Merge branch 'master' into MDBranchCommonMistakesWithAntivirusExclusions

windows/client-management/mdm/policy-csp-update.md

@@ -3256,7 +3256,7 @@ The following list shows the supported values:
 <!--/Scope-->
 <!--Description-->
 > [!NOTE]
-> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
+> This policy is *only* recommended for managing mobile devices. If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. 
 
 
 Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.

windows/client-management/mdm/update-csp.md

@@ -17,7 +17,7 @@ ms.date: 02/23/2018
 The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
 
 > [!Note]
-> All aspects of the Update CSP aside from Rollback are not recommended for managing desktop devices. To manage desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation. Rollback can be used for desktop devices on 1803 and above. 
+> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies. 
 
 The following diagram shows the Update configuration service provider in tree format.
 

windows/client-management/mdm/vpnv2-profile-xsd.md

@@ -1,6 +1,6 @@
 ---
 title: ProfileXML XSD
-description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples.
+description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples.
 ms.assetid: 2F32E14B-F9B9-4760-AE94-E57F1D4DFDB3
 ms.reviewer:
 manager: dansimp
@@ -9,17 +9,15 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
-ms.date: 02/05/2018
+ms.date: 07/14/2020
 ---
 
 # ProfileXML XSD
 
-
+Here's the XSD for the ProfileXML node in the VPNv2 CSP and VpnManagementAgent::AddProfileFromXmlAsync for Windows 10 and some profile examples.
-Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples.
 
 ## XSD for the VPN profile
 
-
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
@@ -27,6 +25,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
   <xs:element name="VPNProfile">
     <xs:complexType>
       <xs:sequence>
+        <xs:element name="ProfileName" type="xs:string" minOccurs="0" maxOccurs="1" />
         <xs:element name="EdpModeId" type="xs:string" minOccurs="0" maxOccurs="1" />
         <xs:element name="RememberCredentials" type="xs:boolean" minOccurs="0" maxOccurs="1" />
         <xs:element name="AlwaysOn" type="xs:boolean" minOccurs="0" maxOccurs="1" />
@@ -36,6 +35,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
         <xs:element name="DeviceTunnel" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
         <xs:element name="RegisterDNS" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
         <xs:element name="ByPassForLocal" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
+        <xs:element name="RequireVpnClientAppUI" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
         <xs:element name="Proxy" minOccurs="0" maxOccurs="1">
           <xs:complexType>
             <xs:sequence>
@@ -89,7 +89,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
             </xs:sequence>
           </xs:complexType>
         </xs:element>
-        <xs:element name="AppTrigger" minOccurs="0" maxOccurs="1">
+        <xs:element name="AppTrigger" minOccurs="0" maxOccurs="unbounded">
           <xs:complexType>
             <xs:sequence>
               <xs:element name="App" minOccurs="1" maxOccurs="1">
@@ -109,13 +109,20 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
               <xs:element name="DnsServers" type="xs:string" minOccurs="0" maxOccurs="1"/>
               <xs:element name="WebProxyServers" type="xs:string" minOccurs="0" maxOccurs="1"/>
               <xs:element name="AutoTrigger" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
+              <xs:element name="Persistent" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
             </xs:sequence>
           </xs:complexType>
         </xs:element>
         <xs:element name="TrafficFilter" minOccurs="0" maxOccurs="unbounded">
           <xs:complexType>
             <xs:sequence>
-              <xs:element name="App" type="xs:string" minOccurs="0" maxOccurs="1"/>
+              <xs:element name="App" minOccurs="0" maxOccurs="1">
+                <xs:complexType>
+                  <xs:sequence>
+                    <xs:element name="Id" type="xs:string" minOccurs="1" maxOccurs="1"/>
+                  </xs:sequence>
+                </xs:complexType>
+              </xs:element>
               <xs:element name="Claims" type="xs:string" minOccurs="0" maxOccurs="1"/>
               <xs:element name="Protocol" type="xs:string" minOccurs="0" maxOccurs="1"/>
               <xs:element name="LocalPortRanges" type="xs:string" minOccurs="0" maxOccurs="1"/>
@@ -123,6 +130,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
               <xs:element name="LocalAddressRanges" type="xs:string" minOccurs="0" maxOccurs="1"/>
               <xs:element name="RemoteAddressRanges" type="xs:string" minOccurs="0" maxOccurs="1"/>
               <xs:element name="RoutingPolicyType" type="xs:string" minOccurs="0" maxOccurs="1"/>
+              <xs:element name="Direction" type="xs:string" minOccurs="0" maxOccurs="1"/>
             </xs:sequence>
           </xs:complexType>
         </xs:element>
@@ -134,6 +142,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
               <xs:element name="NativeProtocolType" type="xs:string" minOccurs="0" maxOccurs="1"/>
               <xs:element name="L2tpPsk" type="xs:string" minOccurs="0" maxOccurs="1"/>
               <xs:element name="DisableClassBasedDefaultRoute" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
+              <xs:element name="PlumbIKEv2TSAsRoutes" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
               <xs:element name="CryptographySuite" minOccurs="0" maxOccurs="1">
                 <xs:complexType>
                   <xs:sequence>
@@ -148,10 +157,10 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
               </xs:element>
               <xs:element name="Authentication" minOccurs="1" maxOccurs="1">
                 <xs:complexType>
+                  <xs:choice>
                     <xs:sequence>
                       <xs:element name="UserMethod" type="xs:string" minOccurs="0" maxOccurs="1" />
-                    <xs:element name="MachineMethod" type="xs:string" minOccurs="0" maxOccurs="1" />
+                      <xs:element name="Eap" minOccurs="0" maxOccurs="1">
-                    <xs:element name="Eap" minOccurs="1" maxOccurs="1">
                         <xs:complexType>
                           <xs:sequence>
                             <xs:element name="Configuration" minOccurs="1" maxOccurs="1">
@@ -165,17 +174,20 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
                         </xs:complexType>
                       </xs:element>
                     </xs:sequence>
+                    <xs:element name="MachineMethod" type="xs:string" minOccurs="0" maxOccurs="1" />
+                  </xs:choice>
                 </xs:complexType>
               </xs:element>
             </xs:sequence>
           </xs:complexType>
         </xs:element>
-        <xs:element minOccurs="0" maxOccurs="unbounded" name="Route">
+        <xs:element name="Route" minOccurs="0" maxOccurs="unbounded">
           <xs:complexType>
             <xs:sequence>
               <xs:element name="Address" type="xs:string" minOccurs="1" maxOccurs="1"/>
               <xs:element name="PrefixSize" type="xs:unsignedByte" minOccurs="1" maxOccurs="1"/>
               <xs:element name="ExclusionRoute" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
+              <xs:element name="Metric" type="xs:unsignedInt" minOccurs="0" maxOccurs="1"/>
             </xs:sequence>
           </xs:complexType>
         </xs:element>
@@ -187,12 +199,75 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
 
