- No action: No action
- Block: The resource was blocked from executing
@@ -1012,7 +1010,7 @@ Description of the error.
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version>
NOTE:
-Whenever Windows Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:
+Whenever Windows Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services that the malware might have changed:
- Default Internet Explorer or Microsoft Edge setting
- User Access Control settings
- Chrome settings
@@ -1078,7 +1076,7 @@ Message:
Description:
|
-Windows Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
+Windows Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -1126,7 +1124,7 @@ UAC
- Quarantine: The resource was quarantined
- Remove: The resource was deleted
- Allow: The resource was allowed to execute/exist
-- User defined: User defined action which is normally one from this list of actions that the user has specified
+- User defined: User-defined action that is normally one from this list of actions that the user has specified
- No action: No action
- Block: The resource was blocked from executing
@@ -1173,7 +1171,7 @@ Message:
Description:
|
-Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
+Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -1221,7 +1219,7 @@ UAC
- Quarantine: The resource was quarantined
- Remove: The resource was deleted
- Allow: The resource was allowed to execute/exist
-- User defined: User defined action which is normally one from this list of actions that the user has specified
+- User defined: User-defined action that is normally one from this list of actions that the user has specified
- No action: No action
- Block: The resource was blocked from executing
@@ -1323,7 +1321,7 @@ Windows Defender Antivirus client is up and running in a healthy state.
|
|
- Note This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
+Note: This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
|
@@ -2452,7 +2450,7 @@ Message:
Description:
|
-Windows Defender Antivirus configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
+Windows Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.
- Old value: <Old value number>
Old antivirus configuration value.
@@ -2893,7 +2891,7 @@ Run a full system scan.
This error indicates that an offline scan is required.
| | | Resolution |
-Run offline Windows Defender Antivirus. You can read about how to do this in the offline Windows Defender Antivirus article.
+Run offline Windows Defender Antivirus. You can read about how to do this in the offline Windows Defender Antivirus article.
|
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
index b7114cd1fd..84d8ca6968 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -26,22 +27,21 @@ You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).
In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy settings:
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
-4. Click **Administrative templates**.
+3. Click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus**.
-6. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
+5. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
-7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+6. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides links to the appropriate topic in this documentation library (where applicable).
-
-Location | Setting | Documented in topic
+Location | Setting | Article
---|---|---
Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
@@ -88,10 +88,10 @@ Reporting | Configure time out for detections requiring additional action | Not
Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly)
Root | Define addresses to bypass proxy server | Not used
-Root | Define proxy auto-config (.pac) for connecting to the network | Not used
+Root | Define proxy autoconfig (.pac) for connecting to the network | Not used
Root | Define proxy server for connecting to the network | Not used
Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Root | Allow antimalware service to startup with normal priority | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
+Root | Allow antimalware service to start up with normal priority | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
Root | Allow antimalware service to remain running always | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
Root | Turn off routine remediation | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
Root | Randomize scheduled task times | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
@@ -126,7 +126,7 @@ Scan | Specify the time of day to run a scheduled scan | [Configure scheduled sc
Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Security intelligence updates | Allow security intelligence updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Security intelligence updates | Allow security intelligence updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-Security intelligence updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Security intelligence updates | Allow notifications to disable definitions-based reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Define file shares for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
@@ -143,12 +143,8 @@ Threats | Specify threat alert levels at which default action should not be take
Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-
-
-
-
-
-## Related topics
+## Related articles
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
index 0a6c5dc31a..6ed604307a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -31,7 +32,7 @@ See the [Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use
For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-## Related topics
+## Related articles
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
index bd4a22592f..326511d75c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -38,7 +39,7 @@ You can [configure which settings can be overridden locally with local policy ov
PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
-**Use Windows Defender Antivirus PowerShell cmdlets:**
+## Use Windows Defender Antivirus PowerShell cmdlets
1. Click **Start**, type **powershell**, and press **Enter**.
2. Click **Windows PowerShell** to open the interface.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
index c0e86e1a2b..0e88dfd58b 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
index 5553e762b8..e1d2d9c8e9 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -9,10 +9,11 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
ms.reviewer:
manager: dansimp
+ms.custom: nextgen
---
# Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
@@ -21,7 +22,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Microsoft next-gen technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
+Microsoft next-generation technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 717e08d7d4..369ebfe876 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index 6327898e26..d1ec034818 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -14,6 +14,7 @@ ms.author: deniseb
ms.date: 10/14/2019
ms.reviewer:
manager: dansimp
+ms.custom: nextgen
---
# Next-generation protection in Windows 10 and Windows Server 2016
@@ -33,8 +34,7 @@ Next-generation protection includes services that use machine learning together
>- [Cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
>- Fast learning (including [block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md))
>- [Potentially unwanted application blocking](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-
-> [!NOTE]
+>
> For more information regarding what's new in each Windows version, please refer to [What's new in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp).
