Merge pull request #4543 from MicrosoftDocs/master

Publish 1/13/2020, 10:30 AM PT

.openpublishing.redirection.json

@@ -1534,6 +1534,11 @@
       "source_path": "windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection.md",
       "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection",
       "redirect_document_id": true
+    },
+	{
+      "source_path": "windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md",
+      "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list",
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md",

windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md

@@ -1,7 +1,7 @@
 ---
 title: Microsoft Defender Antivirus compatibility with other security products
-description: Microsoft Defender Antivirus operates in different ways depending on what other security products you have installed, and the operating system you are using.
+description: Get an overview of what to expect from Microsoft Defender Antivirus with other security products and the operating systems you are using.
-keywords: windows defender, atp, advanced threat protection, compatibility, passive mode
+keywords: windows defender, next-generation, atp, advanced threat protection, compatibility, passive mode
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.reviewer: pahuijbr, shwjha
+ms.reviewer: tewchen, pahuijbr, shwjha
 manager: dansimp
 ms.date: 01/11/2021
 ---
@@ -66,7 +66,10 @@ See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-def
 
 ## Functionality and features available in each state
 
-The following table summarizes the functionality and features that are available in each state:
+The table in this section summarizes the functionality and features that are available in each state. 
+
+> [!IMPORTANT]
+> The following table is informational, and it is designed to describe the features & capabilities that are turned on or off according to whether Microsoft Defender Antivirus is in Active mode, in Passive mode, or disabled/uninstalled. Do not turn off capabilities, such as real-time protection, if you are using Microsoft Defender Antivirus in passive mode or are using EDR in block mode. 
 
 |State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) |
 |--|--|--|--|--|--|
@@ -78,20 +81,20 @@ The following table summarizes the functionality and features that are available
 - In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
 - In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
 - When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
-- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
+- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended.
 
 ## Keep the following points in mind
 
-If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
+- If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
 
-When Microsoft Defender Antivirus is automatically disabled, it can automatically re-enabled if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
+- When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
 
-In passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+- When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have an up-to-date, non-Microsoft antivirus product providing real-time protection from malware.
 
-If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode.
+   If you uninstall the non-Microsoft antivirus product, and use Microsoft Defender Antivirus to provide protection to your devices, Microsoft Defender Antivirus will return to its normal active mode automatically.
 
 > [!WARNING]
-> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+> Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
 
 
 ## See also
@@ -100,5 +103,4 @@ If you uninstall the other product, and choose to use Microsoft Defender Antivir
 - [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md)
 - [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
 - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
-- [Configure Endpoint Protection on a standalone client](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure-standalone-client)
 - [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)

windows/security/threat-protection/microsoft-defender-atp/advanced-features.md

@@ -42,6 +42,12 @@ Turn on this feature so that users with the appropriate permissions can start a
 
 For more information about role assignments, see [Create and manage roles](user-roles.md).
 
+## Live response for servers
+Turn on this feature so that users with the appropriate permissions can start a live response session on servers.
+
+For more information about role assignments, see [Create and manage roles](user-roles.md).
+
+
 ## Live response unsigned script execution
 
 Enabling this feature allows you to run unsigned scripts in a live response session.

windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md

@@ -1,89 +0,0 @@
----
-title: Get RBAC machine groups collection API
-description: Learn how to use the Get KB collection API to retrieve a collection of RBAC device groups in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, RBAC, group
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: leonidzh
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
-ms.date: 10/07/2018
----
-
-# Get KB collection API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-Retrieves a collection of RBAC device groups.
-
-## Permissions
-User needs read permissions.
-
-## HTTP request
-```
-GET /testwdatppreview/machinegroups
-```
-
-## Request headers
-
-Header | Value 
-:---|:---
-Authorization | Bearer {token}. **Required**.
-Content type | application/json
-
-## Request body
-Empty
-
-## Response
-If successful - 200 OK.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://graph.microsoft.com/testwdatppreview/machinegroups
-Content-type: application/json
-```
-
-**Response**
-
-Here is an example of the response.
-Field id contains device group **id** and equal to field **rbacGroupId** in devices info. 
-Field **ungrouped** is true only for one group for all devices that have not been assigned to any group. This group as usual has name "UnassignedGroup".
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
-    "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineGroups",
-    "@odata.count":7,
-    "value":[
-        {
-            "id":86,
-            "name":"UnassignedGroup",
-            "description":"",
-            "ungrouped":true},
-        …
-}
-```

windows/security/threat-protection/microsoft-defender-atp/investigate-files.md

@@ -1,6 +1,6 @@
 ---
 title: Investigate Microsoft Defender Advanced Threat Protection files
-description: Use the investigation options to get details on files associated with alerts, behaviours, or events.
+description: Use the investigation options to get details on files associated with alerts, behaviors, or events.
 keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -20,7 +20,7 @@ ms.topic: article
 ms.date: 04/24/2018
 ---
 
-# Investigate a file associated with a Microsoft Defender ATP alert
+# Investigate a file associated with a Microsoft Defender for Endpoint alert
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 

windows/security/threat-protection/microsoft-defender-atp/live-response.md

@@ -43,25 +43,30 @@ With live response, analysts can do all of the following tasks:
 
 Before you can initiate a session on a device, make sure you fulfill the following requirements:
 
-- **Verify that you're running a supported version of Windows 10**. <br/>
+- **Verify that you're running a supported version of Windows**. <br/>
-Devices must be running one of the following versions of Windows 10:
+Devices must be running one of the following versions of Windows
-   - [1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later  
-   - [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
-   - [1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
-   - [1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
-   - [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
 
-- **Make sure to install appropriate security updates**.<br/>
+  - **Windows 10**
-   - 1903: [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)
+    - [Version 1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later  
-   - 1809 (RS5): [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
+    - [Version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) with [KB4515384](https://support.microsoft.com/en-us/help/4515384/windows-10-update-kb4515384)
-   - 1803 (RS4): [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
+    - [Version 1809 (RS 5)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) with [with KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
-   - 1709 (RS3): [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
+    - [Version 1803 (RS 4)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) with [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
+    - [Version 1709 (RS 3)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) with [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
+  
+  - **Windows Server 2019 - Only applicable for Public preview**
+    - Version 1903 or (with [KB4515384](https://support.microsoft.com/en-us/help/4515384/windows-10-update-kb4515384)) later 
+    - Version 1809 (with [KB4537818](https://support.microsoft.com/en-us/help/4537818/windows-10-update-kb4537818))
 
-- **Enable live response from the settings page**.<br>
+- **Enable live response from the advanced settings page**.<br>
 You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
 
     >[!NOTE]
     >Only users with manage security or global admin roles can edit these settings.
+
+- **Enable live response for servers from the advanced settings page** (recommended).<br>
+
+    >[!NOTE]
+    >Only users with manage security or global admin roles can edit these settings.
     
 - **Ensure that the device has an Automation Remediation level assigned to it**.<br>
 You'll need to enable, at least, the minimum Remediation Level for a given Device Group. Otherwise you won't be able to establish a Live Response session to a member of that group.