Merge branch 'master' into siosulli-wps

windows/deployment/update/waas-delivery-optimization.md

@@ -141,11 +141,11 @@ For the payloads (optional):
 **How does Delivery Optimization handle VPNs?**
 Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
 
-If the connection is identified as a VPN, Delivery Optimization will not use any peer-to-peer activity. However, you can allow peer-to-peer activity over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn)	policy.
+If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn)	policy.
 
-If you have defined a boundary group in Configuration Manager and have for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN.
+If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected via VPN, it can still leverage peer-to-peer with the default of LAN.
 
-With split tunnelling, it's best to exclude the boundary group for the VPN devices to exclude it from using peer-to-peer. (In this case, those devices won't get the policy and will default to using LAN.) If you're using split tunnelling, you should allow direct access for these endpoints:
+With split tunneling, make sure to allow direct access to these endpoints:
 
 Delivery Optimization service endpoint:
 - `https://*.prod.do.dsp.mp.microsoft.com`
@@ -161,7 +161,7 @@ Windows Update and Microsoft Store backend services and Windows Update and Micro
 - `https://*.update.microsoft.com`
 - `https://tsfe.trafficshaping.dsp.mp.microsoft.com`
 
-For more information about this if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
+For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
 
 ## Troubleshooting
 

windows/security/threat-protection/TOC.md

@@ -20,6 +20,13 @@
 ### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
 ### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md)
 
+## [Migration guides]()
+### [Migrate from Symantec to Microsoft Defender ATP]()
+#### [Get an overview of migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md)
+#### [Prepare for your migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md)
+#### [Set up Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md)
+#### [Onboard to Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md)
+
 ## [Security administration]()
 ### [Threat & Vulnerability Management]()
 #### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
@@ -575,7 +582,6 @@
 ###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
 ###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
 
-
 #### [Raw data streaming API]()
 ##### [Raw data streaming](microsoft-defender-atp/raw-data-export.md)
 ##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
@@ -590,7 +596,6 @@
 ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
 ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
 
-
 #### [Partners & APIs]()
 ##### [Partner applications](microsoft-defender-atp/partner-applications.md)
 ##### [Connected applications](microsoft-defender-atp/connected-applications.md)

windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md

@@ -31,7 +31,7 @@ This subcategory contains events about issued TGSs and failed TGS requests.
 
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
 |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF              | Yes             | Yes              | Yes              | Expected volume is very high on domain controllers.<br><br>IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
+| Domain Controller | IF              | Yes             | Yes              | Yes              | Expected volume is very high on domain controllers.<br><br>IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see our [***Security Monitoring Recommendations***](https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events).<br /><br />We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
 | Member Server     | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
 | Workstation       | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
 
@@ -42,4 +42,3 @@ This subcategory contains events about issued TGSs and failed TGS requests.
 -   [4770](event-4770.md)(S): A Kerberos service ticket was renewed.
 
 -   [4773](event-4773.md)(F): A Kerberos service ticket request failed.
-

windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md

@@ -54,7 +54,7 @@ You can disable the automatic exclusion lists with Group Policy, PowerShell cmdl
 
 ### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019
 
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). Right-click the Group Policy Object you want to configure, and then click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**.
 
 2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.
 
@@ -72,18 +72,18 @@ Set-MpPreference -DisableAutoExclusions $true
 
 [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).
 
-[Use PowerShell with Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
+[Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/).
 
 ### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019
 
-Use the **Set** method of the [MSFT_MpPreference](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
+Use the **Set** method of the [MSFT_MpPreference](https://docs.microsoft.com/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties:
 
 ```WMI
 DisableAutoExclusions
 ```
 
 See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+- [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
 
 ## List of automatic exclusions
 
@@ -95,110 +95,110 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
 
 #### Windows "temp.edb" files
 
-- *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb
+- `%windir%\SoftwareDistribution\Datastore\*\tmp.edb`
 
-- *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log
+- `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log`
 
 #### Windows Update files or Automatic Update files
 
-- *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb
+- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb`
 
-- *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk
+- `%windir%\SoftwareDistribution\Datastore\*\edb.chk`
 
-- *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log
+- `%windir%\SoftwareDistribution\Datastore\*\edb\*.log`
 
-- *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs
+- `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs`
 