## Minimum system requirements
@@ -44,7 +44,7 @@ Windows Defender Antivirus is your main vehicle for next-generation protection,
- [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
- [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components)
-## Configuring Next-generation services
+## Configuring next-generation services
You can use the following to configure and manage next-generation services in Windows 10 while running Windows Defender Antivirus:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
index e106d82384..4187645c2e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -28,7 +29,7 @@ You can use Windows Defender Offline if you suspect a malware infection, or you
In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Security app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
-## Pre-requisites and requirements
+## prerequisites and requirements
Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
@@ -92,7 +93,7 @@ You can run a Windows Defender Offline scan with the following:
-**Use PowerShell cmdlets to run an offline scan:**
+### Use PowerShell cmdlets to run an offline scan
Use the following cmdlets:
@@ -102,7 +103,7 @@ Start-MpWDOScan
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to run an offline scan:**
+### Use Windows Management Instruction (WMI) to run an offline scan
Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class to run an offline scan.
@@ -116,7 +117,7 @@ See the following for more information:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-**Use the Windows Defender Security app to run an offline scan:**
+### Use the Windows Defender Security app to run an offline scan
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -135,7 +136,7 @@ See the following for more information:
Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](windows-defender-security-center-antivirus.md#detection-history).
-## Related topics
+## Related articles
- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index 6333dad0ae..5935c90319 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -40,7 +41,7 @@ See the [Windows Security topic](/windows/threat-protection/windows-defender-sec
>[!NOTE]
>The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
-**Review virus and threat protection settings in the Windows Security app:**
+## Review virus and threat protection settings in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -66,7 +67,6 @@ Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | De
4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Windows Defender Offline scan
5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option
-
## Common tasks
This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Security app.
@@ -75,7 +75,9 @@ This section describes how to perform some of the most common tasks when reviewi
> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured.
-**Run a scan with the Windows Security app**
+
+### Run a scan with the Windows Security app
+
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -85,7 +87,9 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan.
-**Review the security intelligence update version and download the latest updates in the Windows Security app**
+
+### Review the security intelligence update version and download the latest updates in the Windows Security app
+
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -97,8 +101,7 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **Check for updates** to download new protection updates (if there are any).
-
-**Ensure Windows Defender Antivirus is enabled in the Windows Security app**
+### Ensure Windows Defender Antivirus is enabled in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -114,7 +117,9 @@ This section describes how to perform some of the most common tasks when reviewi
-**Add exclusions for Windows Defender Antivirus in the Windows Security app**
+
+### Add exclusions for Windows Defender Antivirus in the Windows Security app
+
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -126,7 +131,8 @@ This section describes how to perform some of the most common tasks when reviewi
5. Click the plus icon to choose the type and set the options for each exclusion.
-**Review threat detection history in the Windows Defender Security Center app**
+
+### Review threat detection history in the Windows Defender Security Center app
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -136,7 +142,9 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
-**Set ransomware protection and recovery options**
+
+### Set ransomware protection and recovery options
+
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -147,8 +155,7 @@ This section describes how to perform some of the most common tasks when reviewi
