diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 9904301173..362aae37c3 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -289,9 +289,9 @@ The following table show the mapping of information to the AppLocker publisher r
Here is an example AppLocker publisher rule:
``` syntax
-FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Reader" BinaryName="*">
+
-
+
```
You can get the publisher name and product name of apps using a web API.
@@ -299,7 +299,7 @@ You can get the publisher name and product name of apps using a web API.
**To find publisher and product name for Microsoft apps in Microsoft Store for Business**
1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
-2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https:<\span>//www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**.
+2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**.
3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
@@ -313,14 +313,11 @@ You can get the publisher name and product name of apps using a web API.
-
-
-~~~
Here is the example for Microsoft OneNote:
Request
@@ -339,7 +336,6 @@ Result
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
```
-~~~
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index b30f0e06e5..040bf33710 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -410,16 +410,45 @@ Valid values are:
- 1 – Enable.
- 0 (default) – Disable.
-**Configuration/DisableCpuThrottleOnIdleScans**
-Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur.
+**Configuration/DisableCpuThrottleOnIdleScans**
+Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur.
+
+The data type is integer.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Valid values are:
+- 1 – Enable.
+- 0 (default) – Disable.
+
+**Configuration/MeteredConnectionUpdates**
+Allow managed devices to update through metered connections. Data charges may apply.
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
-- 1 – Enable.
-- 0 (default) – Disable.
+- 1 – Enable.
+- 0 (default) – Disable.
+
+**Configuration/AllowNetworkProtectionOnWinServer**
+This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored.
+
+The data type is integer.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Valid values are:
+- 1 – Enable.
+- 0 (default) – Disable.
+
+**Configuration/ExclusionIpAddress**
+Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.
+
+The data type is string.
+
+Supported operations are Add, Delete, Get, Replace.
**Configuration/EnableFileHashComputation**
Enables or disables file hash computation feature.
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index 047006fce2..4f28ec54ab 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -1,6 +1,6 @@
---
title: Alter Windows 10 Start and taskbar via mobile device management
-description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and tasbkar layout to users.
+description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users.
ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4
ms.reviewer:
manager: dansimp
@@ -51,6 +51,9 @@ Two features enable Start layout control:
- In Microsoft Intune, you select the Start layout XML file and add it to a device configuration profile.
+ >[!NOTE]
+ >Please do not include XML Prologs like \ in the Start layout XML file. The settings may not be reflected correctly.
+
## Create a policy for your customized Start layout
diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md
index 49b83d23f1..ae68206cec 100644
--- a/windows/deployment/update/windows-update-resources.md
+++ b/windows/deployment/update/windows-update-resources.md
@@ -42,29 +42,30 @@ The following resources provide additional information about using Windows Updat
``` console
cmd
```
-2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+2. Stop the **BITS service**, the **Windows Update service** and the **Cryptographic service**. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
net stop bits
net stop wuauserv
+ net stop cryptsvc
```
-3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER:
+3. Delete the **qmgr\*.dat** files. To do this, type the following command at a command prompt, and then press ENTER:
``` console
Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
```
4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above.
1. Rename the following folders to *.BAK:
``` console
- %systemroot%\SoftwareDistribution\DataStore
- %systemroot%\SoftwareDistribution\Download
- %systemroot%\system32\catroot2
+ %Systemroot%\SoftwareDistribution\DataStore
+ %Systemroot%\SoftwareDistribution\Download
+ %Systemroot%\System32\catroot2
```
To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
- Ren %systemroot%\SoftwareDistribution\DataStore *.bak
- Ren %systemroot%\SoftwareDistribution\Download *.bak
- Ren %systemroot%\system32\catroot2 *.bak
+ Ren %Systemroot%\SoftwareDistribution\DataStore DataStore.bak
+ Ren %Systemroot%\SoftwareDistribution\Download Download.bak
+ Ren %Systemroot%\System32\catroot2 catroot2.bak
```
- 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ 2. Reset the **BITS service** and the **Windows Update service** to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
@@ -73,7 +74,7 @@ The following resources provide additional information about using Windows Updat
``` console
cd /d %windir%\system32
```
-6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+6. Reregister the **BITS** files and the **Windows Update** files. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
regsvr32.exe atl.dll
@@ -114,7 +115,7 @@ The following resources provide additional information about using Windows Updat
regsvr32.exe wuwebv.dll
```
-7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER:
+7. Reset **Winsock**. To do this, type the following command at a command prompt, and then press ENTER:
``` console
netsh winsock reset
```
@@ -122,13 +123,13 @@ The following resources provide additional information about using Windows Updat
``` console
proxycfg.exe -d
```
-9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+9. Restart the **BITS service**, the **Windows Update service** and the **Cryptographic service**. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
net start bits
-
- net start wuauserv
+ net start wuauserv
+ net start cryptsvc
```
-10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER:
+10. If you are running Windows Vista or Windows Server 2008, clear the **BITS** queue. To do this, type the following command at a command prompt, and then press ENTER:
``` console
bitsadmin.exe /reset /allusers
```
diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md
index d449b47b4c..0d7d37c2fe 100644
--- a/windows/privacy/manage-windows-20H2-endpoints.md
+++ b/windows/privacy/manage-windows-20H2-endpoints.md
@@ -85,6 +85,7 @@ The following methodology was used to derive these network endpoints:
|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com|
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
+||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
index 90a4a08397..b69fe341ce 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@@ -42,9 +42,9 @@ As the depth and breadth of protections provided by Windows Defender Credential
### Saved Windows Credentials Protected
Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites are not protected since the applications require your cleartext password. If the application does not need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager:
- - Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed."
- - Applications that extract Windows credentials fail.
- - When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials.
+* Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed."
+* Applications that extract Windows credentials fail.