-- *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log
+- `%windir%\SoftwareDistribution\Datastore\*\Res\*.log`
 
 #### Windows Security files
 
-- *%windir%*\Security\database\\*.chk
+- `%windir%\Security\database\*.chk`
 
-- *%windir%*\Security\database\\*.edb
+- `%windir%\Security\database\*.edb`
 
-- *%windir%*\Security\database\\*.jrs
+- `%windir%\Security\database\*.jrs`
 
-- *%windir%*\Security\database\\*.log
+- `%windir%\Security\database\*.log`
 
-- *%windir%*\Security\database\\*.sdb
+- `%windir%\Security\database\*.sdb`
 
 #### Group Policy files
 
-- *%allusersprofile%*\NTUser.pol
+- `%allusersprofile%\NTUser.pol`
 
-- *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol
+- `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol`
 
-- *%SystemRoot%*\System32\GroupPolicy\User\registry.pol
+- `%SystemRoot%\System32\GroupPolicy\User\registry.pol`
 
 #### WINS files
 
-- *%systemroot%*\System32\Wins\\*\\\*.chk
+- `%systemroot%\System32\Wins\*\*.chk`
 
-- *%systemroot%*\System32\Wins\\*\\\*.log
+- `%systemroot%\System32\Wins\*\*.log`
 
-- *%systemroot%*\System32\Wins\\*\\\*.mdb
+- `%systemroot%\System32\Wins\*\*.mdb`
 
-- *%systemroot%*\System32\LogFiles\
+- `%systemroot%\System32\LogFiles\`
 
-- *%systemroot%*\SysWow64\LogFiles\
+- `%systemroot%\SysWow64\LogFiles\`
 
 #### File Replication Service (FRS) exclusions
 
 - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
 
-  - *%windir%*\Ntfrs\jet\sys\\*\edb.chk
+  - `%windir%\Ntfrs\jet\sys\*\edb.chk`
 
-  - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb
+  - `%windir%\Ntfrs\jet\*\Ntfrs.jdb`
 
-  - *%windir%*\Ntfrs\jet\log\\*\\\*.log
+  - `%windir%\Ntfrs\jet\log\*\*.log`
 
-- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`
+- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory`
 
-  - *%windir%*\Ntfrs\\*\Edb\*.log
+  - `%windir%\Ntfrs\*\Edb\*.log`
 
-- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
+- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
 
-  - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\
+  - `%systemroot%\Sysvol\*\Nntfrs_cmp*\`
 
 - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
 
-  - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\
+  - `%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\`
 
-- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
+- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
 
   > [!NOTE]
-  > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus#opt-out-of-automatic-exclusions). 
+  > For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions).
 
-  - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
+  - `%systemdrive%\System Volume Information\DFSR\$db_normal$`
 
-  - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*
+  - `%systemdrive%\System Volume Information\DFSR\FileIDTable_*`
 
-  - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*
+  - `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*`
 
-  - *%systemdrive%*\System Volume Information\DFSR\\*.XML
+  - `%systemdrive%\System Volume Information\DFSR\*.XML`
 
-  - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$
+  - `%systemdrive%\System Volume Information\DFSR\$db_dirty$`
 
-  - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$
+  - `%systemdrive%\System Volume Information\DFSR\$db_clean$`
 
-  - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$
+  - `%systemdrive%\System Volume Information\DFSR\$db_lostl$`
 
-  - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db
+  - `%systemdrive%\System Volume Information\DFSR\Dfsr.db`
 
-  - *%systemdrive%*\System Volume Information\DFSR\\*.frx
+  - `%systemdrive%\System Volume Information\DFSR\*.frx`
 
-  - *%systemdrive%*\System Volume Information\DFSR\\*.log
+  - `%systemdrive%\System Volume Information\DFSR\*.log`
 
-  - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs
+  - `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs`
 
-  - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb
+  - `%systemdrive%\System Volume Information\DFSR\Tmp.edb`
 
 #### Process exclusions
 
-- *%systemroot%*\System32\dfsr.exe
+- `%systemroot%\System32\dfsr.exe`
 
-- *%systemroot%*\System32\dfsrs.exe
+- `%systemroot%\System32\dfsrs.exe`
 
 #### Hyper-V exclusions
 
@@ -206,59 +206,59 @@ This section lists the file type exclusions, folder exclusions, and process excl
 