5. To set up ransomware recovery options, click **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack.
-
-## Related topics
+## Related articles
- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
index 02767f2f29..7275492629 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -5,20 +5,23 @@
### Design and create your WDAC policy
#### [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md)
#### [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md)
-#### [Create an initial default policy](create-initial-default-policy.md)
-#### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
+##### [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md)
+##### [Authorize reputable apps with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
+#### [Example WDAC base policies](example-wdac-base-policies.md)
+#### [Use multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md)
+#### [Common WDAC deployment scenarios](types-of-devices.md)
+##### [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md)
+##### [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md)
+##### [Create a WDAC policy for fixed-workload devices](create-initial-default-policy.md)
+##### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md)
-### [Types of devices](types-of-devices.md)
### [Audit WDAC policies](audit-windows-defender-application-control-policies.md)
### [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
-### [Deploy multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md)
### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md)
### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md)
-### [Deploy WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md)
-### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
index 9f2f505f65..bf0bb97074 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
@@ -1,11 +1,8 @@
---
-title: Create a Windows Defender Application Control policy from a reference computer (Windows 10)
+title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows 10)
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -20,14 +17,15 @@ manager: dansimp
ms.date: 05/03/2018
---
-# Create a Windows Defender Application Control policy from a reference computer
+# Create a WDAC policy for fixed-workload devices using a reference computer
**Applies to:**
- Windows 10
-- Windows Server 2016
+- Windows Server 2016 and above
+
+This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc...
-This section outlines the process to create a WDAC policy with Windows PowerShell.
For this example, you must initiate variables to be used during the creation process or use the full file paths in the command.
Then create the WDAC policy by scanning the system for installed applications.
The policy file is converted to binary format when it gets created so that Windows can interpret it.
@@ -52,24 +50,24 @@ You can remove or disable such software on the reference computer.
To create a WDAC policy, copy each of the following commands into an elevated Windows PowerShell session, in order:
-1. Initialize variables that you will use. The following example commands use **InitialScan.xml** and **DeviceGuardPolicy.bin** for the names of the files that will be created:
+1. Initialize variables that you will use.
- `$CIPolicyPath=$env:userprofile+"\Desktop\"`
-
- `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
-
- `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
+ ```powershell
+ $PolicyPath=$env:userprofile+"\Desktop\"
+ $PolicyName="FixedWorkloadPolicy_Audit"
+ $WDACPolicy=$PolicyPath+$PolicyName+".xml"
+ $WDACPolicyBin=$PolicyPath+$PolicyName+".bin"
2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications:
```powershell
- New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt
+ New-CIPolicy -Level PcaCertificate -FilePath $WDACPolicy –UserPEs 3> CIPolicyLog.txt
```
> [!Note]
>
> - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
- >
+ > - You can add the **-MultiplePolicyFormat** parameter when creating policies which will be deployed to computers which are running Windows build 1903+. For more information about multiple policies, see [Deploy multiple Windows Defender Application Control policies](deploy-multiple-windows-defender-application-control-policies.md).
> - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md).
>
> - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned.
@@ -79,10 +77,10 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
```powershell
- ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
+ ConvertFrom-CIPolicy $WDACPolicy $WDACPolicyBin
```
-After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
+After you complete these steps, the WDAC binary file ($WDACPolicyBin) and original .xml file ($WDACPolicy) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
> [!NOTE]
> We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
new file mode 100644
index 0000000000..93758237b0
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -0,0 +1,168 @@
+---
+title: Create a WDAC policy for fully-managed devices (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+keywords: whitelisting, security, malware
+ms.topic: conceptual
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.date: 11/20/2019
+---
+
+# Create a WDAC policy for fully-managed devices
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016 and above
+
+This section outlines the process to create a WDAC policy for **fully-managed devices** within an organization. The key difference between this scenario and [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully-managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully-managed devices should ideally run as standard user and only authorized IT pros have administrative access.
+
+> [!NOTE]
+> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
+
+As described in [common WDAC deployment scenarios](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
+
+**Alice Pena** is the IT team lead tasked with the rollout of WDAC.
+
+Alice previously created a policy for the organization's lightly-managed devices. Some devices, however, are more tightly managed and can benefit from a more constrained policy. In particular, certain job functions such as administrative staff and task-workers are not granted administrator level access to their devices. Similarly, shared kiosks are configured only with a managed set of apps and all users of the device except IT run as standard user. On these devices, all apps are deployed and installed by IT.
+
+## Define the "circle-of-trust" for fully-managed devices
+
+Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully-managed devices:
+
+- All clients are running Windows 10 version 1903 or above;
+- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
+
+> [!NOTE]
+> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM)
+
+- Most, but not all, apps are deployed using MEMCM;
+- Sometimes, IT staff install apps directly to these devices without using MEMCM;
+- All users except IT are standard users on these devices.