+* When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials.
## Clearing TPM Considerations
Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 34008453ad..714d9c0db7 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -82,6 +82,9 @@ Microsoft recommends that BitLocker Device Encryption be enabled on any systems
Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.
+> [!NOTE]
+> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. In case you need to use a different encryption method and/or cipher strength, the device must be configured and decrypted (if already encrypted) first. After that, different BitLocker settings can be applied.
+
## Used Disk Space Only encryption
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index cfcd3b4102..58b2c201b8 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -18,6 +18,11 @@ ms.technology: mde
---
# Threat Protection
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
**Applies to:**
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 683610ed5c..3c97136983 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -56,12 +56,12 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh
If you are using Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
-- Name: `ForceDefenderPassiveMode`
+- Name: `ForcePassiveMode`
- Type: `REG_DWORD`
- Value: `1`
> [!NOTE]
-> The `ForceDefenderPassiveMode` registry key is not supported on Windows Server 2016.
+> The `ForcePassiveMode` registry key is not supported on Windows Server 2016.
(2) On Windows Server 2016, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In addition, Microsoft Defender Antivirus is not supported in passive mode. In those cases, [disable/uninstall Microsoft Defender Antivirus manually](microsoft-defender-antivirus-on-windows-server-2016.md#are-you-using-windows-server-2016) to prevent problems caused by having multiple antivirus products installed on a server.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
index 0f1c9bbc2f..4eb54041c7 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
@@ -177,7 +177,7 @@ If you are using a non-Microsoft antivirus product as your primary antivirus sol
If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
-- Name: `ForceDefenderPassiveMode`
+- Name: `ForcePassiveMode`
- Type: `REG_DWORD`
- Value: `1`
diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
index 94eacf9749..6cfe7fc064 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
@@ -13,7 +13,7 @@ ms.topic: article
author: dansimp
ms.author: dansimp
ms.custom: nextgen
-ms.date: 02/04/2021
+ms.date: 02/18/2021
ms.reviewer:
manager: dansimp
ms.technology: mde
@@ -31,13 +31,11 @@ Applies to:
> [!IMPORTANT]
> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender for Endpoint. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.
-> [!WARNING]
-> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported.
-
Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity.
## Before you begin
-Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts.
+
+See [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts.
> [!NOTE]
> Depending on your choice of onboarding method, devices can appear in Microsoft Defender Security Center as either:
@@ -77,31 +75,27 @@ This scenario uses a centrally located script and runs it using a domain-based g
#### Use Group Policy management console to run the script when the virtual machine starts
1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
-1. In the Group Policy Management Editor, go to **Computer configuration** \> **Preferences** \> **Control panel settings**.
-1. Right-click **Scheduled tasks**, click **New**, and then click **Immediate Task** (At least Windows 7).
-1. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
-1. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
-1. Go to the **Actions** tab and click **New**. Ensure that **Start a program** is selected in the Action field.
-Enter the following:
-
-> Action = "Start a program"
-> Program/Script = C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
-> Add Arguments (optional) = -ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"
-
-Click **OK** and close any open GPMC windows.
+2. In the Group Policy Management Editor, go to **Computer configuration** > **Preferences** > **Control panel settings**.
+3. Right-click **Scheduled tasks**, click **New**, and then select **Immediate Task** (At least Windows 7).
+4. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. `NT AUTHORITY\SYSTEM` appears as the user account under which the task will run.
+5. Select **Run whether user is logged on or not** and select the **Run with highest privileges** option.
+6. Go to the **Actions** tab and select **New**. Confirm that **Start a program** is selected in the **Action** field.
+7. Specify the following:
+ - Action = **Start a program**
+ - Program/Script = `C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe`
+ - Add Arguments (optional) = `-ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"`
+8. Select **OK** and close any open GPMC windows.
### Scenario 3: Onboarding using management tools
-If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager.
-
-For more information, see: [Onboard Windows 10 devices using Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
-
-> [!WARNING]
-> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), please note that rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
-
> [!TIP]
> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
+If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager. For more information, see: [Onboard Windows 10 devices using Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
+
+> [!WARNING]
+> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), the rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
+
## Tagging your machines when building your image
As part of your onboarding, you may want to consider setting a machine tag to be able to differentiate WVD machines more easily in the Microsoft Security Center. For more information, see
diff --git a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
index e7059f44d9..969ca1a11c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
@@ -20,6 +20,10 @@ ms.technology: mde
# Access the Microsoft Defender Security Center MSSP customer portal
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
index 41a3a471ac..4b005be826 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
@@ -19,18 +19,18 @@ ms.technology: mde
# Add or Remove Machine Tags API
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
## API description
Adds or remove tag to a specific [Machine](machine.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
index 0230069f42..0239279f5e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@@ -1,7 +1,7 @@
---
-title: Configure advanced features in Microsoft Defender ATP
-description: Turn on advanced features such as block file in Microsoft Defender Advanced Threat Protection.
-keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, azure atp, office 365, azure information protection, intune
+title: Configure advanced features in Microsoft Defender for Endpoint
+description: Turn on advanced features such as block file in Microsoft Defender for Endpoint.
+keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, microsoft defender for identity, office 365, azure information protection, intune
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
@@ -20,14 +20,14 @@ ms.technology: mde
# Configure advanced features in Defender for Endpoint
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with.
@@ -61,15 +61,15 @@ Enabling this feature allows you to run unsigned scripts in a live response sess
## Autoresolve remediated alerts
-For tenants created on or after Windows 10, version 1809 the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature.
+For tenants created on or after Windows 10, version 1809, the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature.
->[!TIP]
->For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page.
+> [!TIP]
+> For tenants created prior to that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page.