 - File type exclusions:
 
-  - *.vhd
+  - `*.vhd`
 
-  - *.vhdx
+  - `*.vhdx`
 
-  - *.avhd
+  - `*.avhd`
 
-  - *.avhdx
+  - `*.avhdx`
 
-  - *.vsv
+  - `*.vsv`
 
-  - *.iso
+  - `*.iso`
 
-  - *.rct
+  - `*.rct`
 
-  - *.vmcx
+  - `*.vmcx`
 
-  - *.vmrs
+  - `*.vmrs`
 
 - Folder exclusions:
 
-  - *%ProgramData%*\Microsoft\Windows\Hyper-V
+  - `%ProgramData%\Microsoft\Windows\Hyper-V`
 
-  - *%ProgramFiles%*\Hyper-V
+  - `%ProgramFiles%\Hyper-V`
 
-  - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
+  - `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots`
 
-  - *%Public%*\Documents\Hyper-V\Virtual Hard Disks
+  - `%Public%\Documents\Hyper-V\Virtual Hard Disks`
 
 - Process exclusions:
 
-  - *%systemroot%*\System32\Vmms.exe
+  - `%systemroot%\System32\Vmms.exe`
 
-  -   *%systemroot%*\System32\Vmwp.exe
+  - `%systemroot%\System32\Vmwp.exe`
 
 #### SYSVOL files
 
-- *%systemroot%*\Sysvol\Domain\\*.adm
+- `%systemroot%\Sysvol\Domain\*.adm`
 
-- *%systemroot%*\Sysvol\Domain\\*.admx
+- `%systemroot%\Sysvol\Domain\*.admx`
 
-- *%systemroot%*\Sysvol\Domain\\*.adml
+- `%systemroot%\Sysvol\Domain\*.adml`
 
-- *%systemroot%*\Sysvol\Domain\Registry.pol
+- `%systemroot%\Sysvol\Domain\Registry.pol`
 
-- *%systemroot%*\Sysvol\Domain\\*.aas
+- `%systemroot%\Sysvol\Domain\*.aas`
 
-- *%systemroot%*\Sysvol\Domain\\*.inf
+- `%systemroot%\Sysvol\Domain\*.inf`
 
-- *%systemroot%*\Sysvol\Domain\\*.Scripts.ini
+- `%systemroot%\Sysvol\Domain\*.Scripts.ini`
 
-- *%systemroot%*\Sysvol\Domain\\*.ins
+- `%systemroot%\Sysvol\Domain\*.ins`
 
-- *%systemroot%*\Sysvol\Domain\Oscfilter.ini
+- `%systemroot%\Sysvol\Domain\Oscfilter.ini`
 
 ### Active Directory exclusions
 
@@ -268,51 +268,51 @@ This section lists the exclusions that are delivered automatically when you inst
 
 The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
 
-- %windir%\Ntds\ntds.dit
+- `%windir%\Ntds\ntds.dit`
 
-- %windir%\Ntds\ntds.pat
+- `%windir%\Ntds\ntds.pat`
 
 #### The AD DS transaction log files
 
 The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
 
-- %windir%\Ntds\EDB*.log
+- `%windir%\Ntds\EDB*.log`
 
-- %windir%\Ntds\Res*.log
+- `%windir%\Ntds\Res*.log`
 
-- %windir%\Ntds\Edb*.jrs
+- `%windir%\Ntds\Edb*.jrs`
 
-- %windir%\Ntds\Ntds*.pat
+- `%windir%\Ntds\Ntds*.pat`
 
-- %windir%\Ntds\TEMP.edb
+- `%windir%\Ntds\TEMP.edb`
 
 #### The NTDS working folder
 
 This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
 
-- %windir%\Ntds\Temp.edb
+- `%windir%\Ntds\Temp.edb`
 
-- %windir%\Ntds\Edb.chk
+- `%windir%\Ntds\Edb.chk`
 
 #### Process exclusions for AD DS and AD DS-related support files
 
-- %systemroot%\System32\ntfrs.exe
+- `%systemroot%\System32\ntfrs.exe`
 
-- %systemroot%\System32\lsass.exe
+- `%systemroot%\System32\lsass.exe`
 
 ### DHCP Server exclusions
 
 This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
 
-- *%systemroot%*\System32\DHCP\\*\\\*.mdb
+- `%systemroot%\System32\DHCP\*\*.mdb`
 