+
+Alice's team develops a simple console application, called *LamnaITInstaller.exe*, which will become the authorized way for IT staff to install apps directly to devices. *LamnaITInstaller.exe* allows the IT pro to launch another process, such as an app installer. Alice will configure *LamnaITInstaller.exe* as an additional managed installer for WDAC and allows her to remove the need for filepath rules.
+
+Based on the above, Alice defines the pseudo-rules for the policy:
+
+1. **“Windows works”** rules which authorizes:
+ - Windows
+ - WHQL (3rd party kernel drivers)
+ - Windows Store signed apps
+
+2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function
+3. **Allow Managed Installer** (MEMCM and *LamnaITInstaller.exe* configured as a managed installer)
+
+The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are:
+
+- Removal of the Intelligent Security Graph (ISG) option; and
+- Removal of filepath rules.
+
+## Create a custom base policy using an example WDAC base policy
+
+Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's fully-managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs.
+
+Alice follows these steps to complete this task:
+
+> [!NOTE]
+> If you do not use MEMCM or prefer to use a different [example WDAC base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy.
+
+1. [Use MEMCM to create and deploy an audit policy](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above.
+
+2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
+
+ ```powershell
+ $PolicyName= "Lamna_FullyManagedClients_Audit"
+ $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
+ $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
+ ```
+
+3. Copy the policy created by MEMCM to the desktop:
+
+ ```powershell
+ cp $MEMCMPolicy $LamnaPolicy
+ ```
+
+4. Give the new policy a unique ID, descriptive name, and initial version number:
+
+ ```powershell
+ Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
+ Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
+ ```
+
+5. Modify the copied policy to set policy rules:
+
+ ```powershell
+ Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
+ Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy
+ Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu
+ Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
+ Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
+ Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot
+ Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental
+ Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
+ ```
+
+6. If appropriate, add additional signer or file rules to further customize the policy for your organization.
+
+7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
+
+ > [!NOTE]
+ > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
+
+ ```powershell
+ $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
+ ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
+ ```
+
+8. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
+
+At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
+
+## Security considerations of this fully-managed policy
+
+Alice has defined a policy for Lamna's fully-managed devices that makes some trade-offs between security and manageability for apps. Some of the trade-offs include:
+
+- **Users with administrative access**
+ Although applying to fewer users, Lamna still allows some IT staff to log in to its fully-managed devices as administrator. This allows these admin users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+
+ Possible mitigations:
+ - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
+ - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
+ - Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
+- **Unsigned policies**
+ Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
+
+ Existing mitigations applied:
+ - Limit who can elevate to administrator on the device.
+
+ Possible mitigations:
+ - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
+- **Managed installer**
+ See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer)
+
+ Existing mitigations applied:
+ - Limit who can elevate to administrator on the device.
+
+ Possible mitigations:
+ - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
+- **Supplemental policies**
+ Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
+
+ Possible mitigations:
+ - Use signed WDAC policies which allow authorized signed supplemental policies only.
+ - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
+
+## Up next
+
+- [Create a WDAC policy for fixed-workload devices using a reference computer](create-initial-default-policy.md)
+- [Prepare to deploy WDAC policies](windows-defender-application-control-deployment-guide.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
new file mode 100644
index 0000000000..6fc44116aa
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -0,0 +1,184 @@
+---
+title: Create a WDAC policy for lightly-managed devices (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+keywords: whitelisting, security, malware
+ms.topic: conceptual
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.date: 11/15/2019
+---
+
+# Create a WDAC policy for lightly-managed devices
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016 and above
+
+This section outlines the process to create a WDAC policy for **lightly-managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC managed devices as described in later topics.
+
+> [!NOTE]
+> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
+
+As in the [previous topic](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
+
+**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with very loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she will need to take an incremental approach to application control and use different policies for different workloads.
+
+For the majority of users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value.
+
+## Define the "circle-of-trust" for lightly-managed devices
+
+Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly-managed devices, which currently includes most end-user devices:
+
+- All clients are running Windows 10 version 1903 or above;
+- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
+
+> [!NOTE]
+> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM)
+
+- Some, but not all, apps are deployed using MEMCM;
+- Most users are local administrators on their devices;
+- Some teams may need additional rules to authorize specific apps that don't apply generally to all other users.