->[!NOTE]
+> [!NOTE]
>
->- The result of the auto-resolve action may influence the Device risk level calculation which is based on the active alerts found on a device.
->- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
+> - The result of the auto-resolve action may influence the Device risk level calculation which is based on the active alerts found on a device.
+> - If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
## Allow or block file
@@ -100,8 +100,8 @@ To use this feature, devices must be running Windows 10 version 1709 or later. T
For more information, see [Manage indicators](manage-indicators.md).
->[!NOTE]
->Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Defender for Endpoint data.
+> [!NOTE]
+> Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Defender for Endpoint data.
## Show user details
@@ -117,15 +117,15 @@ For more information, see [Investigate a user account](investigate-user.md).
Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
->[!NOTE]
+> [!NOTE]
> When a device is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when devices are in isolation mode.
## Azure Advanced Threat Protection integration
The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the device-based investigation capability by pivoting across the network from an identify point of view.
->[!NOTE]
->You'll need to have the appropriate license to enable this feature.
+> [!NOTE]
+> You'll need to have the appropriate license to enable this feature.
## Office 365 Threat Intelligence connection
@@ -133,24 +133,24 @@ This feature is only available if you have an active Office 365 E5 or the Threat
When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices.
->[!NOTE]
->You'll need to have the appropriate license to enable this feature.
+> [!NOTE]
+> You'll need to have the appropriate license to enable this feature.
-To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
+To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Threat investigation and response](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-ti).
## Microsoft Threat Experts
Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Defender for Endpoint portal's alerts dashboard and via email if you configure it.
->[!NOTE]
->The Microsoft Threat Experts capability in Defender for Endpoint is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).
+> [!NOTE]
+> The Microsoft Threat Experts capability in Defender for Endpoint is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).
## Microsoft Cloud App Security
Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.
->[!NOTE]
->This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.
+> [!NOTE]
+> This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)), or later Windows 10 versions.
## Azure Information Protection
@@ -158,13 +158,13 @@ Turning on this setting allows signals to be forwarded to Azure Information Prot
## Microsoft Secure Score
-Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
+Forwards Microsoft Defender for Endpoint signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the device's security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data.
-### Enable the Microsoft Defender ATP integration from the Azure ATP portal
+### Enable the Microsoft Defender for Endpoint integration from the Microsoft Defender for Identity portal
-To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
+To receive contextual device integration in Microsoft Defender for Identity, you'll also need to enable the feature in the Microsoft Defender for Identity portal.
-1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
+1. Log in to the [Microsoft Defender for Identity portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
2. Click **Create your instance**.
@@ -176,8 +176,8 @@ After completing the integration steps on both portals, you'll be able to see re
Defender for Endpoint can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement.
->[!IMPORTANT]
->You'll need to enable the integration on both Intune and Defender for Endpoint to use this feature. For more information on specific steps, see [Configure Conditional Access in Defender for Endpoint](configure-conditional-access.md).
+> [!IMPORTANT]
+> You'll need to enable the integration on both Intune and Defender for Endpoint to use this feature. For more information on specific steps, see [Configure Conditional Access in Defender for Endpoint](configure-conditional-access.md).
This feature is only available if you have the following:
@@ -188,7 +188,7 @@ This feature is only available if you have the following:
When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It should not be deleted.
->[!NOTE]
+> [!NOTE]
> The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints.
## Preview features
@@ -207,4 +207,3 @@ After configuring the [Security policy violation indicators](https://docs.micros
- [Update data retention settings](data-retention-settings.md)
- [Configure alert notifications](configure-email-notifications.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md
index 2d0e83a1c6..ec9f2b383d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md
@@ -23,9 +23,11 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-**Applies to:**
+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
+**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
index d287cdbb3b..3d5528fced 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@@ -23,8 +23,8 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
index e3c67bd93e..dfd47ce5c3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
@@ -23,10 +23,10 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
index 71741e06aa..85121c67e1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
@@ -22,10 +22,9 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
index d3f4b6a040..9d8a944f7b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
@@ -23,10 +23,10 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
index e80863221a..1f725b1953 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
@@ -22,10 +22,10 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
index 6a341b969b..2403e7dca0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
@@ -22,10 +22,10 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
index 8f18931852..e9bb4da83c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
@@ -22,10 +22,10 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
index 7f162f6d82..8d7bb09379 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
@@ -22,10 +22,10 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
index cf5f540d22..606738f0a5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
@@ -22,10 +22,10 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
index 3983f87831..469cf50647 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
@@ -22,10 +22,10 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
index eff542c7ae..3f8c20ce5c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
@@ -22,10 +22,10 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
index 8e3b625f9b..91bf57e992 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
@@ -22,10 +22,9 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
index 7030a063ab..1a30b1c1d8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
@@ -22,10 +22,9 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
index 7238db9c90..33b5554fd4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
@@ -22,10 +22,9 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
index c4e032f3e4..9a7862714a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
@@ -22,14 +22,12 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
[!include[Prerelease information](../../includes/prerelease.md)]
The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
index 7c4190748d..bbbfb435dc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
@@ -22,10 +22,9 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md
index 2a99d2648b..ffff09c519 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md
@@ -24,10 +24,10 @@ ms.technology: mde
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
Advanced hunting displays errors to notify for syntax mistakes and whenever queries hit [predefined limits](advanced-hunting-limits.md). Refer to the table below for tips on how to resolve or avoid errors.
| Error type | Cause | Resolution | Error message examples |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md
index 0b15378b40..e1120e33aa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md
@@ -24,8 +24,8 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-
-- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
[Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md
index bea6b0caac..ca6bab10ed 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md
@@ -22,8 +22,7 @@ ms.technology: mde
# FileProfile()
**Applies to:**
-
-- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md
index f340f5f99e..b8df03089a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md
@@ -24,8 +24,12 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+**Applies to:**
- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+
With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity.
