diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index 0d95a0d4e0..7cc627a141 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -29,7 +29,7 @@ ms.topic: article >[!Note] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. >-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 9cb8182798..181ff9b9dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md 
@@ -64,7 +64,7 @@ DeviceEvents You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app: -1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. +1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device. 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index 0a85cb240c..d08c4e2bba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -28,7 +28,7 @@ Creates new [Alert](alerts.md) on top of **Event**.
**Microsoft Defender ATP Event** is required for the alert creation.
You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
You can use an event found in Advanced Hunting API or Portal. -
If there existing an open alert on the same Machine with the same Title, the new created alert will be merged with it. +
If there existing an open alert on the same Device with the same Title, the new created alert will be merged with it.
An automatic investigation starts automatically on alerts created via the API. @@ -48,7 +48,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request @@ -71,7 +71,7 @@ Property | Type | Description :---|:---|:--- eventTime | DateTime(UTC) | The precise time of the event as string, as obtained from advanced hunting. e.g. ```2018-08-03T16:45:21.7115183Z``` **Required**. reportId | String | The reportId of the event, as obtained from advanced hunting. **Required**. -machineId | String | Id of the machine on which the event was identified. **Required**. +machineId | String | Id of the device on which the event was identified. **Required**. severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**. title | String | Title for the alert. **Required**. description | String | Description of the alert. **Required**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index b2fc09e758..c73456bd03 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md 
@@ -23,7 +23,7 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. +Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. > [!NOTE] > To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. 
@@ -36,9 +36,9 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an #### Required columns in the query results To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. -There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine. +There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device. -The sample query below counts the number of unique machines (`DeviceId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. +The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. ```kusto DeviceEvents 
@@ -72,19 +72,19 @@ When saved, a new or edited custom detection rule immediately runs and checks fo Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts. -### 3. Specify actions on files or machines. -Your custom detection rule can automatically take actions on files or machines that are returned by the query. +### 3. Specify actions on files or devices. +Your custom detection rule can automatically take actions on files or devices that are returned by the query. -#### Actions on machines -These actions are applied to machines in the `DeviceId` column of the query results: -- **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network) -- **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines) -- **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the machine -- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the machine +#### Actions on devices +These actions are applied to devices in the `DeviceId` column of the query results: +- **Isolate device** — applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) +- **Collect investigation package** — collects device information in a ZIP file. 
[Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) +- **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the device +- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the device #### Actions on files These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results: -- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected machine groups. This scope is independent of the scope of the rule. +- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule. - **Quarantine file** — deletes the file from its current location and places a copy in quarantine ### 4. Click **Create** to save and turn on the rule. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index 3216d16b87..35e3b7eb95 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md 
@@ -113,7 +113,7 @@ An allowed application or service only has write access to a controlled folder a ### Use Group Policy to allow specific apps -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index 30dd08b49c..13358eb288 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md 
@@ -25,7 +25,7 @@ manager: dansimp Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. -You configure these settings using the Windows Security app on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. +You configure these settings using the Windows Security app on an individual device, and then export the configuration as an XML file that you can deploy to other devices. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. @@ -136,7 +136,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. -Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. +Exporting the configuration as an XML file allows you to copy the configuration from one device onto other devices. ## PowerShell reference 
@@ -145,7 +145,7 @@ Exporting the configuration as an XML file allows you to copy the configuration The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Security. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. >[!IMPORTANT] - >Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overridden. + >Any changes that are deployed to a device through Group Policy will override the local configuration. When setting up an initial configuration, use a device that will not have a Group Policy configuration applied to ensure your changes aren't overridden. You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md index eec05ff19b..c4c4d72473 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md 
@@ -30,16 +30,16 @@ This section covers some of the most frequently asked questions regarding privac ## What data does Microsoft Defender ATP collect? -Microsoft Defender ATP will collect and store information from your configured machines in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. +Microsoft Defender ATP will collect and store information from your configured devices in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. -Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version). +Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and device details (such as device identifiers, names, and the operating system version). Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578). This data enables Microsoft Defender ATP to: - Proactively identify indicators of attack (IOAs) in your organization - Generate alerts if a possible attack was detected -- Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network. +- Provide your security operations with a view into devices, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network. Microsoft does not use your data for advertising. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md index a8b1269d9c..5876d6af46 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md 
@@ -35,12 +35,12 @@ The Microsoft Defender Advanced Threat Protection agent depends on Windows Defen >[!IMPORTANT] >Microsoft Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings. -You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). +You must configure Security intelligence updates on the Microsoft Defender ATP devices whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). -If an onboarded machine is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode. +If an onboarded device is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode. Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client. -The Windows Defender Antivirus interface will be disabled, and users on the machine will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options. +The Windows Defender Antivirus interface will be disabled, and users on the device will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options. For more information, see the [Windows Defender Antivirus and Microsoft Defender ATP compatibility topic](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md index a04a30abf0..5daf2b2aa2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md @@ -33,7 +33,7 @@ There are three phases in deploying Microsoft Defender ATP: The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP. -There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md). +There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md). ## In Scope diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 942f37ced7..8e7931626c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
@@ -73,15 +73,15 @@ The following image shows an instance of unwanted software that was detected and ### Will EDR in block mode have any impact on a user's antivirus protection? -No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Windows Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. +No. EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Windows Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. ### Why do I need to keep Windows Defender Antivirus up to date? -Because Windows Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Windows Defender Antivirus up to date. 
+Because Windows Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Windows Defender Antivirus up to date. ### Why do we need cloud protection on? -Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models. +Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models. ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index f78270d508..98fd86e3f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md 
@@ -34,7 +34,7 @@ You can enable controlled folder access by using any of these methods: * [Group Policy](#group-policy) * [PowerShell](#powershell) -[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine. +[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the device. Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include: @@ -91,7 +91,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt ## Group Policy -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 9c926b6d06..b0cad379e8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md 
@@ -41,9 +41,9 @@ You can enable each mitigation separately by using any of these methods: Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options. -You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines. +You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other devices. -You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. +You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the device. ## Windows Security app @@ -132,7 +132,7 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt ## Group Policy -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index 382f789aa7..f827607d8a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -29,7 +29,7 @@ Enable security information and event management (SIEM) integration so you can p >[!NOTE] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. >- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). ## Prerequisites diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md index 1741fdf531..1d8f56f5e3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md @@ -1,5 +1,5 @@ --- -title: Enable Microsoft Defender ATP Insider Machine +title: Enable Microsoft Defender ATP Insider Device description: Install and use Microsoft Defender ATP for Mac. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh 
@@ -17,9 +17,9 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Enable Microsoft Defender ATP Insider Machine +# Enable Microsoft Defender ATP Insider Device -Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac machine to be an "Insider" machine as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune). +Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune). >[!IMPORTANT] >Make sure you have enabled [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-atp-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md) and [manual deployment](mac-install-manually.md) instructions. @@ -125,7 +125,7 @@ h. Select  **Manage > Assignments**. In the  **Include**  tab, select  * >[!WARNING] >You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product. -## Enable the Insider program manually on a single machine +## Enable the Insider program manually on a single device In terminal, run: 
@@ -145,16 +145,16 @@ For versions earlier than 100.78.0, run: To get the latest version of the Microsoft Defender ATP for Mac, set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate). -To verify you are running the correct version, run ‘mdatp --health’ on the machine. +To verify you are running the correct version, run ‘mdatp --health’ on the device. * The required version is 100.72.15 or later. * If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running ‘defaults read com.microsoft.autoupdate2’ from terminal. * To change update settings use documentation in [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1). * If you are not using Office for Mac, download and run the AutoUpdate tool. -### A machine still does not appear on Microsoft Defender Security Center +### A device still does not appear on Microsoft Defender Security Center -After a successful deployment and onboarding of the correct version, check that the machine has connectivity to the cloud service by running ‘mdatp --connectivity-test’. +After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running ‘mdatp --connectivity-test’. * Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”. diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index a77a399d92..980238995f 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -47,7 +47,7 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode ``` > [!TIP] -> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s). You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md index 1d9da1a791..ae0a15fe7f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md 
@@ -45,7 +45,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode ``` > [!TIP] -> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s). You can also use Group Policy, Intune, MDM, or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). ## Review controlled folder access events in Windows Event Viewer diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md index 83b638059c..bb935d1b6f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md 
@@ -21,9 +21,9 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation. +Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and device configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation. -The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. +The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUM] 
@@ -31,7 +31,7 @@ With the simplified set-up experience, you can focus on running your own test sc You'll have full access to the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP offers. -You can add Windows 10 or Windows Server 2019 machines that come pre-configured to have the latest OS versions and the right security components in place as well as Office 2019 Standard installed. +You can add Windows 10 or Windows Server 2019 devices that come pre-configured to have the latest OS versions and the right security components in place as well as Office 2019 Standard installed. You can also install threat simulators. Microsoft Defender ATP has partnered with industry leading threat simulation platforms to help you test out the Microsoft Defender ATP capabilities without having to leave the portal. @@ -43,7 +43,7 @@ You'll need to fulfill the [licensing requirements](minimum-requirements.md#lice You must have **Manage security settings** permissions to: - Create the lab -- Create machines +- Create devices - Reset password - Create simulations 
@@ -58,12 +58,12 @@ You can access the lab from the menu. In the navigation menu, select **Evaluatio ![Image of the evaluation lab on the menu](images/evaluation-lab-menu.png) >[!NOTE] ->- Each environment is provisioned with a limited set of test machines. ->- Depending the type of environment structure you select, machines will be available for the specified number of hours from the day of activation. ->- When you've used up the provisioned machines, no new machines are provided. A deleted machine does not refresh the available test machine count. ->- Given the limited resources, it’s advisable to use the machines carefully. +>- Each environment is provisioned with a limited set of test devices. +>- Depending the type of environment structure you select, devices will be available for the specified number of hours from the day of activation. +>- When you've used up the provisioned devices, no new devices are provided. A deleted device does not refresh the available test device count. +>- Given the limited resources, it’s advisable to use the devices carefully. -Already have a lab? Make sure to enable the new threat simulators and have active machines. +Already have a lab? Make sure to enable the new threat simulators and have active devices. ## Setup the evaluation lab @@ -71,7 +71,7 @@ Already have a lab? Make sure to enable the new threat simulators and have activ ![Image of the evaluation lab welcome page](images/evaluation-lab-setup.png) -2. Depending on your evaluation needs, you can choose to setup an environment with fewer machines for a longer period or more machines for a shorter period. Select your preferred lab configuration then select **Next**. +2. Depending on your evaluation needs, you can choose to setup an environment with fewer devices for a longer period or more devices for a shorter period. Select your preferred lab configuration then select **Next**. ![Image of lab configuration options](images/lab-creation-page.png) 
@@ -83,28 +83,28 @@ Already have a lab? Make sure to enable the new threat simulators and have activ >[!IMPORTANT] >You'll first need to accept and provide consent to the terms and information sharing statements. -4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the machines you add. +4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the devices you add. ![Image of summary page](images/lab-setup-summary.png) 5. Review the summary and select **Setup lab**. -After the lab setup process is complete, you can add machines and run simulations. +After the lab setup process is complete, you can add devices and run simulations. -## Add machines -When you add a machine to your environment, Microsoft Defender ATP sets up a well-configured machine with connection details. You can add Windows 10 or Windows Server 2019 machines. +## Add devices +When you add a device to your environment, Microsoft Defender ATP sets up a well-configured device with connection details. You can add Windows 10 or Windows Server 2019 devices. -The machine will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals. +The device will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals. >[!TIP] - > Need more machines in your lab? Submit a support ticket to have your request reviewed by the Microsoft Defender ATP team. + > Need more devices in your lab? 
Submit a support ticket to have your request reviewed by the Microsoft Defender ATP team. -If you chose to add a threat simulator during the lab setup, all machines will have the threat simulator agent installed in the machines that you add. +If you chose to add a threat simulator during the lab setup, all devices will have the threat simulator agent installed in the devices that you add. -The machine will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side. +The device will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side. - The following security components are pre-configured in the test machines: + The following security components are pre-configured in the test devices: - [Attack Surface Reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) - [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) 
@@ -116,35 +116,35 @@ The machine will automatically be onboarded to your tenant with the recommended - [Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview) >[!NOTE] -> Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). +> Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the device through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md). >[!NOTE] ->The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections. +>The connection to the test devices is done using RDP. Make sure that your firewall settings allow RDP connections. -1. From the dashboard, select **Add machine**. +1. From the dashboard, select **Add device**. -2. Choose the type of machine to add. You can choose to add Windows 10 or Windows Server 2019. +2. Choose the type of device to add. You can choose to add Windows 10 or Windows Server 2019. 
- ![Image of lab setup with machine options](images/add-machine-options.png) + ![Image of lab setup with device options](images/add-machine-options.png) >[!NOTE] - >If something goes wrong with the machine creation process, you'll be notified and you'll need to submit a new request. If the machine creation fails, it will not be counted against the overall allowed quota. + >If something goes wrong with the device creation process, you'll be notified and you'll need to submit a new request. If the device creation fails, it will not be counted against the overall allowed quota. -3. The connection details are displayed. Select **Copy** to save the password for the machine. +3. The connection details are displayed. Select **Copy** to save the password for the device. >[!NOTE] >The password is only displayed once. Be sure to save it for later use. - ![Image of machine added with connection details](images/add-machine-eval-lab.png) + ![Image of device added with connection details](images/add-machine-eval-lab.png) -4. Machine set up begins. This can take up to approximately 30 minutes. +4. Device set up begins. This can take up to approximately 30 minutes. -5. See the status of test machines, the risk and exposure levels, and the status of simulator installations by selecting the **Machines** tab. +5. See the status of test devices, the risk and exposure levels, and the status of simulator installations by selecting the **Devices** tab. - ![Image of machines tab](images/machines-tab.png) + ![Image of devices tab](images/machines-tab.png) >[!TIP] @@ -153,7 +153,7 @@ Automated investigation settings will be dependent on tenant settings. It will b ## Simulate attack scenarios -Use the test machines to run your own attack simulations by connecting to them. +Use the test devices to run your own attack simulations by connecting to them. You can simulate attack scenarios using: - The ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials) 
@@ -166,11 +166,11 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself" >[!NOTE] ->The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections. +>The connection to the test devices is done using RDP. Make sure that your firewall settings allow RDP connections. -1. Connect to your machine and run an attack simulation by selecting **Connect**. +1. Connect to your device and run an attack simulation by selecting **Connect**. - ![Image of the connect button for test machines](images/test-machine-table.png) + ![Image of the connect button for test devices](images/test-machine-table.png) 2. Save the RDP file and launch it by selecting **Connect**. @@ -179,24 +179,24 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself" >[!NOTE] >If you don't have a copy of the password saved during the initial setup, you can reset the password by selecting **Reset password** from the menu: > ![Image of reset password](images/reset-password-test-machine.png)
- > The machine will change it’s state to “Executing password reset", then you’ll be presented with your new password in a few minutes. + > The device will change it’s state to “Executing password reset", then you’ll be presented with your new password in a few minutes. -3. Enter the password that was displayed during the machine creation step. +3. Enter the password that was displayed during the device creation step. ![Image of window to enter credentials](images/enter-password.png) -4. Run Do-it-yourself attack simulations on the machine. +4. Run Do-it-yourself attack simulations on the device. ### Threat simulator scenarios -If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab machines. +If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab devices. Running threat simulations using third-party platforms is a good way to evaluate Microsoft Defender ATP capabilities within the confines of a lab environment. >[!NOTE] >Before you can run simulations, ensure the following requirements are met: ->- Machines must be added to the evaluation lab +>- Devices must be added to the evaluation lab >- Threat simulators must be installed in the evaluation lab 1. From the portal select **Create simulation**. @@ -249,7 +249,7 @@ Each simulation comes with an in-depth description of the attack scenario and re ## Evaluation report -The lab reports summarize the results of the simulations conducted on the machines. +The lab reports summarize the results of the simulations conducted on the devices. ![Image of the evaluation report](images/eval-report.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md index 2fe02c746b..2ae42ae30e 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md @@ -29,12 +29,12 @@ ms.date: 05/21/2018 -You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual machines. +You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual devices. -For example, if machines are not appearing in the **Machines list**, you might need to look for event IDs on the machines. You can then use this table to determine further troubleshooting steps. +For example, if devices are not appearing in the **Devices list**, you might need to look for event IDs on the devices. You can then use this table to determine further troubleshooting steps. > [!NOTE] -> It can take several days for machines to begin reporting to the Microsoft Defender ATP service. +> It can take several days for devices to begin reporting to the Microsoft Defender ATP service. **Open Event Viewer and find the Microsoft Defender ATP service event log:** @@ -67,7 +67,7 @@ For example, if machines are not appearing in the **Machines list**, you might n 2 Microsoft Defender Advanced Threat Protection service shutdown. -Occurs when the machine is shut down or offboarded. +Occurs when the device is shut down or offboarded. Normal operating notification; no action required. @@ -93,17 +93,17 @@ The service could not contact the external processing servers at that URL. 6 Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. -The machine did not onboard correctly and will not be reporting to the portal. +The device did not onboard correctly and will not be reporting to the portal. Onboarding must be run before starting the service.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 7 Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: variable. -Variable = detailed error description. The machine did not onboard correctly and will not be reporting to the portal. +Variable = detailed error description. The device did not onboard correctly and will not be reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 8 @@ -111,28 +111,28 @@ See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 9 Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable. -During onboarding: The machine did not onboard correctly and will not be reporting to the portal.

During offboarding: Failed to change the service start type. The offboarding process continues. +During onboarding: The device did not onboard correctly and will not be reporting to the portal.

During offboarding: Failed to change the service start type. The offboarding process continues. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 10 Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable. -The machine did not onboard correctly and will not be reporting to the portal. +The device did not onboard correctly and will not be reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 11 Onboarding or re-onboarding of Microsoft Defender Advanced Threat Protection service completed. -The machine onboarded correctly. +The device onboarded correctly. Normal operating notification; no action required.
-It may take several hours for the machine to appear in the portal. +It may take several hours for the device to appear in the portal. 12 @@ -142,7 +142,7 @@ It may take several hours for the machine to appear in the portal. 13 -Microsoft Defender Advanced Threat Protection machine ID calculated: variable. +Microsoft Defender Advanced Threat Protection device ID calculated: variable. Normal operating process. Normal operating notification; no action required. @@ -159,7 +159,7 @@ The service could not contact the external processing servers at that URL. An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 18 @@ -183,25 +183,25 @@ If this error persists after a system restart, ensure all Windows updates have f 25 Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: variable. -The machine did not onboard correctly. +The device did not onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 26 Microsoft Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: variable. -The machine did not onboard correctly.
+The device did not onboard correctly.
It will report to the portal, however the service may not appear as registered in SCCM or the registry. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 27 Microsoft Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: variable. -Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP. +Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Microsoft Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines.
+See Onboard Windows 10 devices.
Ensure real-time antimalware protection is running properly. @@ -210,20 +210,20 @@ Ensure real-time antimalware protection is running properly. An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 29 Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 This event occurs when the system can't read the offboarding parameters. -Ensure the machine has Internet access, then run the entire offboarding process again. Ensure the offboarding package has not expired. +Ensure the device has Internet access, then run the entire offboarding process again. Ensure the offboarding package has not expired. 30 Microsoft Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: variable. -Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP. +Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Microsoft Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines
+See Onboard Windows 10 devices
Ensure real-time antimalware protection is running properly. @@ -236,14 +236,14 @@ Ensure real-time antimalware protection is running properly. 32 Microsoft Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1 An error occurred during offboarding. -Reboot the machine. +Reboot the device. 33 Microsoft Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: variable. -A unique identifier is used to represent each machine that is reporting to the portal.
-If the identifier does not persist, the same machine might appear twice in the portal. -Check registry permissions on the machine to ensure the service can update the registry. +A unique identifier is used to represent each device that is reporting to the portal.
+If the identifier does not persist, the same device might appear twice in the portal. +Check registry permissions on the device to ensure the service can update the registry. 34 @@ -251,7 +251,7 @@ If the identifier does not persist, the same machine might appear twice in the p An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 35 @@ -269,31 +269,31 @@ See [!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md index 4fa6891d4f..5fed8ccf11 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md @@ -1,7 +1,7 @@ --- title: Get machines security states collection API -description: Retrieve a collection of machine security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP. -keywords: apis, graph api, supported apis, get, machine, security, state +description: Retrieve a collection of device security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP. +keywords: apis, graph api, supported apis, get, device, security, state search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -23,7 +23,7 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Retrieves a collection of machines security states. +Retrieves a collection of devices security states. ## Permissions User needs read permissions. @@ -60,7 +60,7 @@ Content-type: application/json **Response** Here is an example of the response. -Field *id* contains machine id and equal to the field *id** in machines info. +Field *id* contains device id and equal to the field *id** in devices info. ``` HTTP/1.1 200 OK diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md index 86ce1c9e6a..3b41ca66ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md @@ -1,7 +1,7 @@ --- -title: Get missing KBs by machine ID -description: Retrieves missing KBs by machine Id -keywords: apis, graph api, supported apis, get, list, file, information, machine id, threat & vulnerability management api, mdatp tvm api +title: Get missing KBs by device ID +description: Retrieves missing KBs by device Id +keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy 
@@ -16,13 +16,13 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get missing KBs by machine ID +# Get missing KBs by device ID **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Retrieves missing KBs by machine Id +Retrieves missing KBs by device Id ## HTTP request @@ -42,7 +42,7 @@ Empty ## Response -If successful, this method returns 200 OK, with the specified machine missing kb data in the body. +If successful, this method returns 200 OK, with the specified device missing kb data in the body. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index 986c832afc..3ecec47c0d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md @@ -38,7 +38,7 @@ Delegated (work or school account) | Machine.CollectForensics | 'Collect forensi >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md index 449efaf986..9c2965fd9c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md @@ -1,7 +1,7 @@ --- -title: List machines by recommendation -description: Retrieves a list of machines associated with the security recommendation. -keywords: apis, graph api, supported apis, get, security recommendation for vulnerable machines, threat and vulnerability management, threat and vulnerability management api +title: List devices by recommendation +description: Retrieves a list of devices associated with the security recommendation. +keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -16,13 +16,13 @@ ms.collection: M365-security-compliance ms.topic: article --- -# List machines by recommendation +# List devices by recommendation **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](../../includes/prerelease.md)] -Retrieves a list of machines associated with the security recommendation. +Retrieves a list of devices associated with the security recommendation. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. 
@@ -48,7 +48,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful, this method returns 200 OK with the list of machines associated with the security recommendation. +If successful, this method returns 200 OK with the list of devices associated with the security recommendation. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md index 61ca64ff6b..67e29e0532 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md @@ -1,7 +1,7 @@ --- title: Get security recommendations -description: Retrieves a collection of security recommendations related to a given machine ID. -keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per machine, threat & vulnerability management api, mdatp tvm api +description: Retrieves a collection of security recommendations related to a given device ID. +keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -22,7 +22,7 @@ ms.topic: article [!include[Prerelease information](../../includes/prerelease.md)] -Retrieves a collection of security recommendations related to a given machine ID. +Retrieves a collection of security recommendations related to a given device ID. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md index c57fe74368..2276c784bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md @@ -1,6 +1,6 @@ --- title: Get software by Id -description: Retrieves a list of exposure scores by machine group. +description: Retrieves a list of exposure scores by device group. keywords: apis, graph api, supported apis, get, software, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index b2e2bce19f..0a052683b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -44,7 +44,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index ec84fa1f38..e55f0b9188 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -1,6 +1,6 @@ --- title: Get user related machines API -description: Retrieves a collection of machines related to a given user ID. +description: Retrieves a collection of devices related to a given user ID. keywords: apis, graph api, supported apis, get, user, user related alerts search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -24,7 +24,7 @@ ms.topic: article ## API description -Retrieves a collection of machines related to a given user ID. +Retrieves a collection of devices related to a given user ID. ## Limitations @@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- Response will include only devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ```
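Review bot: In the hunk at the top of this section (the security-states API response text), the renamed line "Field *id* contains device id and equal to the field *id** in devices info." carries over an unbalanced `*id**` emphasis marker and a missing verb; since the line is being rewritten anyway, suggest "Field *id* contains the device ID and is equal to the field *id* in the devices info." The sentence above it, "Retrieves a collection of devices security states.", reads better as "devices' security states".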
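Review bot: In the get-missing-kbs-machine.md hunks the rename leaves casing inconsistent across the page: the title says "device ID", the description and body text say "device Id", and the response line says "missing kb data". Suggest "device ID" and "KB" throughout, matching the title. The file name keeps "machine", which is expected here since resource and permission identifiers (see the `Machine.CollectForensics` and `Machine.ReadWrite` context lines later in this patch) are deliberately not renamed.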
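Review bot: In the get-package-sas-uri.md hunk the link text becomes "Create and manage device groups" while the target stays machine-groups.md; that is fine for the link itself, but please confirm that the heading of machine-groups.md was renamed in the same way so that link text and target page title do not diverge. The same applies to the identical link edits in the get-user-related-alerts.md and get-user-related-machines.md hunks.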
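Review bot: In the get-software-by-id.md hunk the description is renamed but still does not describe the page: the title is "Get software by Id" while the description reads "Retrieves a list of exposure scores by device group.", which looks copied from the exposure-score page. Since this line is touched anyway, replace it with a description of the software lookup (for example "Retrieves software details by Id") rather than carrying the mismatch forward.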
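Review bot: In the get-user-related-alerts.md hunk the renamed note line keeps the original grammar problems: "Response will include only alerts, associated with devices, that the user have access to, based on device group settings" should read "The response will include only alerts associated with devices that the user has access to, based on device group settings" (drop the two stray commas, "have" to "has").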
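Review bot: In the get-user-related-machines.md front-matter hunk the title "Get user related machines API" is left unchanged while the description directly beneath it is renamed to "devices"; the other files in this patch (get-missing-kbs-machine.md, get-recommendation-machines.md) rename both title and description. Either rename the title here as well, since titles and H1s are user-facing text rather than API identifiers, or note why this one stays.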