 ## Native profile example
 
-
+```xml
-```
 <VPNProfile>
+  <EdpModeId>corp.contoso.com</EdpModeId>
+  <RememberCredentials>true</RememberCredentials>
+  <AlwaysOn>false</AlwaysOn>
+  <DnsSuffix>corp.contoso.com</DnsSuffix>
+  <TrustedNetworkDetection>contoso.com</TrustedNetworkDetection>
+
+  <Proxy>
+    <AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
+    <Manual>
+      <Server>HelloServer</Server>
+    </Manual>
+  </Proxy>
+
+  <DeviceCompliance>
+    <Enabled>true</Enabled>
+    <Sso>
+      <Enabled>true</Enabled>
+      <Eku>This is my Eku</Eku>
+      <IssuerHash>This is my issuer hash</IssuerHash>
+    </Sso>
+  </DeviceCompliance>
+
+  <AppTrigger>
+    <App>
+      <Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
+    </App>
+  </AppTrigger>
+  <AppTrigger>
+    <App>
+      <Id>C:\windows\system32\ping.exe</Id>
+    </App>
+  </AppTrigger>
+
+  <DomainNameInformation>
+    <DomainName>hrsite.corporate.contoso.com</DomainName>
+    <DnsServers>1.2.3.4,5.6.7.8</DnsServers>
+    <WebProxyServers>5.5.5.5</WebProxyServers>
+    <AutoTrigger>true</AutoTrigger>
+  </DomainNameInformation>
+  <DomainNameInformation>
+    <DomainName>.corp.contoso.com</DomainName>
+    <DnsServers>10.10.10.10,20.20.20.20</DnsServers>
+    <WebProxyServers>100.100.100.100</WebProxyServers>
+  </DomainNameInformation>
+
+  <TrafficFilter>
+    <App>
+      <Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
+    </App>
+    <Protocol>6</Protocol>
+    <LocalPortRanges>10,20-50,100-200</LocalPortRanges>
+    <RemotePortRanges>20-50,100-200,300</RemotePortRanges>
+    <RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>
+    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
+  </TrafficFilter>
+  <TrafficFilter>
+    <App>
+      <Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
+    </App>
+    <LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>
+  </TrafficFilter>
+
   <NativeProfile>
     <Servers>testServer.VPN.com</Servers>
+    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
     <NativeProtocolType>IKEv2</NativeProtocolType>
+    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
     <Authentication>
       <UserMethod>Eap</UserMethod>
       <Eap>
@@ -263,8 +338,6 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
         </Configuration>
       </Eap>
     </Authentication>
-    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>  
-    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>  
   </NativeProfile>
 
   <Route>
@@ -275,90 +348,44 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
     <Address>10.10.0.0</Address>
     <PrefixSize>16</PrefixSize>
   </Route>
-  
-  <AppTrigger>  
-    <App>  
-      <Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>  
-    </App>  
-  </AppTrigger>  
-  <AppTrigger>  
-    <App>  
-      <Id>C:\windows\system32\ping.exe</Id>  
-    </App>  
-  </AppTrigger>  
-  
-  
-  <TrafficFilter>  
-    <App>  
-      <Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>  
-    </App>  
-    <Protocol>6</Protocol>  
-    <LocalPortRanges>10,20-50,100-200</LocalPortRanges>  
-    <RemotePortRanges>20-50,100-200,300</RemotePortRanges>  
-    <RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>  
-    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>  
-  </TrafficFilter>  
-  <TrafficFilter>  
-    <App>  
-      <Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>  
-    </App>  
-    <LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>  
-  </TrafficFilter>  
-  
-  
-  <DomainNameInformation>  
-    <DomainName>hrsite.corporate.contoso.com</DomainName>  
-    <DnsServers>1.2.3.4,5.6.7.8</DnsServers>  
-    <WebProxyServers>5.5.5.5</WebProxyServers>  
-    <AutoTrigger>true</AutoTrigger>  
-  </DomainNameInformation>  
-  <DomainNameInformation>  
-    <DomainName>.corp.contoso.com</DomainName>  
-    <DnsServers>10.10.10.10,20.20.20.20</DnsServers>  
-    <WebProxyServers>100.100.100.100</WebProxyServers>  
-  </DomainNameInformation>  
-  
-  <EdpModeId>corp.contoso.com</EdpModeId>  
-  <RememberCredentials>true</RememberCredentials>  
-  <AlwaysOn>false</AlwaysOn>  
-  <DnsSuffix>corp.contoso.com</DnsSuffix>  
-  <TrustedNetworkDetection>contoso.com</TrustedNetworkDetection>  
-  <Proxy>  
-    <Manual>  
-      <Server>HelloServer</Server>  
-    </Manual>  
-    <AutoConfigUrl>Helloworld.Com</AutoConfigUrl>  
-  </Proxy>  
-  
-  <DeviceCompliance>  
-        <Enabled>true</Enabled>  
-        <Sso>  
-            <Enabled>true</Enabled>  
-            <Eku>This is my Eku</Eku>  
-            <IssuerHash>This is my issuer hash</IssuerHash>  
-        </Sso>  
-    </DeviceCompliance>  
 </VPNProfile>
 ```
 
 ## Plug-in profile example
 
