diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 1fe80284d7..0c4909bd02 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -15038,6 +15038,11 @@
"redirect_document_id": true
},
{
+"source_path": "windows/deployment/windows-10-architecture-posters.md",
+"redirect_url": "/windows/deployment/windows-10-deployment-scenarios",
+"redirect_document_id": true
+},
+{
"source_path": "windows/device-security/index.md",
"redirect_url": "/windows/security/threat-protection",
"redirect_document_id": true
diff --git a/devices/surface-hub/surface-hub-2s-manage-intune.md b/devices/surface-hub/surface-hub-2s-manage-intune.md
index 6c4f69a022..1853f3264d 100644
--- a/devices/surface-hub/surface-hub-2s-manage-intune.md
+++ b/devices/surface-hub/surface-hub-2s-manage-intune.md
@@ -35,11 +35,11 @@ Select Windows 10 Team for preset device restriction settings for Surface Hub an
-These settings include user experience and app behavior, Azure Log Analytics registration, Maintenance windows configuration, Session settings, and Miracast settings. For a complete list of configuration service providers (CSPs) for the Windows 10 Team operating system, see [Surface Hub CSPs in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/surfacehub-csp)
+These settings include user experience and app behavior, Azure Log Analytics registration, Maintenance windows configuration, Session settings, and Miracast settings. For a complete list of available Windows 10 Team settings, see [SurfaceHub CSP](https://docs.microsoft.com/windows/client-management/mdm/surfacehub-csp).
-## Additional supported configuration service providers
+## Additional supported configuration service providers (CSPs)
-For addtional supported CSPs, see [SurfaceHub CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference#surfacehubcspsuppor).
+For additional supported CSPs, see [Surface Hub CSPs in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#surfacehubcspsupport).
## Quality of Service (QoS) settings
diff --git a/windows/deployment/windows-10-architecture-posters.md b/windows/deployment/windows-10-architecture-posters.md
deleted file mode 100644
index f0245f7e83..0000000000
--- a/windows/deployment/windows-10-architecture-posters.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-title: Deploy Windows 10 - architectural posters
-description: Provides architural planning posters for Windows 10 in the enterprise
-ms.prod: w10
-ms.author: greg-lindsay
-author: greg-lindsay
-ms.date: 09/28/2017
-ms.reviewer:
-manager: laurawi
-ms.tgt_pltfrm: na
-ms.topic: article
-ms.localizationpriority: medium
----
-# Architectural planning posters for Windows 10
-
-You can download the following posters for architectural information about deploying Windows 10 in the enterprise.
-
-- [Deploy Windows 10 - Clean installation](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf)
- Learn about the options and steps for a new installation of Windows 10.
-- [Deploy Windows 10 - In-place upgrade](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf)
- Learn about the steps to upgrade from a previous version of Windows.
-- [Deploy Windows 10 - Windows Autopilot](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf)
- Learn how you can set up and pre-configure Windows 10 devices.
-- [Deploy Windows 10 - Windows servicing](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/WindowsServicing.pdf)
- Learn how to keep Windows up to date.
-- [Deploy Windows 10 - Protection solutions](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf)
- Learn about the two tiers of protection available for Windows 10 devices.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 4e0e71aa57..eaf63601ae 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -66,6 +66,9 @@ After a successful key registration, Windows creates a certificate request using
The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
+> [!NOTE]
+> In order for AD FS to verify the key used in the certificate request, it needs to be able to access the https://enterpriseregistration.windows.net endpoint.
+
The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index da3bf064e5..c4d3011a16 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -28,6 +28,9 @@ The Windows Server 2016 Active Directory Federation Server Certificate Registrat
The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.
+> [!NOTE]
+> In order for AD FS to verify user certificate requests for Windows Hello for Business, it needs to be able to access the https://enterpriseregistration.windows.net endpoint.
+
### Configure the Registration Authority
Sign-in the AD FS server with *Domain Admin* equivalent credentials.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 6e3126b3c7..3a8ba5db87 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -55,7 +55,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
8. Close the console.
-#### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template
+#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template
Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
@@ -77,6 +77,9 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
+>[!NOTE]
+>The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
+
### Enrollment Agent certificate template
Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate life-cycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
@@ -183,6 +186,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise
4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window.
5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
+
### Section Review
> [!div class="checklist"]
> * Domain Controller certificate template
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 0c6d6de655..bda944c54a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -77,6 +77,8 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
+>[!NOTE]
+>The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
### Publish Certificate Templates to a Certificate Authority
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
index da4a174d2c..5d013d5737 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
@@ -63,6 +63,30 @@ So, for example:
- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
+#### Understanding alert categories
+We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will retain the previous category names.
