Merge branch 'master' into tvm-updates

2025-06-23 14:23:38 +00:00 · 2020-07-10 13:26:38 -07:00
parent 3e72f56509 53df2924f3
commit 05b914549d
48 changed files with 949 additions and 365 deletions
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ b/windows/security/identity-protection/access-control/active-directory-accounts.md
@ -169,7 +169,7 @@ When Active Directory is installed on the first domain controller in the domain,
 ## <a href="" id="sec-guest"></a>Guest account


-The Guest account is a default local account has limited access to the computer and is disabled by default. The Guest account cannot be deleted or disabled, and the account name cannot be changed. By default, the Guest account password is left blank. A blank password allows the Guest account to be accessed without requiring the user to enter a password.
+The Guest account is a default local account that has limited access to the computer and is disabled by default. By default, the Guest account password is left blank. A blank password allows the Guest account to be accessed without requiring the user to enter a password.

 The Guest account enables occasional or one-time users, who do not have an individual account on the computer, to sign in to the local server or domain with restricted rights and permissions. The Guest account can be enabled, and the password can be set up if needed, but only by a member of the Administrator group on the domain.

--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@ -26,13 +26,16 @@ ms.reviewer:
 Enterprise certificate pinning is a Windows feature for remembering, or “pinning,” a root issuing certificate authority or end entity certificate to a given domain name. 
 Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates.

->[!NOTE]
+> [!NOTE]
 > External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning.

 Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the site’s server authentication certificate chain matches a restricted set of certificates. 
 These restrictions are encapsulated in a Pin Rules Certificate Trust List (CTL) that is configured and deployed to Windows 10 computers. 
 Any site certificate triggering a name mismatch causes Windows to write an event to the CAPI2 event log and prevents the user from navigating to the web site using Microsoft Edge or Internet Explorer.

+> [!NOTE]
+> Enterprise Certificate Pinning feature triggering doesn't cause clients other than Microsoft Edge or Internet Explorer to block the connection.
+
 ## Deployment

 To deploy enterprise certificate pinning, you need to:
--- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
@ -31,6 +31,9 @@ In a mobile-first, cloud-first world, Azure Active Directory enables single sign

 To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access.

+> [!NOTE]
+> For more details about the way Windows Hello for Business interacts with Azure Multi Factor Authentication and Conditional Access, see [this article](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032).
+
 Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access.  Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access.

 ## Related topics
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -570,6 +570,7 @@
 ###### [Vulnerability]()
 ####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
 ####### [List vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
+####### [List vulnerabilities by Machine and Software](microsoft-defender-atp/get-all-vulnerabilities-by-machines.md)
 ####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md)
 ####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md)

--- a/windows/security/threat-protection/intelligence/developer-faq.md
+++ b/windows/security/threat-protection/intelligence/developer-faq.md
@ -47,4 +47,4 @@ This is not related to Microsoft Defender Antivirus and other Microsoft antimalw

 ## Why does the Windows Defender SmartScreen say my program is not commonly downloaded?

-This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.
+This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more from the [SmartScreen website.](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 06/25/2020
+ms.date: 07/08/2020
 ms.reviewer: 
 manager: dansimp
 ---
@ -47,13 +47,15 @@ See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defend

 After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.

-Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.
+Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. 
+
+The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.


 | **Service**| **Description** |**URL** |
 | :--: | :-- | :-- |
 | Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` <br/> `*.wdcpalt.microsoft.com` <br/> `*.wd.microsoft.com`|
-| Microsoft Update Service (MU) <br/> Windows Update Service (WU)|	Security intelligence and product updates	|`*.update.microsoft.com` <br/> `*.delivery.mp.microsoft.com`<br/> `*.windowsupdate.com` <br/> for details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)|
+| Microsoft Update Service (MU) <br/> Windows Update Service (WU)|	Security intelligence and product updates	|`*.update.microsoft.com` <br/> `*.delivery.mp.microsoft.com`<br/> `*.windowsupdate.com` <br/><br/> For details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)|
 |Security intelligence updates Alternate Download Location (ADL)|	Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)|	`*.download.microsoft.com`  </br> `*.download.windowsupdate.com`</br> `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|
 | Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission	| `ussus1eastprod.blob.core.windows.net` <br/>    `ussus1westprod.blob.core.windows.net` <br/>    `usseu1northprod.blob.core.windows.net` <br/>    `usseu1westprod.blob.core.windows.net` <br/>    `ussuk1southprod.blob.core.windows.net` <br/>    `ussuk1westprod.blob.core.windows.net` <br/>    `ussas1eastprod.blob.core.windows.net` <br/>    `ussas1southeastprod.blob.core.windows.net` <br/>    `ussau1eastprod.blob.core.windows.net` <br/>    `ussau1southeastprod.blob.core.windows.net` |
 | Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL	| `https://www.microsoft.com/pkiops/crl/` <br/> `https://www.microsoft.com/pkiops/certs` <br/>   `https://crl.microsoft.com/pki/crl/products` <br/> `https://www.microsoft.com/pki/certs` |
--- a/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-history-wdsc.png
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-history-wdsc.png
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@ -58,6 +58,28 @@ All our updates contain:
 * serviceability improvements
 * integration improvements (Cloud, MTP)  
 <br/>
+<details>
+<summary> June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2)</summary>
+
+&ensp;Security intelligence update version: **1.319.20.0**  
+&ensp;Released: **June 22, 2020**  
+&ensp;Platform: **4.18.2006.10**  
+&ensp;Engine: **1.1.17200.2**  
+&ensp;Support phase: **Security and Critical Updates**
+    
+### What's new
+* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
+* Skipping aggressive catchup scan in Passive mode.
+* Allow Defender to update on metered connections
+* Fixed performance tuning when caching is disabled 
+* Fixed registry query 
+* Fixed scantime randomization in ADMX
+
+### Known Issues
+No known issues  
+<br/>
+</details>
+
 <details>
 <summary> May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)</summary>