-- *%systemroot%*\System32\DHCP\\*\\\*.pat
+- `%systemroot%\System32\DHCP\*\*.pat`
 
-- *%systemroot%*\System32\DHCP\\*\\\*.log
+- `%systemroot%\System32\DHCP\*\*.log`
 
-- *%systemroot%*\System32\DHCP\\*\\\*.chk
+- `%systemroot%\System32\DHCP\*\*.chk`
 
-- *%systemroot%*\System32\DHCP\\*\\\*.edb
+- `%systemroot%\System32\DHCP\*\*.edb`
 
 ### DNS Server exclusions
 
@@ -320,27 +320,27 @@ This section lists the file and folder exclusions and the process exclusions tha
 
 #### File and folder exclusions for the DNS Server role
 
-- *%systemroot%*\System32\Dns\\*\\\*.log
+- `%systemroot%\System32\Dns\*\*.log`
 
-- *%systemroot%*\System32\Dns\\*\\\*.dns
+- `%systemroot%\System32\Dns\*\*.dns`
 
-- *%systemroot%*\System32\Dns\\*\\\*.scc
+- `%systemroot%\System32\Dns\*\*.scc`
 
-- *%systemroot%*\System32\Dns\\*\BOOT
+- `%systemroot%\System32\Dns\*\BOOT`
 
 #### Process exclusions for the DNS Server role
 
-- *%systemroot%*\System32\dns.exe
+- `%systemroot%\System32\dns.exe`
 
 ### File and Storage Services exclusions
 
 This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
 
-- *%SystemDrive%*\ClusterStorage
+- `%SystemDrive%\ClusterStorage`
 
-- *%clusterserviceaccount%*\Local Settings\Temp
+- `%clusterserviceaccount%\Local Settings\Temp`
 
-- *%SystemDrive%*\mscs
+- `%SystemDrive%\mscs`
 
 ### Print Server exclusions
 
@@ -348,19 +348,19 @@ This section lists the file type exclusions, folder exclusions, and the process
 
 #### File type exclusions
 
-- *.shd
+- `*.shd`
 
-- *.spl
+- `*.spl`
 
 #### Folder exclusions
 
 This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
 
-- *%system32%*\spool\printers\\*
+- `%system32%\spool\printers\*`
 
 #### Process exclusions
 
-- spoolsv.exe
+- `spoolsv.exe`
 
 ### Web Server exclusions
 
@@ -368,35 +368,35 @@ This section lists the folder exclusions and the process exclusions that are del
 
 #### Folder exclusions
 
-- *%SystemRoot%*\IIS Temporary Compressed Files
+- `%SystemRoot%\IIS Temporary Compressed Files`
 
-- *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files
+- `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files`
 
-- *%SystemDrive%*\inetpub\temp\ASP Compiled Templates
+- `%SystemDrive%\inetpub\temp\ASP Compiled Templates`
 
-- *%systemDrive%*\inetpub\logs
+- `%systemDrive%\inetpub\logs`
 
-- *%systemDrive%*\inetpub\wwwroot
+- `%systemDrive%\inetpub\wwwroot`
 
 #### Process exclusions
 
-- *%SystemRoot%*\system32\inetsrv\w3wp.exe
+- `%SystemRoot%\system32\inetsrv\w3wp.exe`
 
-- *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe
+- `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe`
 
-- *%SystemDrive%*\PHP5433\php-cgi.exe
+- `%SystemDrive%\PHP5433\php-cgi.exe`
 
 ### Windows Server Update Services exclusions
 
 This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
 
-- *%systemroot%*\WSUS\WSUSContent
+- `%systemroot%\WSUS\WSUSContent`
 
-- *%systemroot%*\WSUS\UpdateServicesDBFiles
+- `%systemroot%\WSUS\UpdateServicesDBFiles`
 
-- *%systemroot%*\SoftwareDistribution\Datastore
+- `%systemroot%\SoftwareDistribution\Datastore`
 
-- *%systemroot%*\SoftwareDistribution\Download
+- `%systemroot%\SoftwareDistribution\Download`
 
 ## Related articles
 

windows/security/threat-protection/microsoft-defender-atp/android-configure.md

@@ -29,7 +29,7 @@ Directory enables enforcing Device compliance and Conditional Access policies
 based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense
 (MTD) solution that you can deploy to leverage this capability via Intune.
 