+
+The table below lists the current categories and how they generally map to previous categories.
+
+| New category | Previous categories | Detected threat activity or component |
+|----------------------|----------------------|-------------|
+| Collection | - | Locating and collecting data for exfiltration |
+| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands |
+| Credential access | CredentialTheft | Obtaining valid credentials to extend control over devices and other resources in the network |
+| Defense evasion | - | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits |
+| Discovery | Reconnaissance, WebFingerprinting | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers |
+| Execution | Delivery, MalwareDownload | Launching attacker tools and malicious code, including RATs and backdoors |
+| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location |
+| Exploit | Exploit | Exploit code and possible exploitation activity |
+| Initial access | SocialEngineering, WebExploit, DocumentExploit | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails |
+| Lateral movement | LateralMovement, NetworkPropagation | Moving between devices in the target network to reach critical resources or gain network persistence |
+| Malware | Malware, Backdoor, Trojan, TrojanDownloader, CredentialStealing, Weaponization, RemoteAccessTool | Backdoors, trojans, and other types of malicious code |
+| Persistence | Installation, Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts |
+| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account |
+| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access |
+| Suspicious activity | General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic | Atypicaly activity that could be malware activity or part of an attack |
+| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) |
+
### Status
You can choose to limit the list of alerts based on their status.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index 05fcb78399..3817d34a9a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -46,7 +46,7 @@ status | Enum | Specifies the current status of the alert. Possible values are:
investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' .
classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
-category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General' .
+category| String | Category of the alert. Possible values are: 'Collection', 'Command and control', 'Credential access', 'Defense evasion', 'Discovery', 'Execution', 'Exfiltration', 'Exploit', 'Initial access', 'Lateral movement', 'Malware', 'Persistence', 'Privilege escalation', 'Ransomware', 'Suspicious activity', 'Unwanted software'.
detectionSource | string | Detection source.
threatFamilyName | string | Threat family.
title | string | Alert title.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
new file mode 100644
index 0000000000..fd571e3bb9
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
@@ -0,0 +1,360 @@
+---
+title: Set preferences for Microsoft Defender ATP for Mac
+ms.reviewer:
+description: Describes how to configure Microsoft Defender ATP for Mac in enterprises.
+keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, mojave, high sierra, sierra
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Set preferences for Microsoft Defender ATP for Mac
+
+>[!IMPORTANT]
+>This topic contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise environments. If you are interested in configuring the product on a device from the command-line, please refer to the [Resources](microsoft-defender-atp-mac-resources.md#configuring-from-the-command-line) page.
+
+In enterprise environments, Microsoft Defender ATP for Mac can be managed through a configuration profile. This profile is deployed from management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
+
+This topic describes the structure of this profile (including a recommended profile that you can use to get started) and instructions for how to deploy the profile.
+
+## Configuration profile structure
+
+The configuration profile is a .plist file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences.
+
+The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
+
+### Antivirus engine preferences
+
+The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of the product.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | antivirusEngine |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+#### Enable / disable real-time protection
+
+Whether real-time protection (scan files as they are accessed) is enabled or not.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | enableRealTimeProtection |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+#### Scan exclusions
+
+Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | exclusions |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+**Type of exclusion**
+
+Specifies the type of content excluded from the scan.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | $type |
+| **Data type** | String |
+| **Possible values** | excludedPath
excludedFileExtension
excludedFileName |
+
+**Path to excluded content**
+
+Used to exclude content from the scan by full file path.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | path |
+| **Data type** | String |
+| **Possible values** | valid paths |
+| **Comments** | Applicable only if *$type* is *excludedPath* |
+
+**Path type (file / directory)**
+
+Indicates if the *path* property refers to a file or directory.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | isDirectory |
+| **Data type** | Boolean |
+| **Possible values** | false (default)
true |
+| **Comments** | Applicable only if *$type* is *excludedPath* |
+
+**File extension excluded from the scan**
+
+Used to exclude content from the scan by file extension.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | extension |
+| **Data type** | String |
+| **Possible values** | valid file extensions |
+| **Comments** | Applicable only if *$type* is *excludedFileExtension* |
+
+**Name of excluded content**
+
+Used to exclude content from the scan by file name.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | name |
+| **Data type** | String |
+| **Possible values** | any string |
+| **Comments** | Applicable only if *$type* is *excludedFileName* |
+
+#### Threat type settings
+
+The *threatTypeSettings* preference in the antivirus engine is used to control how certain threat types are handled by the product.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | threatTypeSettings |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+**Threat type**
+
+Type of the threat for which the behavior is configured.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | key |
+| **Data type** | String |
+| **Possible values** | potentially_unwanted_application
archive_bomb |
+
+**Action to take**
+
+Action to take when coming across a threat of the type specified in the preceding section. Can be:
+
+- **Audit**: your device is not protected against this type of threat, but an entry about the threat is logged.