The *go hunt* action is available in various sections of the security center whenever event or entity details are displayed. For example, you can use *go hunt* from the following sections:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
index 3d01e56992..062ccc2962 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
@@ -22,7 +22,6 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
index 05d0ff1e4e..17f6ebfe5d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@@ -23,7 +23,6 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
index 6c96b5ea1e..5fe6c98c25 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
@@ -24,8 +24,13 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts.
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts.
## In this section
Topic | Description
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
index e89b4dc429..8978316dd4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
@@ -23,10 +23,8 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index 9d282cfc4b..16357997f1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -22,17 +22,15 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
## Methods
Method |Return Type |Description
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
index 55e9ca48c5..89f8619d4e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
@@ -29,6 +29,9 @@ ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+
Learn how to deploy Defender for Endpoint for Android on Intune
Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your
device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal).
@@ -52,8 +55,7 @@ Learn how to deploy Defender for Endpoint for Android on Intune Company Portal -
center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
**Android Apps** \> **Add \> Android store app** and choose **Select**.
- 
-
+ 
2. On the **Add app** page and in the *App Information* section enter:
@@ -64,7 +66,7 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
Other fields are optional. Select **Next**.
- 
+ 
3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint for Android app. Choose **Select** and then **Next**.
@@ -72,14 +74,15 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
>The selected user group should consist of Intune enrolled users.
> [!div class="mx-imgBorder"]
- > 
+
+ > 
4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
In a few moments, the Defender for Endpoint app would be created successfully, and a notification would show up at the top-right corner of the page.
- 
+ 
5. In the app information page that is displayed, in the **Monitor** section,
@@ -87,7 +90,7 @@ select **Device install status** to verify that the device installation has
completed successfully.
> [!div class="mx-imgBorder"]
- > 
+ > 
### Complete onboarding and check status
@@ -124,14 +127,13 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
**Android Apps** \> **Add** and select **Managed Google Play app**.
> [!div class="mx-imgBorder"]
- > 
-
+ > 
2. On your managed Google Play page that loads subsequently, go to the search
box and lookup **Microsoft Defender.** Your search should display the Microsoft
Defender for Endpoint app in your Managed Google Play. Click on the Microsoft Defender for Endpoint app from the Apps search result.
- 
+ 
3. In the App description page that comes up next, you should be able to see app
details on Defender for Endpoint. Review the information on the page and then
@@ -181,7 +183,7 @@ Defender ATP should be visible in the apps list.
1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**.
- 
+ 
1. In the **Create app configuration policy** page, enter the following details:
@@ -201,19 +203,19 @@ Defender ATP should be visible in the apps list.
Then select **OK**.
> [!div class="mx-imgBorder"]
- > 
+ > 
1. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**.
> [!div class="mx-imgBorder"]
- > 
+ > 
1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app.
> [!div class="mx-imgBorder"]
- > 
+ > 
1. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
@@ -221,7 +223,7 @@ Defender ATP should be visible in the apps list.
The app configuration policy for Defender for Endpoint autogranting the storage permission is now assigned to the selected user group.
> [!div class="mx-imgBorder"]
- > 
+ > 
10. Select **Microsoft Defender ATP** app in the list \> **Properties** \>
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md
index 218b71c7b4..10ddc13de9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md
@@ -24,6 +24,8 @@ ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
Defender for Endpoint for Android collects information from your configured
Android devices and stores it in the same tenant where you have Defender for Endpoint.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
index ae89af07b5..f301f7ead9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
@@ -25,13 +25,16 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
When onboarding a device, you might see sign in issues after the app is installed.
+
During onboarding, you might encounter sign in issues after the app is installed on your device.
This article provides solutions to help address the sign-on issues.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
index c39a6c1b13..1ab039d371 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
@@ -28,6 +28,9 @@ ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+
## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT
These license terms ("Terms") are an agreement between Microsoft Corporation (or
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
index aea24acd1f..cadef87218 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
@@ -24,8 +24,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
The Microsoft Defender for Endpoint API Explorer is a tool that helps you explore various Defender for Endpoint APIs interactively.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
index dd57d2e5d7..7793136a50 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
@@ -22,9 +22,9 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
index 015eeffdda..b5b277ed3b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
@@ -38,6 +38,7 @@ Microsoft Defender API has an official Flow Connector with many capabilities.
> [!NOTE]
> For more details about premium connectors licensing prerequisites, see [Licensing for premium connectors](https://docs.microsoft.com/power-automate/triggers-introduction#licensing-for-premium-connectors).
+
## Usage example
The following example demonstrates how to create a Flow that is triggered any time a new Alert occurs on your tenant.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
index c016af3404..1983cf9886 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
@@ -26,9 +26,14 @@ ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
Watch this video for a quick overview of Defender for Endpoint's APIs.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
index 18bee0fadf..047eae7fed 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
@@ -24,7 +24,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
index 475eaec908..da9a3daa46 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
@@ -22,7 +22,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index 5a9d398823..7e26356956 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -23,10 +23,11 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
## Why attack surface reduction rules are important
Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help!
diff --git a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
index 4b16ba2447..e851516dcb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
@@ -21,7 +21,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index c7281f84af..f227cf31b8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -33,7 +33,7 @@ ms.technology: mde
Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).
> [!NOTE]
-> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you add it as an application you trust or allow with [certificate and file indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates).
+> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you allow with [certificate and file indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates).
Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index b4ddf74520..65af61d64f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -93,6 +93,10 @@ When saved, a new custom detection rule immediately runs and checks for matches
- **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours
- **Every hour**—runs hourly, checking data from the past 2 hours
+> [!IMPORTANT]
+>When changing a query that is already scheduled as a Custom Detection, it's next immediate execution will have a lookback window of 30 days, exactly as if a new query was being created.