-
 ```xml
 <VPNProfile>
+  <!--<EdpModeId>corp.contoso.com</EdpModeId>-->
+  <RememberCredentials>true</RememberCredentials>
+  <AlwaysOn>false</AlwaysOn>
+  <DnsSuffix>corp.contoso.com</DnsSuffix>
+  <TrustedNetworkDetection>contoso.com,test.corp.contoso.com</TrustedNetworkDetection>
+  <DeviceTunnel>false</DeviceTunnel>
+  <RegisterDNS>false</RegisterDNS>
+
+  <Proxy>
+    <AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
+    <Manual>
+      <Server>HelloServer</Server>
+    </Manual>
+
+  </Proxy>
+
+  <APNBinding>
+    <ProviderId></ProviderId>
+    <AccessPointName></AccessPointName>
+    <UserName></UserName>
+    <Password></Password>
+    <IsCompressionEnabled>true</IsCompressionEnabled>
+    <AuthenticationType></AuthenticationType>
+  </APNBinding>
+
   <PluginProfile>
     <ServerUrlList>testserver1.contoso.com;testserver2.contoso..com</ServerUrlList>
-        <PluginPackageFamilyName>JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy</PluginPackageFamilyName>
     <CustomConfiguration><pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema></CustomConfiguration>
+    <PluginPackageFamilyName>JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy</PluginPackageFamilyName>
   </PluginProfile>
-    <Route>
+
-        <Address>192.168.0.0</Address>
-        <PrefixSize>24</PrefixSize>
-    </Route>
-    <Route>
-        <Address>10.10.0.0</Address>
-        <PrefixSize>16</PrefixSize>
-    </Route>
   <AppTrigger>
     <App>
       <Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
@@ -369,6 +396,19 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
       <Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
     </App>
   </AppTrigger>
+
+  <DomainNameInformation>
+    <DomainName>corp.contoso.com</DomainName>
+    <DnsServers>1.2.3.4,5.6.7.8</DnsServers>
+    <WebProxyServers>5.5.5.5</WebProxyServers>
+    <AutoTrigger>false</AutoTrigger>
+  </DomainNameInformation>
+  <DomainNameInformation>
+    <DomainName>corp.contoso.com</DomainName>
+    <DnsServers>10.10.10.10,20.20.20.20</DnsServers>
+    <WebProxyServers>100.100.100.100</WebProxyServers>
+  </DomainNameInformation>
+
   <TrafficFilter>
     <App>
       <Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
@@ -392,47 +432,14 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
     <Claims>O:SYG:SYD:(A;;CC;;;AU)</Claims>
     <!--<RoutingPolicyType>SplitTunnel</RoutingPolicyType>-->
   </TrafficFilter>
-    <DomainNameInformation>
+
-        <DomainName>corp.contoso.com</DomainName>
+  <Route>
-        <DnsServers>1.2.3.4,5.6.7.8</DnsServers>
+    <Address>192.168.0.0</Address>
-        <WebProxyServers>5.5.5.5</WebProxyServers>
+    <PrefixSize>24</PrefixSize>
-        <AutoTrigger>false</AutoTrigger>
+  </Route>
-    </DomainNameInformation>
+  <Route>
-    <DomainNameInformation>
+    <Address>10.10.0.0</Address>
-        <DomainName>corp.contoso.com</DomainName>
+    <PrefixSize>16</PrefixSize>
-        <DnsServers>10.10.10.10,20.20.20.20</DnsServers>
+  </Route>
-        <WebProxyServers>100.100.100.100</WebProxyServers>
-    </DomainNameInformation>
-    <!--<EdpModeId>corp.contoso.com</EdpModeId>-->
-    <RememberCredentials>true</RememberCredentials>
-    <AlwaysOn>false</AlwaysOn>
-    <DeviceTunnel>false</DeviceTunnel>
-    <RegisterDNS>false</RegisterDNS>
-    <DnsSuffix>corp.contoso.com</DnsSuffix>
-    <TrustedNetworkDetection>contoso.com,test.corp.contoso.com</TrustedNetworkDetection>
-    <Proxy>
-        <Manual>
-            <Server>HelloServer</Server>
-        </Manual>
-        <AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
-    </Proxy>
-    <APNBinding>
-                <ProviderId></ProviderId>
-                <AccessPointName></AccessPointName>
-                <UserName></UserName>
-                <Password></Password>
-                <IsCompressionEnabled></IsCompressionEnabled>
-                <AuthenticationType></AuthenticationType>
-    </APNBinding>
 </VPNProfile>
 ```
-
- 
-
- 
-
-
-
-
-
-

windows/deployment/windows-autopilot/windows-autopilot-scenarios.md

@@ -35,6 +35,12 @@ The following Windows Autopilot scenarios are described in this guide:
 | Pre-provision a device with up-to-date applications, policies and settings.| [White glove](white-glove.md) |
 | Deploy Windows 10 on an existing Windows 7 or 8.1 device | [Windows Autopilot for existing devices](existing-devices.md) |
 
+These scenarios are summarized in the following video.
+
+ 
+
+> [!video https://www.microsoft.com/videoplayer/embed/RE4Ci1b?autoplay=false]
+
 ## Windows Autopilot capabilities
 
 ### Windows Autopilot is self-updating during OOBE

windows/deployment/windows-autopilot/windows-autopilot.md

@@ -25,7 +25,11 @@ ms.topic: article
 
 Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices. This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.
 
-Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. See the following diagram:
+Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. See the following video and diagram:
+
+ 
+
+> [!video https://www.microsoft.com/videoplayer/embed/RE4C7G9?autoplay=false]
 
 ![Process overview](images/image1.png)
 
@@ -40,16 +44,6 @@ Windows Autopilot enables you to:
 * Create and auto-assign devices to configuration groups based on a device's profile.
 * Customize OOBE content specific to the organization.
 
-## Windows Autopilot walkthrough
-
-The following video shows the process of setting up Windows Autopilot:
-
-</br>
-
-<iframe width="560" height="315" src="https://www.youtube.com/embed/4K4hC5NchbE" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
-
-This video is also available [here](https://www.microsoft.com/videoplayer/embed/RE4ATOx).
-
 ## Benefits of Windows Autopilot
 
 Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach.

windows/privacy/manage-windows-2004-endpoints.md

@@ -85,6 +85,7 @@ The following methodology was used to derive these network endpoints:
 |||HTTPS|*ow1.res.office365.com|
 |||HTTPS|office.com|
 |||HTTPS|blobs.officehome.msocdn.com|
+|||HTTPS|self.events.data.microsoft.com|
 |OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
 |||TLSv1.2|*g.live.com|
 |||TLSv1.2|oneclient.sfx.ms|

windows/security/identity-protection/credential-guard/credential-guard-manage.md

@@ -8,11 +8,14 @@ ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 author: dulcemontemayor
-ms.author: dansimp
+ms.author: v-tea
 manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.reviewer: 
+ms.custom: 
+- CI 120967
+- CSSTroubleshooting
 ---
 
 # Manage Windows Defender Credential Guard
@@ -154,14 +157,25 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
 
 -   You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
     -   **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
-    -   **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: 0x1, 0
+    -   **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0**
-        -   The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means it's not configured to run.
+        -   The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run.
-        -   The second variable: 0 means it's configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
+        -   The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
     -   **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
     -   **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
     -   **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]  
     You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
-        -   **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
+        -   **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**.  
+  - You can use Windows Powershell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated Powershell window and run the following command:
+  
+    ```powershell
+    (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
+    ```
+
+    This command generates the following output:  
+    - **0**: Windows Defender Credential Guard is disabled (not running)
+    - **1**: Windows Defender Credential Guard is enabled (running)
+    > [!NOTE]  
+    > Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running.
 
 ## Disable Windows Defender Credential Guard
 

windows/security/identity-protection/hello-for-business/hello-overview.md

@@ -99,7 +99,9 @@ Windows Hello for Business with a key does not support RDP. RDP does not support
 
 ## Learn more
 
-[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/implementing-windows-hello-for-business-at-microsoft)
+[Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/en-us/itshowcase/implementing-strong-user-authentication-with-windows-hello-for-business)
+
+[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft)
 
 [Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy
 

windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md

@@ -27,7 +27,7 @@ manager: dansimp
 Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
 - If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode.
 - If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.)
-- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/shadow-protection) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
+- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
 
 ## Antivirus and Microsoft Defender ATP
 

windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md

@@ -95,7 +95,7 @@ Microsoft Defender Application Guard accesses files from a VHD mounted on the ho
 
 ### Why do the Network Isolation policies in Group Policy and CSP look different?
 
-There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatary network isolation policies to deploy WDAG are different between CSP and GP.
+There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
 
 Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
 Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
@@ -107,3 +107,7 @@ Windows Defender Application Guard accesses files from a VHD mounted on the host
 
 If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. 
 
+### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")?
+
+Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. 
+

windows/security/threat-protection/microsoft-defender-atp/alerts.md

@@ -49,9 +49,9 @@ lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that
 firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that device.
 lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated.
 resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
-incidentId | Nullable Long | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert.
+incidentId | Nullable Long | The [Incident](view-incidents-queue.md) ID of the Alert.
-investigationId | Nullable Long | The [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) ID related to the Alert.
+investigationId | Nullable Long | The [Investigation](automated-investigations.md) ID related to the Alert.
-investigationState | Nullable Enum | The current state of the [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
+investigationState | Nullable Enum | The current state of the [Investigation](automated-investigations.md). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
 assignedTo | String | Owner of the alert.
 severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
 status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
@@ -61,6 +61,8 @@ category| String | Category of the alert.
 detectionSource | String | Detection source.
 threatFamilyName | String | Threat family.
 machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
+computerDnsName | String | [machine](machine.md) fully qualified name.
+aadTenantId | String | The Azure Active Directory ID.
 comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
 
 ### Response example for getting single alert:

windows/security/threat-protection/microsoft-defender-atp/android-configure.md

@@ -29,8 +29,8 @@ Directory enables enforcing Device compliance and Conditional Access policies
 based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense
 (MTD) solution that you can deploy to leverage this capability via Intune.
 
-For more information on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
+For more information about how to set up Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
-Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android).
+Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
 
 
 ## Configure custom indicators  

windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md

@@ -60,19 +60,21 @@ For more information about disabling local list merging, see [Prevent or allow u
 ## Intune
 
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-1. Click **Device configuration** > **Profiles** > **Create profile**.
-1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
-   ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
-1. Click **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**.
-1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.
 
-   ![Enable controlled folder access in Intune](../images/enable-cfa-intune.png)
+2. Click **Device configuration** > **Profiles** > **Create profile**.
+
+3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. <br/> ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) <br/>
+
+4. Click **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**.
+
+5. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.<br/> ![Enable controlled folder access in Intune](../images/enable-cfa-intune.png)<br/>
 
    > [!NOTE]
    > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
 
-1. Click **OK** to save each open blade and click **Create**.
+6. Click **OK** to save each open blade and click **Create**.
-1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
+
+7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
 
 ## MDM
 
@@ -81,12 +83,17 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
 ## Microsoft Endpoint Configuration Manager
 
 1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+
 2. Click **Home** > **Create Exploit Guard Policy**.
+
 3. Enter a name and a description, click **Controlled folder access**, and click **Next**.
+
 4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.
    > [!NOTE]
    > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
+
 5. Review the settings and click **Next** to create the policy.
+
 6. After the policy is created, click **Close**.
 
 ## Group Policy

windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md

@@ -108,13 +108,18 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab
 ## Intune
 
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
+
 2. Click **Device configuration** > **Profiles** > **Create profile**.
-3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
+
-   ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
+3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.<br/>
+   ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)<br/>
+
 4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.  
-5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:  
+
-   ![Enable network protection in Intune](../images/enable-ep-intune.png)
+5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:<br/>![Enable network protection in Intune](../images/enable-ep-intune.png)<br/>
+
 6. Click **OK** to save each open blade and click **Create**.
+
 7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
 
 ## MDM
@@ -124,19 +129,26 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt
 ## Microsoft Endpoint Configuration Manager
 
 1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-1. Click **Home** > **Create Exploit Guard Policy**.
+
-1. Enter a name and a description, click **Exploit protection**, and click **Next**.
+2. Click **Home** > **Create Exploit Guard Policy**.
-1. Browse to the location of the exploit protection XML file and click **Next**.
+
-1. Review the settings and click **Next** to create the policy.
+3. Enter a name and a description, click **Exploit protection**, and click **Next**.
-1. After the policy is created, click **Close**.
+
+4. Browse to the location of the exploit protection XML file and click **Next**.
+
+5. Review the settings and click **Next** to create the policy.
+
+6. After the policy is created, click **Close**.
 
 ## Group Policy
 
 1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
-1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
+
-3. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
+3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
+
+4. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
 
 ## PowerShell
 

windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md

@@ -29,45 +29,113 @@ Not all properties are filterable.
 
 ## Properties that supports $filter:
 
-- [Alert](alerts.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category.
+- [Alert](alerts.md): ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category```.
-- [Machine](machine.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId.
+- [Machine](machine.md): ```ComputerDnsName```, ```LastSeen```, ```HealthStatus```, ```OsPlatform```, ```RiskScore``` and ```RbacGroupId```.
-- [MachineAction](machineaction.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc.
+- [MachineAction](machineaction.md): ```Status```, ```MachineId```, ```Type```, ```Requestor``` and ```CreationDateTimeUtc```.
+- [Indicator](ti-indicator.md): ```indicatorValue```, ```indicatorType```, ```creationTimeDateTimeUtc```, ```createdBy```, ```severity ``` and ```action ```.
 
 ### Example 1
 
-Get all the devices with the tag 'ExampleTag'
+Get 10 latest Alerts with related Evidence
 