+- **Block**: your device is protected against this type of threat and you are notified in the user interface and the security console.
+- **Off**: your device is not protected against this type of threat and nothing is logged.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | value |
+| **Data type** | String |
+| **Possible values** | audit (default)
block
off |
+
+### Cloud delivered protection preferences
+
+The *cloudService* entry in the configuration profile is used to configure the cloud driven protection feature of the product.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | cloudService |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+#### Enable / disable cloud delivered protection
+
+Whether cloud delivered protection is enabled on the device or not. To improve the security of your services, we recommend keeping this feature turned on.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | enabled |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+#### Diagnostic collection level
+
+Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | diagnosticLevel |
+| **Data type** | String |
+| **Possible values** | optional (default)
required |
+
+#### Enable / disable automatic sample submissions
+
+Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. You are prompted if the submitted file is likely to contain personal information.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | automaticSampleSubmission |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+## Recommended configuration profile
+
+To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
+
+The following configuration profile will:
+- Enable real-time protection (RTP)
+- Specify how the following threat types are handled:
+ - **Potentially unwanted applications (PUA)** are blocked
+ - **Archive bombs** (file with a high compression rate) are audited to the product logs
+- Enable cloud delivered protection
+- Enable automatic sample submission
+
+```XML
+
+
+
+
+ antivirusEngine
+
+ enableRealTimeProtection
+
+ threatTypeSettings
+
+
+ key
+ potentially_unwanted_application
+ value
+ block
+
+
+ key
+ archive_bomb
+ value
+ audit
+
+
+
+ cloudService
+
+ enabled
+
+ automaticSampleSubmission
+
+
+
+
+```
+
+## Full configuration profile example
+
+The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product.
+
+```XML
+
+
+
+
+ antivirusEngine
+
+ enableRealTimeProtection
+
+ exclusions
+
+
+ $type
+ excludedPath
+ isDirectory
+
+ path
+ /var/log/system.log
+
+
+ $type
+ excludedPath
+ isDirectory
+
+ path
+ /home
+
+
+ $type
+ excludedFileExtension
+ extension
+ pdf
+
+
+ allowedThreats
+
+ eicar
+
+ threatTypeSettings
+
+
+ key
+ potentially_unwanted_application
+ value
+ block
+
+
+ key
+ archive_bomb
+ value
+ audit
+
+
+
+ cloudService
+
+ enabled
+
+ diagnosticLevel
+ optional
+ automaticSampleSubmission
+
+
+
+
+```
+
+## Configuration profile deployment
+
+Once you've built the configuration profile for your enterprise, you can deploy it through the management console that your enterprise is using. The following sections provide instructions on how to deploy this profile using JAMF and Intune.
+
+### JAMF deployment
+
+From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with *com.microsoft.wdav* as the preference domain and upload the .plist produced earlier.
+
+>[!WARNING]
+>It is important that you enter the correct preference domain (*com.microsoft.wdav*), otherwise the preferences might not be recognized by the product.
+
+### Intune deployment
+
+1. Open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+
+2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select Configure.
+
+3. Save the .plist produced earlier as **com.microsoft.wdav.xml**.
+
+4. Enter **com.microsoft.wdav** as the **custom configuration profile name**.
+
+5. Open the configuration profile and upload **com.microsoft.wdav.xml**. This file was created in step 3.
+
+6. Select **OK**.
+
+7. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
+
+>[!WARNING]
+>It is important that you enter the correct custom configuration profile name, otherwise these preferences might not be recognized by the product.
+
+## Resources
+
+- [Configuration Profile Reference (Apple developer documentation)](https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
index 6794868296..79866deb5d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
@@ -55,6 +55,8 @@ In general you'll need to take the following steps:
Whichever method you choose, you will first need to visit the onboarding page in the Microsoft Defender ATP portal.
+Once installed, you can configure the product in your enterprise using the steps in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
+
### Prerequisites
You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
index 81599231f8..a194696c88 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
@@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
@@ -22,7 +21,9 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you may encounter problems or issues.
+You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
+
+When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you might encounter problems or issues.
Typically, the most common indicators of a problem are:
- You only see a small number or subset of all the devices you were expecting to see
@@ -52,7 +53,9 @@ In order for devices to properly show up in Update Compliance, you have to meet
> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level).
> - It has been 3 days since all requirements have been met
-If the above pre-requisites have all been met, you may need to proceed to the next step to collect diagnostic information and send it to us.
+“You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
+
+If the above pre-requisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
> [!div class="nextstepaction"]
> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data-update-compliance.md)