+>Changes to a large number of queries, and with time filters higher than the default lookback durantion for the selected frequency, might have an impact in the overall quota consumption of Advanced Hunting and resulting in exhausting the daily quota.
+
> [!TIP]
> Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
index 1517a11f36..7997959422 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
@@ -157,6 +157,9 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications]
Microsoft Defender for Endpoint certificate and file indicators can allow signed executable files to access protected folders. For implementation details, see [Create indicators based on certificates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates).
+> [!Note]
+> This does no apply to scripting engines, including Powershell
+
## Customize the notification
For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Configure alert notifications in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 87dd461c37..5aabbdddd6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -20,7 +20,7 @@ ms.collection:
- m365initiative-defender-endpoint
- m365solution-scenario
- m365scenario-fpfn
-ms.topic: conceptual
+ms.topic: how-to
ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree, jcedola
ms.custom: FPFN
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
index 71d79d264d..fe94731159 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
@@ -22,7 +22,6 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
@@ -50,7 +49,7 @@ Enable security information and event management (SIEM) integration so you can p
## Enabling SIEM integration
1. In the navigation pane, select **Settings** > **SIEM**.
- 
+ 
>[!TIP]
>If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
@@ -61,7 +60,7 @@ Enable security information and event management (SIEM) integration so you can p
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
- 
+ 
3. Choose the SIEM type you use in your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
index e0573cb79a..66707cf26c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
@@ -23,6 +23,11 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
[Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
index 3ae9907010..24fda19f6c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
@@ -21,8 +21,10 @@ ms.technology: mde
**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. Set attack surface reduction rules for devices running any of the following editions and versions of Windows:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
index f03cb69dc5..6ae477dd83 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
@@ -19,10 +19,12 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
index 7c942f7f1c..158be3a882 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
@@ -1,5 +1,5 @@
---
-title: See how exploit protection works in a demo
+title: See how Exploit protection works in a demo
description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps.
keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation
search.product: eADQiWindows 10XVcnh
@@ -21,36 +21,38 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.)
-This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit protection, you can see what *would* have happened if you had enabled exploit protection in your production environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps, and you can see which suspicious or malicious events occur.
+Use exploit protection in audit mode to review related events in Event Viewer. By enabling audit mode, you'll see how mitigation works for certain apps in a test environment. Audit mode shows what *would* have happened if you enabled exploit protection in your production environment. This way, you can verify that exploit protection doesn't adversely affect your line-of-business apps, and see which suspicious or malicious events occur.
> [!TIP]
> You can also visit the Microsoft Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
## Enable exploit protection in audit mode
-You can set mitigation in audit mode for specific programs either by using the Windows Security app or Windows PowerShell.
+You can set mitigations in audit mode for specific programs by using the Windows Security app or Windows PowerShell.
### Windows Security app
-1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app. Select the shield icon in the task bar or search the start menu for **Defender**.
2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**.
3. Go to **Program settings** and choose the app you want to apply protection to:
1. If the app you want to configure is already listed, select it and then select **Edit**
- 2. If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
+ 2. If the app is not listed at the top of the list select **Add program to customize**. Then, choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
+4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You'll be notified if you need to restart the process, app, or Windows.
5. Repeat this procedure for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
@@ -65,7 +67,7 @@ Set-ProcessMitigation - -:
* `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
* \:
@@ -73,10 +75,10 @@ Where:
* `-Disable` to disable the mitigation
* \:
* The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
-
+```
|Mitigation | Audit mode cmdlet |
|---|---|
- |Arbitrary code guard (ACG) | `AuditDynamicCode` |
+ |Arbitrary Code Guard (ACG) | `AuditDynamicCode` |
|Block low integrity images | `AuditImageLoad`
|Block untrusted fonts | `AuditFont`, `FontAuditOnly` |
|Code integrity guard | `AuditMicrosoftSigned`, `AuditStoreSigned` |
@@ -89,20 +91,20 @@ For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
```
-You can disable audit mode by replacing `-Enable` with `-Disable`.
+You can disable **audit mode** by replacing `-Enable` with `-Disable`.
## Review exploit protection audit events
To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.
-|Feature | Provider/source | Event ID | Description |
+| Feature | Provider/source | Event ID | Description |
|---|---|--|---|
- |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit |
- |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit |
- |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit |
- |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit |
- |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit |
- |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit |
+ | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit |
+ | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit |
+ | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit |
+ | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit |
+ | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit |
+ | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit |
## See also
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
index 17c2379974..8be04a87c7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
@@ -19,10 +19,9 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
[Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index bc826edaa6..608e465720 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -25,6 +25,10 @@ ms.technology: mde
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
+
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and device configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
@@ -246,10 +250,10 @@ You can conveniently run any available simulation right from the catalog.
Each simulation comes with an in-depth description of the attack scenario and references such as the MITRE attack techniques used and sample Advanced hunting queries you run.