--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@ -102,19 +102,21 @@ See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/

 ## Enable access to Microsoft Defender ATP service URLs in the proxy server

-If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed below to the allowed domains list.
+If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.
+
+
+
+|**Item**|**Description**|
+|:-----|:-----|
+|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)<br/> [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)  | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS. 
+
+
 If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning.

 > [!NOTE]
 > settings-win.data.microsoft.com is only needed if you have Windows 10 devices running version 1803 or earlier.<br>
 > URLs that include v20 in them are only needed if you have Windows 10 devices running version 1803 or later. For example, ```us-v20.events.data.microsoft.com``` is needed for a Windows 10 device running version 1803 or later and onboarded to US Data Storage region.

- Service location | Microsoft.com DNS record
-|-
-Common URLs for all locations | ```crl.microsoft.com/pki/crl/*```<br> ```ctldl.windowsupdate.com``` <br>```www.microsoft.com/pkiops/*```<br>```events.data.microsoft.com```<br>```notify.windows.com```<br> ```settings-win.data.microsoft.com```
-European Union | ```eu.vortex-win.data.microsoft.com``` <br> ```eu-v20.events.data.microsoft.com``` <br> ```usseu1northprod.blob.core.windows.net```  <br>```usseu1westprod.blob.core.windows.net``` <br> ```winatp-gw-neu.microsoft.com``` <br> ```winatp-gw-weu.microsoft.com``` <br>```wseu1northprod.blob.core.windows.net``` <br>```wseu1westprod.blob.core.windows.net``` <br>```automatedirstrprdweu.blob.core.windows.net``` <br>```automatedirstrprdneu.blob.core.windows.net```
-United Kingdom | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.data.microsoft.com``` <br>```ussuk1southprod.blob.core.windows.net``` <br>```ussuk1westprod.blob.core.windows.net``` <br>```winatp-gw-uks.microsoft.com``` <br>```winatp-gw-ukw.microsoft.com``` <br>```wsuk1southprod.blob.core.windows.net``` <br>```wsuk1westprod.blob.core.windows.net``` <br>```automatedirstrprduks.blob.core.windows.net``` <br>```automatedirstrprdukw.blob.core.windows.net```  
-United States | ```us.vortex-win.data.microsoft.com``` <br> ```ussus1eastprod.blob.core.windows.net``` <br> ```ussus1westprod.blob.core.windows.net``` <br> ```ussus2eastprod.blob.core.windows.net``` <br> ```ussus2westprod.blob.core.windows.net``` <br> ```ussus3eastprod.blob.core.windows.net``` <br> ```ussus3westprod.blob.core.windows.net``` <br> ```ussus4eastprod.blob.core.windows.net``` <br> ```ussus4westprod.blob.core.windows.net``` <br> ```us-v20.events.data.microsoft.com``` <br> ```winatp-gw-cus.microsoft.com``` <br> ```winatp-gw-eus.microsoft.com``` <br> ```wsus1eastprod.blob.core.windows.net``` <br> ```wsus1westprod.blob.core.windows.net``` <br> ```wsus2eastprod.blob.core.windows.net``` <br> ```wsus2westprod.blob.core.windows.net``` <br> ```automatedirstrprdcus.blob.core.windows.net``` <br> ```automatedirstrprdeus.blob.core.windows.net```

 > [!NOTE]
 > If you are using Microsoft Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Microsoft Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus
--- a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx
+++ b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
@ -0,0 +1,104 @@
+---
+title: Get all vulnerabilities by Machine and Software
+description: Retrieves a list of all the vulnerabilities affecting the organization by Machine and Software
+keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# List vulnerabilities by Machine and Software
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Retrieves a list of all the vulnerabilities affecting the organization per [Machine](machine.md) and [Software](software.md).
+<br>If the vulnerability has a fixing KB, it will appear in the response.
+<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
+<br>The OData ```$filter``` is supported on all properties.
+
+>[!Tip]
+>This is great API for [Power BI integration](api-power-bi.md).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Vulnerability.Read.All |	'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read |	'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities/machinesVulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of vulnerabilities in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/vulnerabilities/machinesVulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+    "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicAssetVulnerabilityDto)",
+    "value": [
+        {
+            "id": "5afa3afc92a7c63d4b70129e0a6f33f63a427e21-_-CVE-2020-6494-_-microsoft-_-edge_chromium-based-_-81.0.416.77-_-",
+            "cveId": "CVE-2020-6494",
+            "machineId": "5afa3afc92a7c63d4b70129e0a6f33f63a427e21",
+            "fixingKbId": null,
+            "productName": "edge_chromium-based",
+            "productVendor": "microsoft",
+            "productVersion": "81.0.416.77",
+            "severity": "Low"
+        },
+        {
+            "id": "7a704e17d1c2977c0e7b665fb18ae6e1fe7f3283-_-CVE-2016-3348-_-microsoft-_-windows_server_2012_r2-_-6.3.9600.19728-_-3185911",
+            "cveId": "CVE-2016-3348",
+            "machineId": "7a704e17d1c2977c0e7b665fb18ae6e1fe7f3283",
+            "fixingKbId": "3185911",
+            "productName": "windows_server_2012_r2",
+            "productVendor": "microsoft",
+            "productVersion": "6.3.9600.19728",
+            "severity": "Low"
+        },
+		...
+    ]
+
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
--- a/windows/security/threat-protection/microsoft-defender-atp/images/mac-approved-system-extensions.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/mac-approved-system-extensions.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune2.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune2.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-privacy.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-privacy.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-urls.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-urls.png
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
@ -33,7 +33,7 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet

 ## Prerequisites and system requirements

-Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
+ For a description of prerequisites and system requirements for the current software version, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md).

 In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Please refer to the [Puppet documentation](https://puppet.com/docs) for details.

@ -205,7 +205,7 @@ If the product is not healthy, the exit code (which can be checked through `echo

 ## Log installation issues

-See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
+ For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Log installation issues](linux-resources.md#log-installation-issues).

 ## Operating system upgrades

--- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
@ -86,10 +86,10 @@ The following table lists commands for some of the most common scenarios. Run `m
 |Configuration         |Turn on/off product diagnostics                         |`mdatp config cloud-diagnostic --value [enabled|disabled]`             |
 |Configuration         |Turn on/off automatic sample submission                 |`mdatp config cloud-automatic-sample-submission [enabled|disabled]`    |
 |Configuration         |Turn on/off AV passive mode                             |`mdatp config passive-mode [enabled|disabled]`                         |
-|Configuration         |Add/remove an antivirus exclusion for a file extension  |`mdatp exclusion extension [add|remove] --name <extension>`            |
-|Configuration         |Add/remove an antivirus exclusion for a file            |`mdatp exclusion file [add|remove] --path <path-to-file>`              |
-|Configuration         |Add/remove an antivirus exclusion for a directory       |`mdatp exclusion folder [add|remove] --path <path-to-directory>`       |
-|Configuration         |Add/remove an antivirus exclusion for a process         |`mdatp exclusion process [add|remove] --path <path-to-process>`<br/>`mdatp exclusion process [add|remove] --name <process-name>`   |
+|Configuration         |Add/remove an antivirus exclusion for a file extension  |`mdatp exclusion extension [add|remove] --name [extension]`            |
+|Configuration         |Add/remove an antivirus exclusion for a file            |`mdatp exclusion file [add|remove] --path [path-to-file]`              |
+|Configuration         |Add/remove an antivirus exclusion for a directory       |`mdatp exclusion folder [add|remove] --path [path-to-directory]`       |
+|Configuration         |Add/remove an antivirus exclusion for a process         |`mdatp exclusion process [add|remove] --path [path-to-process]`<br/>`mdatp exclusion process [add|remove] --name [process-name]`   |
 |Configuration         |List all antivirus exclusions                           |`mdatp exclusion list`                                                 |
 |Configuration         |Turn on PUA protection                                  |`mdatp threat policy set --type potentially_unwanted_application --action block` |
 |Configuration         |Turn off PUA protection                                 |`mdatp threat policy set --type potentially_unwanted_application --action off` |
@ -103,12 +103,12 @@ The following table lists commands for some of the most common scenarios. Run `m
 |Protection            |Cancel an ongoing on-demand scan                        |`mdatp scan cancel`                                                    |
 |Protection            |Request a security intelligence update                  |`mdatp definitions update`                                             |
 |Protection history    |Print the full protection history                       |`mdatp threat list`                                                    |
-|Protection history    |Get threat details                                      |`mdatp threat get --id <threat-id>`                                    |
+|Protection history    |Get threat details                                      |`mdatp threat get --id [threat-id]`                                    |
 |Quarantine management |List all quarantined files                              |`mdatp threat quarantine list`                                         |
 |Quarantine management |Remove all files from the quarantine                    |`mdatp threat quarantine remove-all`                                   |
-|Quarantine management |Add a file detected as a threat to the quarantine       |`mdatp threat quarantine add --id <threat-id>`                         |
-|Quarantine management |Remove a file detected as a threat from the quarantine  |`mdatp threat quarantine add --id <threat-id>`                         |
-|Quarantine management |Restore a file from the quarantine                      |`mdatp threat quarantine add --id <threat-id>`                         |
+|Quarantine management |Add a file detected as a threat to the quarantine       |`mdatp threat quarantine add --id [threat-id]`                         |
+|Quarantine management |Remove a file detected as a threat from the quarantine  |`mdatp threat quarantine add --id [threat-id]`                         |
+|Quarantine management |Restore a file from the quarantine                      |`mdatp threat quarantine add --id [threat-id]`                         |