 ```
-HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
+HTTP GET  https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
 ```
 
 **Response:**
 
-```
+```json
-HTTP/1.1 200 OK
-Content-type: application/json
 {
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
     "value": [
 		{
-            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+			"id": "da637306396589640224_1753239473",
-			"computerDnsName": "mymachine1.contoso.com",
+			"incidentId": 875832,
-			"firstSeen": "2018-08-02T14:55:03.7791856Z",
+			"investigationId": 478434,
-			"lastSeen": "2018-08-02T14:55:03.7791856Z",
+			"assignedTo": null,
-			"osPlatform": "Windows10",
+			"severity": "Low",
-			"version": "1709",
+			"status": "New",
-			"osProcessor": "x64",
+			"classification": null,
-			"lastIpAddress": "172.17.230.209",
+			"determination": null,
-			"lastExternalIpAddress": "167.220.196.71",
+			"investigationState": "PendingApproval",
-			"osBuild": 18209,
+			"detectionSource": "WindowsDefenderAv",
-			"healthStatus": "Active",
+			"category": "UnwantedSoftware",
-			"rbacGroupId": 140,
+			"threatFamilyName": "InstallCore",
-			"rbacGroupName": "The-A-Team",
+			"title": "An active 'InstallCore' unwanted software was detected",
-			"riskScore": "Low",
+			"description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
-			"exposureLevel": "Medium",
+			"alertCreationTime": "2020-07-18T03:27:38.9483995Z",
-			"isAadJoined": true,
+			"firstEventTime": "2020-07-18T03:25:39.6124549Z",
-			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"lastEventTime": "2020-07-18T03:26:18.4362304Z",
-			"machineTags": [ "test tag 1", "ExampleTag" ]
+			"lastUpdateTime": "2020-07-18T03:28:19.76Z",
+			"resolvedTime": null,
+			"machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
+			"computerDnsName": "temp2.redmond.corp.microsoft.com",
+			"rbacGroupName": "Ring0",
+			"aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+			"relatedUser": {
+				"userName": "temp2",
+				"domainName": "REDMOND"
+			},
+			"comments": [],
+			"evidence": [
+				{
+					"entityType": "File",
+					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+					"fileName": "Your File Is Ready To Download_1911150169.exe",
+					"filePath": "C:\\Users\\temp2\\Downloads",
+					"processId": null,
+					"processCommandLine": null,
+					"processCreationTime": null,
+					"parentProcessId": null,
+					"parentProcessCreationTime": null,
+					"ipAddress": null,
+					"url": null,
+					"accountName": null,
+					"domainName": null,
+					"userSid": null,
+					"aadUserId": null,
+					"userPrincipalName": null
+				},
+				{
+					"entityType": "Process",
+					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+					"fileName": "Your File Is Ready To Download_1911150169.exe",
+					"filePath": "C:\\Users\\temp2\\Downloads",
+					"processId": 24348,
+					"processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
+					"processCreationTime": "2020-07-18T03:25:38.5269993Z",
+					"parentProcessId": 16840,
+					"parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
+					"ipAddress": null,
+					"url": null,
+					"accountName": null,
+					"domainName": null,
+					"userSid": null,
+					"aadUserId": null,
+					"userPrincipalName": null
+				},
+				{
+					"entityType": "User",
+					"sha1": null,
+					"sha256": null,
+					"fileName": null,
+					"filePath": null,
+					"processId": null,
+					"processCommandLine": null,
+					"processCreationTime": null,
+					"parentProcessId": null,
+					"parentProcessCreationTime": null,
+					"ipAddress": null,
+					"url": null,
+					"accountName": "temp2",
+					"domainName": "REDMOND",
+					"userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
+					"aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
+					"userPrincipalName": "temp2@microsoft.com"
+				}
+			]
 		},
 		...
 	]
@@ -76,49 +144,55 @@ Content-type: application/json
 
 ### Example 2
 
-Get all the alerts that created after 2018-10-20 00:00:00
+Get all the alerts last updated after 2019-10-20 00:00:00
 