-For more infomation on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
+For more information on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
 Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android).
 
 
@@ -43,7 +43,7 @@ Microsoft Defender ATP for Android enables admins to configure custom indicators
 ## Configure web protection
 Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
 
-For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
+For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android).
 
 ## Related topics
 - [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)

windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md

@@ -0,0 +1,55 @@
+---
+title: Migrate from Symantec to Microsoft Defender ATP
+description: Make the switch from Symantec to Microsoft Defender ATP
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Migrate from Symantec to Microsoft Defender Advanced Threat Protection
+
+If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP), you're in the right place. Use this article as a guide to plan your migration.  
+
+## The migration process
+
+When you switch from Symantec to Microsoft Defender ATP, you follow a process that can be divided into three phases, as depicted in the following image:
+
+:::image type="content" source="images/SymantecMigration-DefenderATP-overview.png" alt-text="Phase 1 - Prepare. Phase 2 - Setup. Phase 3 - Onboard":::
+
+- During the [**Prepare** phase](symantec-to-microsoft-defender-atp-prepare.md), you get Microsoft Defender ATP, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender ATP.
+
+- During the [**Setup** phase](symantec-to-microsoft-defender-atp-setup.md), you configure settings and exclusions for Microsoft Defender Antivirus, Microsoft Defender ATP, and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.
+
+- During the [**Onboard** phase](symantec-to-microsoft-defender-atp-onboard.md), you onboard your devices to Microsoft Defender ATP and verify that those devices are communicating with Microsoft Defender ATP. Last, you uninstall Symantec and make sure protection through Microsoft Defender ATP is in place.
+
+## What's included in Microsoft Defender ATP?
+
+In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender ATP. However, Microsoft Defender ATP includes much more than antivirus and endpoint protection. Microsoft Defender ATP is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender ATP. 
+
+| Feature/Capability | Description |
+|---|---|
+| [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & Vulnerability Management capabilities helps identify, assess, and remediate weaknesses across your endpoints (such as devices). |
+| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
+| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
+| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches.  |
+| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
+| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
+| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
+| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
+
+**Want to learn more? See [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection).**
+
+## Next step
+
+- Proceed to [Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md).

windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md

@@ -0,0 +1,100 @@
+---
+title: Phase 3 - Onboard to Microsoft Defender ATP
+description: Make the switch from Symantec to Microsoft Defender ATP
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Migrate from Symantec - Phase 3: Onboard to Microsoft Defender ATP
+
+:::image type="content" source="images/SymantecMigration-DefenderATP-phase3.png" alt-text="Phase 3: Onboard":::
+
+**Welcome to Phase 3 of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This migration phase includes the following steps:
+
+1. [Onboard devices to Microsoft Defender ATP](#onboard-devices-to-microsoft-defender-atp).
+2. [Run a detection test](#run-a-detection-test).
+3. [Uninstall Symantec](#uninstall-symantec).
+4. [Make sure Microsoft Defender ATP is in active mode](#make-sure-microsoft-defender-atp-is-in-active-mode).
+
+## Onboard devices to Microsoft Defender ATP
+
+1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
+
+2. Choose **Settings** > **Device management** > **Onboarding**. 
+
+3. In the **Select operating system to start onboarding process** list, select an operating system. 
+
+4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods).
+
+### Onboarding methods
+ 
+Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding.
+
+|Operating system  |Method  |
+|---------|---------|
+|Windows 10     |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)<br/>- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)<br/>- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)<br/>- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script) <br/><br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune.         |
+|Windows 8.1 Enterprise <br/>Windows 8.1 Pro <br/>Windows 7 SP1 Enterprise <br/>Windows 7 SP1 Pro     | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)<br/><br/>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).        |
+|Windows Server 2019 and later <br/>Windows Server 2019 core edition <br/>Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script) <br/>- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp) <br/>- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) <br/>- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-machines-using-earlier-versions-of-system-center-configuration-manager) <br/>- [VDI onboarding scripts for non-persistent machines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi) <br/><br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune.    |
+|Windows Server 2016 <br/>Windows Server 2012 R2 <br/>Windows Server 2008 R2 SP1  |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)<br/>- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
+|macOS<br/>iOS<br/>Linux |[Onboard non-Windows machines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows)  |
+
+## Run a detection test
+
+To verify that your onboarded devices are properly connected to Microsoft Defender ATP, you can run a detection test.
+
+
+|Operating system  |Guidance  |
+|---------|---------|
+|- Windows 10 <br/>- Windows Server 2019 <br/>- Windows Server, version 1803 <br/>- Windows Server 2016 <br/>- Windows Server 2012 R2     |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test). <br/><br/>Visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario.         |
+|macOS<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave)<br/>- 10.13 (High Sierra)     |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <br/><br/>For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac).        |
+|Linux:<br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <br/><br/>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <br/><br/>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <br/><br/>For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). |
+
+## Uninstall Symantec
+
+Now that you have onboarded your organization's devices to Microsoft Defender ATP, your next step is to uninstall Symantec.
+
+1. [Disable Tamper Protection](https://knowledge.broadcom.com/external/article?legacyId=tech192023) in Symantec.
+
+2. Delete the uninstall password for Symantec:
+   1. On your Windows devices, open Registry Editor as an administrator.
+   2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`.
+   3. Look for an entry named **SmcInstData**. Right-click the item, and then choose **Delete**. 
+
+3. Remove Symantec from your devices. You can use SEP Manager to perform this task. See [Configuring client packages to uninstall existing security software](https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Managing-a-custom-installation/preparing-for-client-installation-v16742985-d21e7/configuring-client-packages-to-uninstall-existing-v73569396-d21e2634.html).
+  
+
+> [!TIP]
+> Need help? See the following Broadcom resources: 
+> - [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html).
+> -  Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040).
+> - macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387).
+> - Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054). 
+
+## Make sure Microsoft Defender ATP is in active mode
+
+Now that you have uninstalled Symantec, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode.
+
+To do this, visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
+- Cloud-delivered protection
+- Potentially Unwanted Applications (PUA)
+- Network Protection (NP)
+
+## Next steps
+
+**Congratulations**! You have completed your [migration from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)! 
+
+- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). 
+
+- To learn more about Microsoft Defender ATP and how to configure or adjust various features and capabilities, see [Microsoft Defender ATP documentation](https://docs.microsoft.com/windows/security/threat-protection). 

windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md

@@ -0,0 +1,82 @@
+---
+title: Phase 1 - Prepare for your migration to Microsoft Defender ATP
+description: Phase 1 of "Make the switch from Symantec to Microsoft Defender ATP". Prepare for your migration.
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Migrate from Symantec - Phase 1: Prepare for your migration
+
+:::image type="content" source="images/SymantecMigration-DefenderATP-phase1.png" alt-text="Prepare to migrate":::
+
+**Welcome to the Prepare phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. 
+
+This migration phase includes the following steps:
+1. [Get Microsoft Defender ATP](#get-microsoft-defender-atp).
+2. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
+3. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
+
+## Get Microsoft Defender ATP
+
+To get started, you must have Microsoft Defender ATP, with licenses assigned and provisioned.
+
+1. Buy or try Microsoft Defender ATP today. [Visit Microsoft Defender ATP to start a free trial or request a quote](https://aka.ms/mdatp). 
+
+2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
+
+3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender ATP. See [Microsoft Defender ATP setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
+
+4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender ATP setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
+ 
+At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). 
+
+> [!NOTE]
+> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender ATP portal. 
+
+## Grant access to the Microsoft Defender Security Center
+
+The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender ATP. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
+
+Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
+
+1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control).
+
+2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
+
+    If your organization requires a method other than Intune, choose one of the following options:
+    - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
+    - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm)
+    - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview)
+
+3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)).
+
+## Configure device proxy and internet connectivity settings
+
+To enable communication between your devices and Microsoft Defender ATP, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
+
+|Capabilities  | Operating System | Resources |
+|--|--|--|
+|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information) <br/>- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)  |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
+|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016) <br/>- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
+|EDR  |macOS: <br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) <br/>- 10.13 (High Sierra)  |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
+|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information) <br/>- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) <br/>- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)<br/> |
+|Antivirus |macOS: <br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) <br/>- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
+|Antivirus |Linux: <br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) 
+
+## Next step
+
+**Congratulations**! You have completed the **Prepare** phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
+
+- [Proceed to set up Microsoft Defender ATP](symantec-to-microsoft-defender-atp-setup.md).

windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md

@@ -0,0 +1,204 @@
+---
+title: Phase 2 - Set up Microsoft Defender ATP
+description: Phase 2 - Set up Microsoft Defender ATP
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Migrate from Symantec - Phase 2: Set up Microsoft Defender ATP
+
+:::image type="content" source="images/SymantecMigration-DefenderATP-phase2.png" alt-text="Phase 2 - Setup":::
+
+**Welcome to the Setup phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This phase includes the following steps:
+1. [Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)](#enable-or-reinstall-microsoft-defender-antivirus-for-certain-versions-of-windows).
+2. [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus).
+3. [Add Microsoft Defender ATP to the exclusion list for Symantec](#add-microsoft-defender-atp-to-the-exclusion-list-for-symantec).
+4. [Add Symantec to the exclusion list for Microsoft Defender Antivirus](#add-symantec-to-the-exclusion-list-for-microsoft-defender-antivirus).
+5. [Add Symantec to the exclusion list for Microsoft Defender ATP](#add-symantec-to-the-exclusion-list-for-microsoft-defender-atp).
+6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
+7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
+
+## Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)
+
+> [!TIP]
+> If you're running Windows 10, you do not need to perform this task. Proceed to **[Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus)**.
+
+On certain versions of Windows, Microsoft Defender Antivirus might have been uninstalled or disabled. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as Symantec. To learn more, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). 
+
+Now that you're moving from Symantec to Microsoft Defender ATP, you'll need to enable or reinstall Microsoft Defender Antivirus, and set it to passive mode. 
+
+### Reinstall Microsoft Defender Antivirus on Windows Server
+
+> [!NOTE]
+> The following procedure applies only to endpoints or devices that are running the following versions of Windows:
+> - Windows Server 2019
+> - Windows Server, version 1803 (core-only mode)
+> - Windows Server 2016
+> 
+> Microsoft Defender Antivirus is built into Windows 10, but it might be disabled. In this case, proceed to [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus).
+
+1. As a local administrator on the endpoint or device, open Windows PowerShell.
+
+2. Run the following PowerShell cmdlets: <br/>
+   `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features` <br/>
+   `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` <br/>
+
+3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/>
+   `Get-Service -Name windefend`
+
+> [!TIP]
+> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
+
+### Set Microsoft Defender Antivirus to passive mode on Windows Server
+
+Because your organization is still using Symantec, you must set Microsoft Defender Antivirus to passive mode. That way, Symantec and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender ATP.
+
+1. Open Registry Editor, and then navigate to <br/>
+   `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
+
+2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
+   - Set the DWORD's value to **1**.
+   - Under **Base**, select **Hexadecimal**.
+
+> [!NOTE]
+> You can use other methods to set the registry key, such as the following:
+>- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
+>- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
+>- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs)
+
+## Enable Microsoft Defender Antivirus
+
+Because your organization has been using Symantec as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus. 
+
+To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
+
+|Method  |What to do  |
+|---------|---------|
+|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/><br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/><br/>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).<br/><br/>3. Select **Properties**, and then select **Configuration settings: Edit**.<br/><br/>4. Expand **Microsoft Defender Antivirus**. <br/><br/>5. Enable **Cloud-delivered protection**.<br/><br/>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<br/><br/>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<br/><br/>8. Select **Review + save**, and then choose **Save**.<br/><br/>For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
+|Control Panel in Windows     |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows). <br/><br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.        |
+|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus)  |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`. <br/><br/>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<br/> <br/>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <br/><br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+
+### Verify that Microsoft Defender Antivirus is in passive mode
+
+Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
+
+|Method  |What to do  |
+|---------|---------|
+|Command Prompt     |1. On a Windows device, open Command Prompt as an administrator. <br/><br/>2. Type `sc query windefend`, and then press Enter.<br/><br/>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode.         |
+|PowerShell     |1. On a Windows device, open Windows PowerShell as an administrator.<br/><br/>2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus?view=win10-ps) cmdlet. <br/><br/>3. In the list of results, look for **AntivirusEnabled: True**.          |
+
+> [!NOTE]
+> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
+
+## Add Microsoft Defender ATP to the exclusion list for Symantec
+
+This step of the setup process involves adding Microsoft Defender ATP to the exclusion list for Symantec and any other security products your organization is using. The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
+
+|OS |Exclusions |
+|--|--|