 ## Microsoft Defender ATP portal information

--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
@ -44,7 +44,7 @@ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https:

 The output from this command should be similar to:

-```
+```bash
 OK https://x.cp.wd.microsoft.com/api/report
 OK https://cdn.x.cp.wd.microsoft.com/ping
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
@ -27,23 +27,26 @@ ms.topic: conceptual
 ## Verify if installation succeeded

 An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, one can obtain and check the installation logs using:
-```bash
-$ sudo journalctl | grep 'microsoft-mdatp'  > installation.log
-$ grep 'postinstall end' installation.log

-microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
-```
+ ```bash
+ $ sudo journalctl | grep 'microsoft-mdatp'  > installation.log
+ $ grep 'postinstall end' installation.log
+
+ microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
+ ```
+
 An output from the previous command with correct date and time of installation indicates success.

 Also check the [Client configuration](linux-install-manually.md#client-configuration) to verify the health of the product and detect the EICAR text file.

 ## Installation failed

-Check if the mdatp service is running
-```bash
-$ systemctl status mdatp
+Check if the mdatp service is running:

-● mdatp.service - Microsoft Defender ATP
+```bash
+ $ systemctl status mdatp
+
+ ● mdatp.service - Microsoft Defender ATP
   Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago
 Main PID: 1966 (wdavdaemon)
@ -52,71 +55,71 @@ $ systemctl status mdatp
           ├─1966 /opt/microsoft/mdatp/sbin/wdavdaemon
           ├─1967 /opt/microsoft/mdatp/sbin/wdavdaemon
           └─1968 /opt/microsoft/mdatp/sbin/wdavdaemon
-```
+ ```

 ## Steps to troubleshoot if mdatp service isn't running

-1. Check if “mdatp” user exists:
-```bash
-$ id “mdatp”
-```
-If there’s no output, run
-```bash
-$ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
-```
+1. Check if "mdatp" user exists:
+    ```bash
+    $ id "mdatp"
+    ```
+    If there’s no output, run
+    ```bash
+    $ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
+    ```

 2. Try enabling and restarting the service using:
-```bash
-$ sudo systemctl enable mdatp
-$ sudo systemctl restart mdatp
-```
+    ```bash
+    $ sudo systemctl enable mdatp
+    $ sudo systemctl restart mdatp
+    ```

 3. If mdatp.service isn't found upon running the previous command, run
-```bash
-$ sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path>
+    ```bash
+    $ sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path>

-where <systemd_path> is
-/lib/systemd/system for Ubuntu and Debian distributions
-/usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES
-```
-and then rerun step 2.
+    where <systemd_path> is
+    /lib/systemd/system for Ubuntu and Debian distributions
+    /usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES
+    ```
+    and then rerun step 2.

 4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
 Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot.

 5. Ensure that the daemon has executable permission.
-```bash
-$ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
+    ```bash
+    $ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon

-rwxr-xr-x 2 root root 15502160 Mar  3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon
-```
-If the daemon doesn't have executable permissions, make it executable using:
-```bash
-$ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
-```
-and retry running step 2.
+    -rwxr-xr-x 2 root root 15502160 Mar  3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon
+    ```
+    If the daemon doesn't have executable permissions, make it executable using:
+    ```bash
+    $ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
+    ```
+    and retry running step 2.

-6. Ensure that the file system containing wdavdaemon isn't mounted with “noexec”.
+6. Ensure that the file system containing wdavdaemon isn't mounted with "noexec".

 ## If mdatp service is running, but EICAR text file detection doesn't work

 1. Check the file system type using:
-```bash
-$ findmnt -T <path_of_EICAR_file>
-```
-Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned.
+    ```bash
+    $ findmnt -T <path_of_EICAR_file>
+    ```
+    Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned.

 ## Command-line tool “mdatp” isn't working

 1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command:
-```bash
-$  sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
-```
-and try again.
+    ```bash
+    $  sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
+    ```
+    and try again.

-If none of the above steps help, collect the diagnostic logs:
-```bash
-$ sudo mdatp diagnostic create
-Diagnostic file created: <path to file>
-```
-Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.
+    If none of the above steps help, collect the diagnostic logs:
+    ```bash
+    $ sudo mdatp diagnostic create
+    Diagnostic file created: <path to file>
+    ```
+    Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
@ -81,4 +81,4 @@ The following steps can be used to troubleshoot and mitigate these issues:

 4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.

-    See [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md) for details.
+    For more details, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
@ -27,7 +27,7 @@ ms.topic: conceptual
 ## 101.00.75

 - Added support for the following file system types: `ecryptfs`, `fuse`, `fuseblk`, `jfs`, `nfs`, `overlay`, `ramfs`, `reiserfs`, `udf`, and `vfat`
- New syntax for the command-line tool. For more information, see [this page](linux-resources.md#configure-from-the-command-line).
+- New syntax for the [command-line tool](linux-resources.md#configure-from-the-command-line).
 - Performance improvements & bug fixes

 ## 100.90.70
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md
@ -0,0 +1,281 @@
+---
+title: New configuration profiles for macOS Catalina and newer versions of macOS
+description: This topic describes the changes that are must be made in order to benefit from the system extensions, which are a replacement for kernel extensions on macOS Catalina and newer versions of macOS.
+keywords: microsoft, defender, atp, mac, kernel, system, extensions, catalina
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: security
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+ROBOTS: noindex,nofollow
+---
+
+# New configuration profiles for macOS Catalina and newer versions of macOS
+
+In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS.
+
+If you have deployed Microsoft Defender ATP for Mac in a managed environment (through JAMF, Intune, or another MDM solution), you must deploy new configuration profiles. Failure to do these steps will result in users getting approval prompts to run these new components.
+
+## JAMF
+
+### System Extensions Policy
+
+To approve the system extensions, create the following payload:
+
+1. In **Computers > Configuration Profiles** select **Options > System Extensions**.
+2. Select **Allowed System Extensions** from the **System Extension Types** drop-down list.
+3. Use **UBF8T346G9** for Team Id.
+4. Add the following bundle identifiers to the **Allowed System Extensions** list:
+
+    - **com.microsoft.wdav.epsext**
+    - **com.microsoft.wdav.netext**
+
+    ![Approved system extensions screenshot](images/mac-approved-system-extensions.png)
+
+### Privacy Preferences Policy Control
+
+Add the following JAMF payload to grant Full Disk Access to the Microsoft Defender ATP Endpoint Security Extension. This policy is a pre-requisite for running the extension on your device.
+
+1. Select **Options** > **Privacy Preferences Policy Control**.
+2. Use `com.microsoft.wdav.epsext` as the **Identifier** and `Bundle ID` as **Bundle type**.
+3. Set Code Requirement to `identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`
+4. Set **App or service** to **SystemPolicyAllFiles** and access to **Allow**.
+
+    ![Privacy Preferences Policy Control](images/mac-system-extension-privacy.png)
+
+### Web Content Filtering Policy
+
+A web content filtering policy is needed to run the network extension. Add the following web content filtering policy:
+
+>[!NOTE]
+>JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
+>As such, the following steps provide a workaround that involve signing the web content filtering configuration profile.
+
+1. Save the following content to your device as `com.apple.webcontent-filter.mobileconfig`
+
+    ```xml
+    <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+    <plist version="1">
+        <dict>
+            <key>PayloadUUID</key>
+            <string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string>
+            <key>PayloadType</key>
+            <string>Configuration</string>
+            <key>PayloadOrganization</key>
+            <string>Microsoft Corporation</string>
+            <key>PayloadIdentifier</key>
+            <string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string>
+            <key>PayloadDisplayName</key>
+            <string>Microsoft Defender ATP Content Filter</string>
+            <key>PayloadDescription</key>
+            <string/>
+            <key>PayloadVersion</key>
+            <integer>1</integer>
+            <key>PayloadEnabled</key>
+            <true/>
+            <key>PayloadRemovalDisallowed</key>
+            <true/>
+            <key>PayloadScope</key>
+            <string>System</string>
+            <key>PayloadContent</key>
+            <array>
+                <dict>
+                    <key>PayloadUUID</key>
+                    <string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string>
+                    <key>PayloadType</key>
+                    <string>com.apple.webcontent-filter</string>
+                    <key>PayloadOrganization</key>
+                    <string>Microsoft Corporation</string>
+                    <key>PayloadIdentifier</key>
+                    <string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string>
+                    <key>PayloadDisplayName</key>
+                    <string>Approved Content Filter</string>
+                    <key>PayloadDescription</key>
+                    <string/>
+                    <key>PayloadVersion</key>
+                    <integer>1</integer>
+                    <key>PayloadEnabled</key>
+                    <true/>
+                    <key>FilterType</key>
+                    <string>Plugin</string>