+
+Based on the above, Alice defines the pseudo-rules for the policy:
+
+1. **“Windows works”** rules which authorizes:
+ - Windows
+ - WHQL (3rd party kernel drivers)
+ - Windows Store signed apps
+
+2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function
+3. **Allow Managed Installer** (MEMCM configured as a managed installer)
+4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
+5. **Admin-only path rules** for the following locations:
+ - C:\Program Files\*
+ - C:\Program Files (x86)\*
+ - %windir%\*
+
+## Create a custom base policy using an example WDAC base policy
+
+Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly-managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs.
+
+Alice follows these steps to complete this task:
+
+> [!NOTE]
+> If you do not use MEMCM or prefer to use a different [example WDAC base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy.
+
+1. [Use MEMCM to create and deploy an audit policy](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above.
+
+2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
+
+ ```powershell
+ $PolicyName= "Lamna_LightlyManagedClients_Audit"
+ $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
+ $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
+ ```
+
+3. Copy the policy created by MEMCM to the desktop:
+
+ ```powershell
+ cp $MEMCMPolicy $LamnaPolicy
+ ```
+
+4. Give the new policy a unique ID, descriptive name, and initial version number:
+
+ ```powershell
+ Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
+ Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
+ ```
+
+5. Modify the copied policy to set policy rules:
+
+ ```powershell
+ Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
+ Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy
+ Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu
+ Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
+ Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
+ Set-RuleOption -FilePath $LamnaPolicy -Option 14 # ISG
+ Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot
+ Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental
+ Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
+ ```
+
+6. Add rules to allow windir and Program Files directories:
+
+ ```powershell
+ $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
+ $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
+ $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
+ Merge-CIPolicy -OutputFilePath = $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
+ ```
+
+7. If appropriate, add additional signer or file rules to further customize the policy for your organization.
+
+8. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
+
+ > [!NOTE]
+ > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
+
+ ```powershell
+ $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
+ ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
+ ```
+
+9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
+
+At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
+
+## Security considerations of this lightly-managed policy
+
+In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include:
+
+- **Users with administrative access**
+ By far the most impactful security trade-off, this allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+
+ Possible mitigations:
+ - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
+ - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
+ - Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
+- **Unsigned policies**
+ Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
+
+ Possible mitigations:
+ - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
+ - Limit who can elevate to administrator on the device.
+- **Managed installer**
+ See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer)
+
+ Possible mitigations:
+ - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
+ - Limit who can elevate to administrator on the device.
+- **Intelligent Security Graph (ISG)**
+ See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph)
+
+ Possible mitigations:
+ - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature based rules.
+ - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
+- **Supplemental policies**
+ Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
+
+ Possible mitigations:
+ - Use signed WDAC policies which allow authorized signed supplemental policies only.
+ - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
+- **FilePath rules**
+ See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
+
+ Possible mitigations:
+ - Limit who can elevate to administrator on the device.
+ - Migrate from filepath rules to managed installer or signature-based rules.
+
+## Up next
+
+- [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md)
+- [Prepare to deploy WDAC policies](windows-defender-application-control-deployment-guide.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index d70793409e..13547435c1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -1,5 +1,5 @@
---
-title: Deploy multiple Windows Defender Application Control Policies (Windows 10)
+title: Use multiple Windows Defender Application Control Policies (Windows 10)
description: Windows Defender Application Control supports multiple code integrity policies for one device.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -17,7 +17,7 @@ manager: dansimp
ms.date: 05/17/2019
---
-# Deploy multiple Windows Defender Application Control Policies
+# Use multiple Windows Defender Application Control Policies
**Applies to:**
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
new file mode 100644
index 0000000000..e51e5b06af
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -0,0 +1,39 @@
+---
+title: Example WDAC base policies (Windows 10)
+description: When creating a WDAC policy for an organization, start from one of the many available example base policies.
+keywords: whitelisting, security, malware
+ms.topic: article
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.date: 11/15/2019
+---
+
+# Windows Defender Application Control example base policies
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 and above
+
+When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start from an existing base policy and then add or remove rules to build your own custom policy XML files. Windows includes several example policies which can be used, or organizations which use the Device Guard Signing Service can download a starter policy from that service.