**Examples:**
-
+
-
+
## Evaluation report
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
index b85dafe7c7..6fbb30d6e3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
@@ -26,10 +26,11 @@ ms.technology: mde
**Applies to:**
-
- Event Viewer
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-views.md b/windows/security/threat-protection/microsoft-defender-atp/event-views.md
index 33d619999f..e8b667e82c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/event-views.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/event-views.md
@@ -19,10 +19,11 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Review attack surface reduction events in Event Viewer to monitor what rules or settings are working. You can also determine if any settings are too "noisy" or impacting your day to day workflow.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
index 26798adfad..79a6fd80df 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
@@ -24,8 +24,10 @@ ms.technology: mde
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Exploit protection provides advanced protections for applications that the IT Pro can apply after the developer has compiled and distributed the software.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
index cad5a5587f..60c5bce436 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@@ -24,8 +24,10 @@ ms.technology: mde
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server, version 1803.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
index 97fea96343..ca1f1ea37e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
@@ -23,9 +23,10 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
index 4addcba21f..664f1c63be 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
@@ -1,5 +1,5 @@
---
-title: Create an Application to access Microsoft Defender for Endpoint without a user
+title: Create an Application to access Microsoft Defender for Endpoint without a user
ms.reviewer:
description: Learn how to design a web app to get programmatic access to Microsoft Defender for Endpoint without a user.
keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query
@@ -25,7 +25,7 @@ ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
index 3118860e56..dc6a1df497 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
@@ -114,9 +114,9 @@ For more information on Azure AD tokens, see the [Azure AD tutorial](https://doc
### Use PowerShell
-```
-# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
-# Paste below your Tenant ID, App ID and App Secret (App key).
+```powershell
+# This script acquires the App Context Token and stores it in the variable $token for later use in the script.
+# Paste your Tenant ID, App ID, and App Secret (App key) into the indicated quotes below.
$tenantId = '' ### Paste your tenant ID here
$appId = '' ### Paste your Application ID here
@@ -132,8 +132,6 @@ $authBody = [Ordered] @{
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
-Out-File -FilePath "./Latest-token.txt" -InputObject $token
-return $token
```
### Use C#:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
index b63ffacc2f..e2ceff454e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
@@ -25,12 +25,13 @@ ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
[!include[Improve request performance](../../includes/improve-request-performance.md)]
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Full scenario using multiple APIs from Microsoft Defender for Endpoint.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
index c326b0fb4e..1f9f6cb3b5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@@ -22,8 +22,8 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -31,17 +31,18 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
+
If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/)
Not all properties are filterable.
-## Properties that supports $filter:
-
+## Properties that support $filter:
+```
- [Alert](alerts.md): ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category```.
- [Machine](machine.md): ```ComputerDnsName```, ```LastSeen```, ```HealthStatus```, ```OsPlatform```, ```RiskScore``` and ```RbacGroupId```.
- [MachineAction](machineaction.md): ```Status```, ```MachineId```, ```Type```, ```Requestor``` and ```CreationDateTimeUtc```.
- [Indicator](ti-indicator.md): ```indicatorValue```, ```indicatorType```, ```creationTimeDateTimeUtc```, ```createdBy```, ```severity ``` and ```action ```.
-
+```
### Example 1
Get 10 latest Alerts with related Evidence:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
index fd93f154f6..49256a6cd9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
@@ -25,7 +25,6 @@ ms.technology: mde
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
## Overview
diff --git a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md
index 911867c4a9..97b76caa30 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md
@@ -22,14 +22,11 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
-
>[!NOTE]
>This action is taken by the MSSP.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
index 6dc62b4bce..091e9c45de 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
index 69c4d573a8..301115a087 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
@@ -23,8 +23,9 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-fixsensor-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
index dbf5eaff6a..097719cb86 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
index 7cb8b5fe76..d533b2e0e7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
@@ -19,10 +19,8 @@ ms.technology: mde
# Get alert related domain information API
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
index d590669188..2ecf612da3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
@@ -3,7 +3,7 @@ title: Get machine by ID API
description: Learn how to use the Get machine by ID API to retrieve a machine by its device ID or computer name in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, devices, entity, id
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,25 +12,25 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# Get machine by ID API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
[!include[Improve request performance](../../includes/improve-request-performance.md)]
+
## API description
Retrieves specific [Machine](machine.md) by its device ID or computer name.
@@ -41,7 +41,7 @@ Retrieves specific [Machine](machine.md) by its device ID or computer name.
## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
@@ -91,39 +91,29 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29
Here is an example of the response.
-```json
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2021-01-25T07:27:36.052313Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
+ "version": "1709",
"osProcessor": "x64",
- "version": "1901",
- "lastIpAddress": "10.166.113.46",
- "lastExternalIpAddress": "167.220.203.175",
- "osBuild": 19042,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "osBuild": 18209,
"healthStatus": "Active",
- "deviceValue": "Normal",
+ "rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
- "exposureLevel": "Low",
- "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
- "machineTags": [
- "Tag1",
- "Tag2"
- ],
- "ipAddresses": [
- {
- "ipAddress": "10.166.113.47",
- "macAddress": "8CEC4B897E73",
- "operationalStatus": "Up"
- },
- {
- "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
- "macAddress": "8CEC4B897E73",
- "operationalStatus": "Up"
- }
- ]
+ "exposureLevel": "Medium",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
}
+
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
index cc1ab0b0a4..cc2ba67cc2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
@@ -1,104 +1,103 @@
----
-title: List exposure score by device group
-description: Retrieves a list of exposure scores by device group.
-keywords: apis, graph api, supported apis, get, exposure score, device group, device group exposure score
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: levinec
-ms.author: ellevin
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List exposure score by device group
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of alerts related to a given domain address.
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-## HTTP request
-
-```
-GET /api/exposureScore/ByMachineGroups
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-
-Empty
-
-## Response
-
-If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body.
-
-## Example
-
-### Request
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/exposureScore/ByMachineGroups
-```
-
-### Response
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ExposureScore",
- "value": [
- {
- "time": "2019-12-03T09:51:28.214338Z",
- "score": 41.38041766305988,
- "rbacGroupName": "GroupOne"
- },
- {
- "time": "2019-12-03T09:51:28.2143399Z",
- "score": 37.403726933165366,
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
-}
-```
-
-## Related topics
-
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
+---
+title: List exposure score by device group
+description: Retrieves a list of exposure scores by device group.