+                    <key>UserDefinedName</key>
+                    <string>Microsoft Defender ATP Content Filter</string>
+                    <key>PluginBundleID</key>
+                    <string>com.microsoft.wdav</string>
+                    <key>FilterSockets</key>
+                    <true/>
+                    <key>FilterDataProviderBundleIdentifier</key>
+                    <string>com.microsoft.wdav.netext</string>
+                    <key>FilterDataProviderDesignatedRequirement</key>
+                    <string>identifier &quot;com.microsoft.wdav.netext&quot; and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
+                </dict>
+            </array>
+        </dict>
+    </plist>
+    ```
+
+2. Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs `OK`:
+
+    ```bash
+    $ plutil -lint com.apple.webcontent-filter.mobileconfig
+    com.apple.webcontent-filter.mobileconfig: OK
+    ```
+
+3. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF’s built-in certificate authority
+
+4. After the certificate is created and installed to your device, run the following command from the Terminal:
+
+    ```bash
+    $ security cms -S -N "<certificate name>" -i com.apple.webcontent-filter.mobileconfig -o com.apple.webcontent-filter.signed.mobileconfig
+    ```
+
+5. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. Select `com.apple.webcontent-filter.signed.mobileconfig` when prompted for the file.
+
+## Intune
+
+### System Extensions Policy
+
+To approve the system extensions:
+
+1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
+3. In the `Basics` tab, give a name to this new profile.
+4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
+
+    Bundle identifier         | Team identifier
+    --------------------------|----------------
+    com.microsoft.wdav.epsext | UBF8T346G9
+    com.microsoft.wdav.netext | UBF8T346G9
+
+    ![System configuration profiles screenshot](images/mac-system-extension-intune2.png)
+
+5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
+6. Review and create this configuration profile.
+
+### Create and deploy the Custom Configuration Profile
+
+The following configuration profile enables the web content filter and grants Full Disk Access to the Endpoint Security system extension. 
+
+Save the following content to a file named **sysext.xml**:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1">
+    <dict>
+        <key>PayloadUUID</key>
+        <string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>
+        <key>PayloadType</key>
+        <string>Configuration</string>
+        <key>PayloadOrganization</key>
+        <string>Microsoft Corporation</string>
+        <key>PayloadIdentifier</key>
+        <string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>
+        <key>PayloadDisplayName</key>
+        <string>Microsoft Defender ATP System Extensions</string>
+        <key>PayloadDescription</key>
+        <string/>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+        <key>PayloadEnabled</key>
+        <true/>
+        <key>PayloadRemovalDisallowed</key>
+        <true/>
+        <key>PayloadScope</key>
+        <string>System</string>
+        <key>PayloadContent</key>
+        <array>
+            <dict>
+                <key>PayloadUUID</key>
+                <string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string>
+                <key>PayloadType</key>
+                <string>com.apple.webcontent-filter</string>
+                <key>PayloadOrganization</key>
+                <string>Microsoft Corporation</string>
+                <key>PayloadIdentifier</key>
+                <string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string>
+                <key>PayloadDisplayName</key>
+                <string>Approved Content Filter</string>
+                <key>PayloadDescription</key>
+                <string/>
+                <key>PayloadVersion</key>
+                <integer>1</integer>
+                <key>PayloadEnabled</key>
+                <true/>
+                <key>FilterType</key>
+                <string>Plugin</string>
+                <key>UserDefinedName</key>
+                <string>Microsoft Defender ATP Content Filter</string>
+                <key>PluginBundleID</key>
+                <string>com.microsoft.wdav</string>
+                <key>FilterSockets</key>
+                <true/>
+                <key>FilterDataProviderBundleIdentifier</key>
+                <string>com.microsoft.wdav.netext</string>
+                <key>FilterDataProviderDesignatedRequirement</key>
+                <string>identifier &quot;com.microsoft.wdav.netext&quot; and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
+            </dict>
+            <dict>
+                <key>PayloadUUID</key>
+                <string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>
+                <key>PayloadType</key>
+                <string>com.apple.TCC.configuration-profile-policy</string>
+                <key>PayloadOrganization</key>
+                <string>Microsoft Corporation</string>
+                <key>PayloadIdentifier</key>
+                <string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>
+                <key>PayloadDisplayName</key>
+                <string>Privacy Preferences Policy Control</string>
+                <key>PayloadDescription</key>
+                <string/>
+                <key>PayloadVersion</key>
+                <integer>1</integer>
+                <key>PayloadEnabled</key>
+                <true/>
+                <key>Services</key>
+                <dict>
+                    <key>SystemPolicyAllFiles</key>
+                    <array>
+                        <dict>
+                            <key>Identifier</key>
+                            <string>com.microsoft.wdav.epsext</string>
+                            <key>CodeRequirement</key>
+                            <string>identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
+                            <key>IdentifierType</key>
+                            <string>bundleID</string>
+                            <key>StaticCode</key>
+                            <integer>0</integer>
+                            <key>Allowed</key>
+                            <integer>1</integer>
+                        </dict>
+                    </array>
+                </dict>
+            </dict>
+        </array>
+    </dict>
+</plist>
+```
+
+Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs `OK`:
+
+    ```bash
+    $ plutil -lint sysext.xml
+    sysext.xml: OK
+    ```
+
+To deploy this custom configuration profile:
+
+1.	In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create profile**.
+2. Choose a name for the profile. Change **Platform=macOS** and **Profile type=Custom**. Select **Configure**.
+3.	Open the configuration profile and upload **sysext.xml**. This file was created in the preceding step.
+4.	Select **OK**.
+
+    ![System extension in Intune screenshot](images/mac-system-extension-intune.png)
+
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@ -136,4 +136,4 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf


 ## Related topic
-[Microsoft Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats)