 ```
-HTTP GET  https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime+gt+2018-11-22T00:00:00Z
+HTTP GET  https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z
 ```
 
 **Response:**
 
-```
+```json
-HTTP/1.1 200 OK
-Content-type: application/json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "da637084217856368682_-292920499",
+            "id": "da637308392288907382_-880718168",
-			"incidentId": 66860,
+            "incidentId": 7587,
-			"investigationId": 4416234,
+            "investigationId": 723156,
-			"investigationState": "Running",
+            "assignedTo": "secop123@contoso.com",
-			"assignedTo": "secop@contoso.com",
             "severity": "Low",
             "status": "New",
             "classification": "TruePositive",
             "determination": null,
-			"detectionSource": "WindowsDefenderAtp",
+            "investigationState": "Queued",
-			"category": "CommandAndControl",
+            "detectionSource": "WindowsDefenderAv",
-			"threatFamilyName": null,
+            "category": "SuspiciousActivity",
-			"title": "Network connection to a risky host",
+            "threatFamilyName": "Meterpreter",
-			"description": "A network connection was made to a risky host which has exhibited malicious activity.",
+            "title": "Suspicious 'Meterpreter' behavior was detected",
-			"alertCreationTime": "2019-11-03T23:49:45.3823185Z",
+            "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
-			"firstEventTime": "2019-11-03T23:47:16.2288822Z",
+            "alertCreationTime": "2020-07-20T10:53:48.7657932Z",
-			"lastEventTime": "2019-11-03T23:47:51.2966758Z",
+            "firstEventTime": "2020-07-20T10:52:17.6654369Z",
-			"lastUpdateTime": "2019-11-03T23:55:52.6Z",
+            "lastEventTime": "2020-07-20T10:52:18.1362905Z",
+            "lastUpdateTime": "2020-07-20T10:53:50.19Z",
             "resolvedTime": null,
-			"machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
+            "machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",
+            "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+            "rbacGroupName": "MiddleEast",
+            "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+            "relatedUser": {
+                "userName": "temp123",
+                "domainName": "MIDDLEEAST"
+            },
 			"comments": [
 				{
 					"comment": "test comment for docs",
-					"createdBy": "secop@contoso.com",
+					"createdBy": "secop123@contoso.com",
-					"createdTime": "2019-11-05T14:08:37.8404534Z"
+					"createdTime": "2020-07-21T01:00:37.8404534Z"
+				}
+			],
+            "evidence": []
 		}
-		  ]
-        },
 		...
 	]
 }
@@ -134,9 +208,7 @@ HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=riskScore+
 
 **Response:**
 
-```
+```json
-HTTP/1.1 200 OK
-Content-type: application/json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
@@ -175,9 +247,7 @@ HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=healthStat
 
 **Response:**
 
-```
+```json
-HTTP/1.1 200 OK
-Content-type: application/json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
@@ -216,9 +286,7 @@ HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=lastSeen g
 
 **Response:**
 
-```
+```json
-HTTP/1.1 200 OK
-Content-type: application/json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
@@ -257,10 +325,8 @@ HTTP GET  https://api.securitycenter.windows.com/api/machineactions?$filter=requ
 
 **Response:**
 
-```
+```json
-HTTP/1.1 200 OK
+json{
-Content-type: application/json
-{
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
     "value": [
         {
@@ -291,10 +357,7 @@ HTTP GET  https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415
 
 **Response:**
 
-```
+```json
-HTTP/1.1 200 OK
-Content-type: application/json
-
 4
 ```
 