+keywords: apis, graph api, supported apis, get, exposure score, device group, device group exposure score
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: levinec
+ms.author: ellevin
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List exposure score by device group
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
+
+[!include[Improve request performance](../../includes/improve-request-performance.md)]
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of alerts related to a given domain address.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+## HTTP request
+
+```
+GET /api/exposureScore/ByMachineGroups
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.microsoft.com/api/exposureScore/ByMachineGroups
+```
+
+### Response
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ExposureScore",
+ "value": [
+ {
+ "time": "2019-12-03T09:51:28.214338Z",
+ "score": 41.38041766305988,
+ "rbacGroupName": "GroupOne"
+ },
+ {
+ "time": "2019-12-03T09:51:28.2143399Z",
+ "score": 37.403726933165366,
+ "rbacGroupName": "GroupTwo"
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
index 965e6713b5..6c8c2a7aa0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
@@ -3,7 +3,7 @@ title: Get machine logon users API
description: Learn how to use the Get machine logon users API to retrieve a collection of logged on users on a device in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, device, log on, users
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,9 +12,8 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# Get machine logon users API
@@ -24,7 +23,7 @@ ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
@@ -87,7 +86,9 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29
Here is an example of the response.
-```json
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
index 8117a68e72..08e0a0643f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
@@ -3,7 +3,7 @@ title: Get machine related alerts API
description: Learn how to use the Get machine related alerts API to retrieve all alerts related to a specific device in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, devices, related, alerts
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,16 +12,14 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# Get machine related alerts API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -30,7 +28,6 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
## API description
Retrieves all [Alerts](alerts.md) related to a specific device.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
index 1f10ff8352..d836586aa9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
@@ -3,7 +3,7 @@ title: Get MachineAction object API
description: Learn how to use the Get MachineAction API to retrieve a specific Machine Action by its ID in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, machineaction object
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,16 +12,14 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# Get machineAction API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -77,7 +75,7 @@ If successful, this method returns 200, Ok response code with a [Machine Action]
Here is an example of the request.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
```
@@ -86,7 +84,9 @@ GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-42
Here is an example of the response.
-```json
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
"id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
index 5e58b291ac..33538ea489 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
@@ -3,7 +3,7 @@ title: List machineActions API
description: Learn how to use the List MachineActions API to retrieve a collection of Machine Actions in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, machineaction collection
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,9 +12,8 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# List MachineActions API
@@ -30,7 +29,6 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
## API description
Retrieves a collection of [Machine Actions](machineaction.md).
Supports [OData V4 queries](https://www.odata.org/documentation/).
@@ -82,7 +80,7 @@ If successful, this method returns 200, Ok response code with a collection of [m
Here is an example of the request on an organization that has three MachineActions.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/machineactions
```
@@ -91,7 +89,9 @@ GET https://api.securitycenter.microsoft.com/api/machineactions
Here is an example of the response.
-```json
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
index 9848b03416..863252fd1f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
@@ -3,7 +3,7 @@ title: List devices by software
description: Retrieve a list of devices that has this software installed.
keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,16 +12,14 @@ author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# List devices by software
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -30,7 +28,6 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieve a list of device references that has this software installed.
@@ -67,7 +64,7 @@ If successful, this method returns 200 OK and a list of devices with the softwar
Here is an example of the request.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machineReferences
```
@@ -76,6 +73,7 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machi
Here is an example of the response.
```json
+
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
index 9960369441..99a384d3b8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
@@ -3,7 +3,7 @@ title: List devices by vulnerability
description: Retrieves a list of devices affected by a vulnerability.
keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,9 +12,8 @@ author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# List devices by vulnerability
@@ -23,13 +22,12 @@ ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a list of devices affected by a vulnerability.
@@ -67,7 +65,7 @@ If successful, this method returns 200 OK with the vulnerability information in
Here is an example of the request.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/vulnerabilities/CVE-2019-0608/machineReferences
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
index f003837b6a..f2dd4772c8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
@@ -3,7 +3,7 @@ title: List machines API
description: Learn how to use the List machines API to retrieve a collection of machines that have communicated with Microsoft Defender ATP cloud.
keywords: apis, graph api, supported apis, get, devices
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,16 +12,14 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# List machines API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -30,15 +28,11 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
## API description
Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender for Endpoint cloud.
-
-Supports [OData V4 queries](https://www.odata.org/documentation/).
-
-The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
-
-See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md).
+ Supports [OData V4 queries](https://www.odata.org/documentation/).
+ The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
+ See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md)
## Limitations
@@ -58,8 +52,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>[!Note]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information).
->- Response will include only devices, that the user have access to, based on device group settings. For more info, see [Create and manage device groups](machine-groups.md).
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+>- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
@@ -95,44 +89,32 @@ GET https://api.securitycenter.microsoft.com/api/machines
Here is an example of the response.
-```json
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
"value": [
{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2021-01-25T07:27:36.052313Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
+ "version": "1709",
"osProcessor": "x64",
- "version": "1901",
- "lastIpAddress": "10.166.113.46",
- "lastExternalIpAddress": "167.220.203.175",
- "osBuild": 19042,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "osBuild": 18209,
"healthStatus": "Active",
- "deviceValue": "Normal",
+ "rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
- "exposureLevel": "Low",
- "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
- "machineTags": [
- "Tag1",
- "Tag2"
- ],
- "ipAddresses": [
- {
- "ipAddress": "10.166.113.47",
- "macAddress": "8CEC4B897E73",
- "operationalStatus": "Up"
- },
- {
- "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
- "macAddress": "8CEC4B897E73",
- "operationalStatus": "Up"
- }
- ]
- },
+ "exposureLevel": "Medium",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
+ }
...