+[Microsoft Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/microsoft-defender-atps-antivirus-capabilities-boost-malware-protection)
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
@ -27,7 +27,7 @@ ms.topic: conceptual
 > 
 > As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
 > 
-> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Linux onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today.
+> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Android onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today. 

 This topic describes how to install, configure, update, and use Microsoft Defender ATP for Android.

--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@ -89,14 +89,15 @@ After you've enabled the service, you may need to configure your network or fire

 ### Network connections

-The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
+The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
+
+
+
+|**Item**|**Description**|
+|:-----|:-----|
+|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)<br/> [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)  | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS. 
+

-| Service location                         | DNS record              |
-| ---------------------------------------- | ----------------------- |
-| Common URLs for all locations            |  x.cp.wd.microsoft.com <br/> cdn.x.cp.wd.microsoft.com <br/> eu-cdn.x.cp.wd.microsoft.com <br/> wu-cdn.x.cp.wd.microsoft.com <br/> officecdn-microsoft-com.akamaized.net <br/> crl.microsoft.com <br/>  events.data.microsoft.com |
-| European Union                           | europe.x.cp.wd.microsoft.com <br/> eu-v20.events.data.microsoft.com <br/> usseu1northprod.blob.core.windows.net <br/> usseu1westprod.blob.core.windows.net |
-| United Kingdom                           | unitedkingdom.x.cp.wd.microsoft.com <br/> uk-v20.events.data.microsoft.com <br/> ussuk1southprod.blob.core.windows.net <br/> ussuk1westprod.blob.core.windows.net |
-| United States                            | unitedstates.x.cp.wd.microsoft.com  <br/> us-v20.events.data.microsoft.com <br/> ussus1eastprod.blob.core.windows.net <br/> ussus1westprod.blob.core.windows.net |

 > [!NOTE]
 > For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@ -69,14 +69,15 @@ After you've enabled the service, you may need to configure your network or fire

 ### Network connections

-The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
+The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
+
+
+
+|**Item**|**Description**|
+|:-----|:-----|
+|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)<br/> [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)  | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS. 
+

-| Service location                         | DNS record              |
-| ---------------------------------------- | ----------------------- |
-| Common URLs for all locations            |  x.cp.wd.microsoft.com <br/> cdn.x.cp.wd.microsoft.com <br/> eu-cdn.x.cp.wd.microsoft.com <br/> wu-cdn.x.cp.wd.microsoft.com <br/> officecdn-microsoft-com.akamaized.net <br/> crl.microsoft.com <br/>  events.data.microsoft.com |
-| European Union                           | europe.x.cp.wd.microsoft.com <br/> eu-v20.events.data.microsoft.com <br/> usseu1northprod.blob.core.windows.net <br/> usseu1westprod.blob.core.windows.net <br/> winatp-gw-weu.microsoft.com <br/> winatp-gw-neu.microsoft.com |
-| United Kingdom                           | unitedkingdom.x.cp.wd.microsoft.com <br/> uk-v20.events.data.microsoft.com <br/> ussuk1southprod.blob.core.windows.net <br/> ussuk1westprod.blob.core.windows.net <br/> winatp-gw-ukw.microsoft.com <br/> winatp-gw-uks.microsoft.com |
-| United States                            | unitedstates.x.cp.wd.microsoft.com  <br/> us-v20.events.data.microsoft.com <br/> ussus1eastprod.blob.core.windows.net <br/> ussus1westprod.blob.core.windows.net <br/> winatp-gw-cus.microsoft.com <br/> winatp-gw-eus.microsoft.com |

 Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
 - Proxy auto-config (PAC)
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@ -43,6 +43,9 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
 > [!NOTE]
 > Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices.

+
+Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP).
+
 Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options:

 - [Azure Security Center Standard plan](https://docs.microsoft.com/azure/security-center/security-center-pricing) (per node)
@ -89,7 +92,7 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo

 Devices on your network must be running one of these editions.

-The hardware requirements for Microsoft Defender ATP on devices is the same as those for the supported editions.
+The hardware requirements for Microsoft Defender ATP on devices are the same for the supported editions.

 > [!NOTE]
 > Machines running mobile versions of Windows are not supported.
@ -122,8 +125,8 @@ When you run the onboarding wizard for the first time, you must choose where you
 > [!NOTE]
 > Microsoft Defender ATP doesn't require any specific diagnostic level as long as it's enabled.

-You must ensure that the diagnostic data service is enabled on all the devices in your organization.
-By default, this service is enabled, but it&#39;s good practice to check to ensure that you&#39;ll get sensor data from them.
+Make sure that the diagnostic data service is enabled on all the devices in your organization.
+By default, this service is enabled. It's good practice to check to ensure that you'll get sensor data from them.

 **Use the command line to check the Windows 10 diagnostic data service startup type**:

@ -143,7 +146,8 @@ By default, this service is enabled, but it&#39;s good practice to check to ensu

    ![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)

-If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
+
+You'll need to set the service to automatically start if the **START_TYPE** is not set to **AUTO_START**.


 **Use the command line to set the Windows 10 diagnostic data service to automatically start:**
@ -170,7 +174,7 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
 #### Internet connectivity
 Internet connectivity on devices is required either directly or through proxy.

-The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.
+The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5 MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.

 For more information on additional proxy configuration settings, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).

@ -180,9 +184,11 @@ Before you onboard devices, the diagnostic data service must be enabled. The ser
 ## Microsoft Defender Antivirus configuration requirement
 The Microsoft Defender ATP agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them.

-You must configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
+Configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).

-When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode. If your organization has disabled Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded to Microsoft Defender ATP must be excluded from this group policy.
+When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode. 
+