windows/security/threat-protection/microsoft-defender-atp/get-alerts.md

@@ -26,7 +26,11 @@ ms.topic: article
 ## API description
 Retrieves a collection of Alerts.
 <br>Supports [OData V4 queries](https://www.odata.org/documentation/).
-<br>The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
+<br>OData supported operators:
+<br>```$filter``` on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
+<br>```$top``` with max value of 10,000 
+<br>```$skip```
+<br>```$expand``` of ```evidence```
 <br>See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
 
 
@@ -70,14 +74,14 @@ Empty
 If successful, this method returns 200 OK, and a list of [alert](alerts.md) objects in the response body.
 
 
-## Example
+## Example 1 - Default
 
 **Request**
 
 Here is an example of the request.
 
 ```
-GET https://api.securitycenter.windows.com/api/alerts
+GET https://api.securitycenter.microsoft.com/api/alerts
 ```
 
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
@@ -93,41 +97,167 @@ Here is an example of the response.
 
 ```json
 {
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "da637084217856368682_-292920499",
+            "id": "da637308392288907382_-880718168",
-			"incidentId": 66860,
+            "incidentId": 7587,
-			"investigationId": 4416234,
+            "investigationId": 723156,
-			"assignedTo": "secop@contoso.com",
+            "assignedTo": "secop123@contoso.com",
             "severity": "Low",
             "status": "New",
             "classification": "TruePositive",
             "determination": null,
-			"investigationState": "Running",
+            "investigationState": "Queued",
-			"detectionSource": "WindowsDefenderAtp",
+            "detectionSource": "WindowsDefenderAv",
-			"category": "CommandAndControl",
+            "category": "SuspiciousActivity",
-			"threatFamilyName": null,
+            "threatFamilyName": "Meterpreter",
-			"title": "Network connection to a risky host",
+            "title": "Suspicious 'Meterpreter' behavior was detected",
-			"description": "A network connection was made to a risky host which has exhibited malicious activity.",
+            "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
-			"alertCreationTime": "2019-11-03T23:49:45.3823185Z",
+            "alertCreationTime": "2020-07-20T10:53:48.7657932Z",
-			"firstEventTime": "2019-11-03T23:47:16.2288822Z",
+            "firstEventTime": "2020-07-20T10:52:17.6654369Z",
-			"lastEventTime": "2019-11-03T23:47:51.2966758Z",
+            "lastEventTime": "2020-07-20T10:52:18.1362905Z",
-			"lastUpdateTime": "2019-11-03T23:55:52.6Z",
+            "lastUpdateTime": "2020-07-20T10:53:50.19Z",
             "resolvedTime": null,
-			"machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
+            "machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",
+            "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+            "rbacGroupName": "MiddleEast",
+            "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+            "relatedUser": {
+                "userName": "temp123",
+                "domainName": "MIDDLEEAST"
+            },
 			"comments": [
 				{
 					"comment": "test comment for docs",
-					"createdBy": "secop@contoso.com",
+					"createdBy": "secop123@contoso.com",
-					"createdTime": "2019-11-05T14:08:37.8404534Z"
+					"createdTime": "2020-07-21T01:00:37.8404534Z"
 				}
-			]
+			],
+            "evidence": []
 		}
 		...
 	]
 }
 ```
 
+## Example 2 - Get 10 latest Alerts with related Evidence
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
+```
+
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity. All alerts will be returned from an actual call.
+
+
+```json
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
+    "value": [
+		{
+			"id": "da637306396589640224_1753239473",
+			"incidentId": 875832,
+			"investigationId": 478434,
+			"assignedTo": null,
+			"severity": "Low",
+			"status": "New",
+			"classification": null,
+			"determination": null,
+			"investigationState": "PendingApproval",
+			"detectionSource": "WindowsDefenderAv",
+			"category": "UnwantedSoftware",
+			"threatFamilyName": "InstallCore",
+			"title": "An active 'InstallCore' unwanted software was detected",
+			"description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
+			"alertCreationTime": "2020-07-18T03:27:38.9483995Z",
+			"firstEventTime": "2020-07-18T03:25:39.6124549Z",
+			"lastEventTime": "2020-07-18T03:26:18.4362304Z",
+			"lastUpdateTime": "2020-07-18T03:28:19.76Z",
+			"resolvedTime": null,
+			"machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
+			"computerDnsName": "temp2.redmond.corp.microsoft.com",
+			"rbacGroupName": "Ring0",
+			"aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+			"relatedUser": {
+				"userName": "temp2",
+				"domainName": "REDMOND"
+			},
+			"comments": [],
+			"evidence": [
+				{
+					"entityType": "File",
+					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+					"fileName": "Your File Is Ready To Download_1911150169.exe",
+					"filePath": "C:\\Users\\temp2\\Downloads",
+					"processId": null,
+					"processCommandLine": null,
+					"processCreationTime": null,
+					"parentProcessId": null,
+					"parentProcessCreationTime": null,
+					"ipAddress": null,
+					"url": null,
+					"accountName": null,
+					"domainName": null,
+					"userSid": null,
+					"aadUserId": null,
+					"userPrincipalName": null
+				},
+				{
+					"entityType": "Process",
+					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+					"fileName": "Your File Is Ready To Download_1911150169.exe",
+					"filePath": "C:\\Users\\temp2\\Downloads",
+					"processId": 24348,
+					"processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
+					"processCreationTime": "2020-07-18T03:25:38.5269993Z",
+					"parentProcessId": 16840,
+					"parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
+					"ipAddress": null,
+					"url": null,
+					"accountName": null,
+					"domainName": null,
+					"userSid": null,
+					"aadUserId": null,
+					"userPrincipalName": null
+				},
+				{
+					"entityType": "User",
+					"sha1": null,
+					"sha256": null,
+					"fileName": null,
+					"filePath": null,
+					"processId": null,
+					"processCommandLine": null,
+					"processCreationTime": null,
+					"parentProcessId": null,
+					"parentProcessCreationTime": null,
+					"ipAddress": null,
+					"url": null,
+					"accountName": "temp2",
+					"domainName": "REDMOND",
+					"userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
+					"aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
+					"userPrincipalName": "temp2@microsoft.com"
+				}
+			]
+		},
+		...
+	]
+}
+```
+
+
 ## Related topics
 - [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)

windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md

@@ -1,5 +1,5 @@
 ---
-title: Get all vulnerabilities by Machine and Software
+title: Get all vulnerabilities by machine and software
 description: Retrieves a list of all the vulnerabilities affecting the organization by Machine and Software
 keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
 search.product: eADQiWindows 10XVcnh
@@ -16,13 +16,14 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# List vulnerabilities by Machine and Software
+# List vulnerabilities by machine and software
+
 **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Retrieves a list of all the vulnerabilities affecting the organization per [Machine](machine.md) and [Software](software.md).
+Retrieves a list of all the vulnerabilities affecting the organization per [machine](machine.md) and [software](software.md).
-<br>If the vulnerability has a fixing KB, it will appear in the response.
+- If the vulnerability has a fixing KB, it will appear in the response.
-<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
+- Supports [OData V4 queries](https://www.odata.org/documentation/).
-<br>The OData ```$filter``` is supported on all properties.
+- The OData ```$filter``` is supported on all properties.
 
 >[!Tip]
 >This is great API for [Power BI integration](api-power-bi.md).
@@ -100,5 +101,6 @@ Here is an example of the response.
 ```
 
 ## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+
+- [Risk-based threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
 - [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)

windows/security/threat-protection/microsoft-defender-atp/get-machines.md

@@ -26,7 +26,7 @@ ms.topic: article
 ## API description
 Retrieves a collection of [Machines](machine.md) that have communicated with  Microsoft Defender ATP cloud on the last 30 days.
 <br>Supports [OData V4 queries](https://www.odata.org/documentation/).
-<br>The OData's ```$filter``` query is supported on: ```computerDnsName```, ```lastSeen```, ```lastIpAddress```, ```healthStatus```, ```osPlatform```, ```riskScore```, ```rbacGroupId``` and ```machineTags``` properties.
+<br>The OData's ```$filter``` query is supported on: ```computerDnsName```, ```lastSeen```, ```healthStatus```, ```osPlatform```, ```riskScore``` and ```rbacGroupId```.
 <br>See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
 
 

windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md

@@ -29,12 +29,20 @@ Managing incidents is an important part of every cybersecurity operation. You ca
 Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details.
 
 
-![Image of the incidents management pane](images/atp-incidents-mgt-pane.png)
+![Image of the incidents management pane](images/atp-incidents-mgt-pane-updated.png)
 
 You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress.
 
-![Image of incident detail page](images/atp-incident-details-page.png)
+> [!TIP]
+> For additional visibility at-a-glance, automatic incident naming, currently in public preview, generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident.
+>
+> For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
+>
+> Incidents that existed prior the rollout of automatic incident naming will not have their name changed.
+>
+> Learn more about [turning on preview features](preview.md#turn-on-preview-features).
 
+![Image of incident detail page](images/atp-incident-details-updated.png)
 
 ## Assign incidents
 If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.

windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md

@@ -110,6 +110,7 @@ See the following topics for related APIs:
 - [Score APIs](score.md)
 - [Software APIs](software.md)
 - [Vulnerability APIs](vulnerability.md)
+- [List vulnerabilities by machine and software](get-all-vulnerabilities-by-machines.md)
 
 ## Related topics
 

windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md

@@ -94,7 +94,7 @@ From the flyout, you can do any of the following:
 - [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet.
 
 >[!NOTE]
->When a change is made on a device, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center.
+>When a change is made on a device, it typically takes two hours for the data to be reflected in the Microsoft Defender Security Center. However, it may sometimes take longer.
 
 ### Investigate changes in machine exposure or impact
 

windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md

@@ -63,6 +63,17 @@ You can choose to limit the list of incidents shown based on their status to see
 ### Data sensitivity
 Use this filter to show incidents that contain sensitivity labels.
 
+## Incident naming
+
+To understand the incident's scope at-a-glance, automatic incident naming, currently in public preview, generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories.
+
+For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
+
+> [!NOTE]
+> Incidents that existed prior the rollout of automatic incident naming will not have their name changed.
+
+Learn more about [turning on preview features](preview.md#turn-on-preview-features).
+
 ## Related topics
 - [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue)
 - [Manage incidents](manage-incidents.md)