+|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))<br/>- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/>- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/>  |
+|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2) <br/>- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)<br/>- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<br/><br/>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+
+## Add Symantec to the exclusion list for Microsoft Defender Antivirus
+
+During this step of the setup process, you add Symantec and your other security solutions to the Microsoft Defender Antivirus exclusion list. 
+
+When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
+- Path exclusions exclude specific files and whatever those files access.
+- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
+- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
+- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
+
+You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
+
+|Method | What to do|
+|--|--|
+|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/><br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/><br/>2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<br/><br/>3. Under **Manage**, select **Properties**. <br/><br/>4. Select **Configuration settings: Edit**.<br/><br/>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<br/><br/>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<br/><br/>7. Choose **Review + save**, and then choose **Save**.  |
+|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <br/><br/>2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
+|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.<br/><br/>2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.<br/><br/>3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/><br/>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<br/><br/>5. Click **OK**.<br/><br/>6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column.  Enter **0** in the **Value** column.<br/><br/>7. Click **OK**. |
+|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <br/><br/>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**. <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/><br/>3. Specify your path and process exclusions. |
+|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<br/><br/>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
+
+## Add Symantec to the exclusion list for Microsoft Defender ATP
+
+To add exclusions to Microsoft Defender ATP, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
+
+1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
+
+2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
+
+3.  On the **File hashes** tab, choose **Add indicator**.
+
+3. On the **Indicator** tab, specify the following settings:
+   - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
+   - Under **Expires on (UTC)**, choose **Never**.
+
+4. On the **Action** tab, specify the following settings:
+   - **Response Action**: **Allow**
+   - Title and description
+
+5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
+
+6. On the **Summary** tab, review the settings, and then click **Save**.
+
+### Find a file hash using CMPivot
+
+CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview).
+
+To use CMPivot to get your file hash, follow these steps:
+
+1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
+
+2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot). 
+
+3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).
+
+4. Select the **Query** tab.
+ 
+5. In the **Device Collection** list, and choose **All Systems (default)**.
+
+6. In the query box, type the following query:<br/>
+
+```kusto
+File(c:\\windows\\notepad.exe)
+| project Hash
+```
+> [!NOTE]
+> In the query above, replace *notepad.exe* with the your third-party security product process name. 
+
+## Set up your device groups, device collections, and organizational units
+
+| Collection type | What to do |
+|--|--|
+|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<br/><br/> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/><br/>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<br/><br/>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.  <br/><br/>3. Choose **+ Add device group**.<br/><br/>4. Specify a name and description for the device group.<br/><br/>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).<br/><br/>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags). <br/><br/>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <br/><br/>8. Choose **Done**. |
+|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization. <br/><br/>Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
+|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<br/><br/> Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
+
+## Configure antimalware policies and real-time protection
+
+Using Configuration Manager and your device collection(s), configure your antimalware policies.
+
+- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
+
+- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
+
+> [!TIP]
+> You can deploy the policies before your organization's devices on onboarded.
+
+## Next step
+
+**Congratulations**! You have completed the Setup phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
+
+- [Proceed to Phase 3: Onboard to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-onboard.md)

windows/whats-new/whats-new-windows-10-version-2004.md

@@ -150,7 +150,7 @@ Windows Sandbox also has improved accessibility in this release, including:
 
 With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but would not shrink when no longer needed.
 
-[WSL2](https://docs.microsoft.com/windows/wsl/wsl2-index) support is has been added for ARM64 devices if your device supports virtualization.
+[WSL2](https://docs.microsoft.com/windows/wsl/wsl2-index) support has been added for ARM64 devices if your device supports virtualization.
 
 For a full list of updates to WSL, see the [WSL release notes](https://docs.microsoft.com/windows/wsl/release-notes).