+If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy.

 If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).

--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
@ -32,9 +32,6 @@ ms.topic: article

 Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.

-> [!IMPORTANT]
-> This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview.md).
-
 To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll need to:
 - Configure and update System Center Endpoint Protection clients.
 - Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as instructed below.
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@ -228,16 +228,15 @@ is configured on these devices.
 URLs that include v20 in them are only needed if you have Windows 10, version
 1803 or later devices. For example, ```us-v20.events.data.microsoft.com``` is only
 needed if the device is on Windows 10, version 1803 or later.
+ 

-  Service location | Microsoft.com DNS record
-|-
-Common URLs for all locations | ```crl.microsoft.com/pki/crl/*```<br> ```ctldl.windowsupdate.com``` <br>```www.microsoft.com/pkiops/*```<br>```events.data.microsoft.com```<br>```notify.windows.com```<br> ```settings-win.data.microsoft.com```
-European Union | ```eu.vortex-win.data.microsoft.com``` <br> ```eu-v20.events.data.microsoft.com``` <br> ```usseu1northprod.blob.core.windows.net```  <br>```usseu1westprod.blob.core.windows.net``` <br> ```winatp-gw-neu.microsoft.com``` <br> ```winatp-gw-weu.microsoft.com``` <br>```wseu1northprod.blob.core.windows.net``` <br>```wseu1westprod.blob.core.windows.net``` <br>```automatedirstrprdweu.blob.core.windows.net``` <br>```automatedirstrprdneu.blob.core.windows.net```
-United Kingdom | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.data.microsoft.com``` <br>```ussuk1southprod.blob.core.windows.net``` <br>```ussuk1westprod.blob.core.windows.net``` <br>```winatp-gw-uks.microsoft.com``` <br>```winatp-gw-ukw.microsoft.com``` <br>```wsuk1southprod.blob.core.windows.net``` <br>```wsuk1westprod.blob.core.windows.net``` <br>```automatedirstrprduks.blob.core.windows.net``` <br>```automatedirstrprdukw.blob.core.windows.net```  
-United States | ```us.vortex-win.data.microsoft.com``` <br> ```ussus1eastprod.blob.core.windows.net``` <br> ```ussus1westprod.blob.core.windows.net``` <br> ```ussus2eastprod.blob.core.windows.net``` <br> ```ussus2westprod.blob.core.windows.net``` <br> ```ussus3eastprod.blob.core.windows.net``` <br> ```ussus3westprod.blob.core.windows.net``` <br> ```ussus4eastprod.blob.core.windows.net``` <br> ```ussus4westprod.blob.core.windows.net``` <br> ```us-v20.events.data.microsoft.com``` <br> ```winatp-gw-cus.microsoft.com``` <br> ```winatp-gw-eus.microsoft.com``` <br> ```wsus1eastprod.blob.core.windows.net``` <br> ```wsus1westprod.blob.core.windows.net``` <br> ```wsus2eastprod.blob.core.windows.net``` <br> ```wsus2westprod.blob.core.windows.net``` <br> ```automatedirstrprdcus.blob.core.windows.net``` <br> ```automatedirstrprdeus.blob.core.windows.net```
+If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the listed URLs.


-If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
+|**Item**|**Description**|
+|:-----|:-----|
+|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)<br/> [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)  | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS. 
+

 ###  Microsoft Defender ATP service backend IP range

--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
@ -75,15 +75,11 @@ Now that you have onboarded your organization's devices to Microsoft Defender AT
   2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`.
   3. Look for an entry named **SmcInstData**. Right-click the item, and then choose **Delete**. 

-3. Remove Symantec from your devices. You can use SEP Manager to perform this task. See [Configuring client packages to uninstall existing security software](https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Managing-a-custom-installation/preparing-for-client-installation-v16742985-d21e7/configuring-client-packages-to-uninstall-existing-v73569396-d21e2634.html).
-  
-
-> [!TIP]
-> Need help? See the following Broadcom resources: 
-> - [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html).
-> -  Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040).
-> - macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387).
-> - Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054). 
+3. Remove Symantec from your devices. If you need help with this, see the following Broadcom resources: 
+   - [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html)
+   - Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040)
+   - macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387)
+   - Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054)

 ## Make sure Microsoft Defender ATP is in active mode

--- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
@ -46,7 +46,7 @@ WDAC policies apply to the managed computer as a whole and affects all users of
 ### WDAC System Requirements

 WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
-WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
+WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.

 ## AppLocker

--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
@ -52,11 +52,10 @@ You can hide notifications that describe regular events related to the health an
 This can only be done in Group Policy.

 >[!IMPORTANT]
->### Requirements
 >
->You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 
+> Requirement: You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 

-1. Download the latest [Administrative Templates (.admx) for Windows 10, v1809](https://www.microsoft.com/download/details.aspx?id=57576).
+1. Download the latest [Administrative Templates (.admx) for Windows 10, v2004](https://www.microsoft.com/download/101445).

 2.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

@ -76,15 +75,17 @@ You can hide all notifications that are sourced from the Windows Security app. T
 This can only be done in Group Policy.

 >[!IMPORTANT]
->### Requirements
 >
->You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 
+> Requirement: You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 

 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

 3.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.

-5.  Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below the path would       be **Windows components > Windows Defender Security Center > Notifications**
+5.  Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below the path would       be **Windows components > Windows Defender Security Center > Notifications**.
+
+    > [!NOTE]
+    > For Windows 10 version 2004 and above the path would be **Windows components > Windows Security > Notifications**.

 6.  Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.

@ -93,7 +94,7 @@ This can only be done in Group Policy.
    **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
    **"DisableNotifications"=dword:00000001**
    
-8.  Use the following registry key and DWORD value to **Hide not-critical notifications**
+8.  Use the following registry key and DWORD value to **Hide not-critical notifications**.

     **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
     **"DisableEnhancedNotifications"=dword:00000001**