+
+## Example Base Policies
+
+| **Example Base Policy** | **Description** | **Where it can be found** |
+|----------------------------|---------------------------------------------------------------|--------|
+| **DefaultWindows.xml** | This example policy is available in either audit or enforce mode. It includes the rules necessary to ensure that Windows, 3rd party hardware and software kernel drivers, and Windows Store apps will run. Used as the basis for all [Microsoft Endpoint Manager(MEM)](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **AllowAll.xml** | This example policy is useful when creating a block list policy. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://docs.microsoft.com/windows/security/threat-protection/device-guard/memory-integrity) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **DenyAllAudit.xml** | This example policy should only be deployed in audit mode and can be used to audit all binaries running on critical systems or to comply with regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [DGSS in the Microsoft Store for Business](https://businessstore.microsoft.com/manage/settings/devices) |
+| **MEM Configuration Manager** | Customers who use MEM Configuration Manager (MEMCM), formerly known as System Center Configuration Manager, can deploy a policy to a device using MEMCM's built-in integration with WDAC and then copy the resulting policy XML to use as a custom base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 6e77768954..4a8db44a9f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -54,7 +54,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. |
| **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the WDAC policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To begin enforcing a WDAC policy, delete this option. |
| **4 Disabled:Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. |
-| **5 Enabled:Inherit Default Policy** | This option is not currently supported. |
+| **5 Enabled:Inherit Default Policy** | This option is reserved for future use. |
| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. |
| **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
index 6a955009ea..d6e8fa89a5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
@@ -1,5 +1,5 @@
---
-title: Types of devices (Windows 10)
+title: Common WDAC deployment scenarios (Windows 10)
description: Typically, deployment of Windows Defender Application Control happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -21,21 +21,32 @@ ms.date: 03/01/2018
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows Server 2016 and above
-Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization.
+Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is very common for organizations to have device use cases across each of the categories described.
+
+## Types of devices
| **Type of device** | **How WDAC relates to this type of device** |
|------------------------------------|------------------------------------------------------|
-| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. |
-| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
WDAC policies are supported by the HVCI service. |
| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | WDAC can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. |
-| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. |
+| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
WDAC policies are supported by the HVCI service. |
+| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. |
+| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a block-list only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. |
+## An introduction to Lamna Healthcare Company
-## Related topics
+In the next set of topics, we will explore each of the above scenarios using a fictional organization called Lamna Healthcare Company.
-- [Windows Defender Application Control Design Guide](windows-defender-application-control-design-guide.md)
-- [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md)
+Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff.
+Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (MDATP) for better endpoint detection and response.
+> [!NOTE]
+> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM)
+
+Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized a number of new security IT responses, including tightening policies for application use and introducing application control.
+
+## Up next
+
+- [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 62085ad482..18194e489d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -1,5 +1,5 @@
---
-title: Deploy Windows Defender Application Control with Intelligent Security Graph (ISG) (Windows 10)
+title: Authorize reputable apps with the Intelligent Security Graph (ISG) (Windows 10)
description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -17,12 +17,12 @@ manager: dansimp
ms.date: 06/14/2018
---
-# Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph
+# Authorize reputable apps with the Intelligent Security Graph (ISG)
**Applies to:**
- Windows 10
-- Windows Server 2016
+- Windows Server 2016 and above
Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system.
In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task.
@@ -89,7 +89,7 @@ appidtel start
For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the SCCM WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through SCCM then this step is required.
-## Security considerations with using the Intelligent Security Graph
+## Security considerations with the Intelligent Security Graph
Since the ISG is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Windows Defender Advanced Threat Protection to help provide optics into what users are doing.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
index aac3df82fc..e22de90c86 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
@@ -1,5 +1,5 @@
---
-title: Deploy Managed Installer for Windows Defender Device Guard (Windows 10)
+title: Authorize apps deployed with a WDAC managed installer (Windows 10)
description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -17,12 +17,12 @@ manager: dansimp
ms.date: 06/13/2018
---
-# Deploy Managed Installer for Windows Defender Application Control
+# Authorize apps deployed with a WDAC managed installer
**Applies to:**
- Windows 10
-- Windows Server 2016
+- Windows Server 2016 and above
Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC).
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
index 605383ec22..36a49771c4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
@@ -41,8 +41,8 @@ Once these business factors are in place, you are ready to begin planning your W
| Topic | Description |
| - | - |
-| [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
-| [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. |
| [Plan for WDAC policy management](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
+| [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
+| [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. |
After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
index 63342cb030..aa8c80886a 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
@@ -44,7 +44,7 @@ Application Guard has been created to target several types of systems:
|Article |Description |
|------|------------|
-|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard.|
+|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
|