]
}
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
index 55e5926931..e681c4545a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
@@ -4,7 +4,7 @@ description: Retrieve a collection of device security states using Microsoft Def
keywords: apis, graph api, supported apis, get, device, security, state
search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -13,9 +13,8 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Get Machines security states collection API
@@ -60,8 +59,9 @@ If successful - 200 OK.
Here is an example of the request.
-```http
+```
GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates
+Content-type: application/json
```
**Response**
@@ -69,7 +69,9 @@ GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates
Here is an example of the response.
Field *id* contains device id and equal to the field *id** in devices info.
-```json
+```
+HTTP/1.1 200 OK
+Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates",
"@odata.count":444,
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
index 6ea30bfe12..87a51d2dc8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
@@ -3,7 +3,7 @@ title: Get missing KBs by device ID
description: Retrieves missing security updates by device ID
keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,16 +12,14 @@ author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# Get missing KBs by device ID
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -30,11 +28,7 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-## API description
-Retrieves missing KBs (security updates) by device ID.
-
-## Limitations
-1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour.
+Retrieves missing KBs (security updates) by device ID
## HTTP request
@@ -62,7 +56,7 @@ If successful, this method returns 200 OK, with the specified device missing kb
Here is an example of the request.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
index 1dc5c674fc..0b757eed84 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
@@ -3,7 +3,7 @@ title: Get missing KBs by software ID
description: Retrieves missing security updates by software ID
keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,16 +12,14 @@ author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# Get missing KBs by software ID
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -30,7 +28,6 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
Retrieves missing KBs (security updates) by software ID
## Permissions
@@ -68,7 +65,7 @@ If successful, this method returns 200 OK, with the specified software missing k
Here is an example of the request.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/getmissingkbs
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
index 4f1ac453b5..aabc11d20d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
@@ -3,7 +3,7 @@ title: Get package SAS URI API
description: Use this API to get a URI that allows downloading an investigation package.
keywords: apis, graph api, supported apis, get package, sas, uri
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,16 +12,14 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# Get package SAS URI API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -30,7 +28,6 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
## API description
Get a URI that allows downloading of an [Investigation package](collect-investigation-package.md).
@@ -73,15 +70,19 @@ If successful, this method returns 200, Ok response code with object that holds
Here is an example of the request.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
+
```
**Response**
Here is an example of the response.
-```json
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String",
"value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
index f387acb401..8a6f9bd314 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
@@ -1,9 +1,9 @@
---
title: Get recommendation by Id
description: Retrieves a security recommendation by its ID.
-keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api
+keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,9 +12,8 @@ author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# Get recommendation by ID
@@ -67,7 +66,7 @@ If successful, this method returns 200 OK with the security recommendations in t
Here is an example of the request.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
index 51e132bc98..a4088c53db 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
@@ -1,9 +1,9 @@
---
title: List devices by recommendation
-description: Retrieves a list of devices associated with the security recommendation.
-keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api
+description: Retrieves a list of devices associated with the security recommendation.
+keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,9 +12,8 @@ author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# List devices by recommendation
@@ -23,13 +22,12 @@ ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a list of devices associated with the security recommendation.
@@ -67,7 +65,7 @@ If successful, this method returns 200 OK with the list of devices associated wi
Here is an example of the request.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/machineReferences
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
index 4bd6667873..08e690c094 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
@@ -1,9 +1,9 @@
---
title: Get recommendation by software
description: Retrieves a security recommendation related to a specific software.
-keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
+keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,9 +12,8 @@ author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# Get recommendation by software
@@ -23,7 +22,7 @@ ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
@@ -67,7 +66,7 @@ If successful, this method returns 200 OK with the software associated with the
Here is an example of the request.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/software
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
index 9369763a13..5db01dafa2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
@@ -1,9 +1,9 @@
---
title: List vulnerabilities by recommendation
description: Retrieves a list of vulnerabilities associated with the security recommendation.
-keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api
+keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,9 +12,8 @@ author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# List vulnerabilities by recommendation
@@ -23,13 +22,12 @@ ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a list of vulnerabilities associated with the security recommendation.
@@ -67,7 +65,7 @@ If successful, this method returns 200 OK, with the list of vulnerabilities asso
Here is an example of the request.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
index ad4bf78d93..ba78b38a52 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
@@ -3,7 +3,7 @@ title: Get security recommendations
description: Retrieves a collection of security recommendations related to a given device ID.
keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,9 +12,8 @@ author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# Get security recommendations
@@ -23,7 +22,7 @@ ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
@@ -31,12 +30,8 @@ ms.technology: mde
[!include[Prerelease information](../../includes/prerelease.md)]
-## API description
Retrieves a collection of security recommendations related to a given device ID.
-## Limitations
-1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour.
-
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
@@ -70,7 +65,7 @@ If successful, this method returns 200 OK with the security recommendations in t
Here is an example of the request.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
```
@@ -79,7 +74,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4
Here is an example of the response.
-```json
+```
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
index 02fc552fb6..f7b1637a35 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
@@ -1,9 +1,9 @@
---
title: Get software by Id
-description: Retrieves a list of sofware by ID.
+description: Retrieves a list of exposure scores by device group.
keywords: apis, graph api, supported apis, get, software, mdatp tvm api
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,16 +12,14 @@ author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# Get software by Id
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -30,7 +28,6 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves software details by ID.
@@ -67,7 +64,7 @@ If successful, this method returns 200 OK with the specified software data in th
Here is an example of the request.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge
```
@@ -76,6 +73,7 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge
Here is an example of the response.
```json
+
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software/$entity",
"id": "microsoft-_-edge",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
index 160a0a15ef..f2eb40ffa3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
@@ -1,9 +1,9 @@
---
-title: List software version distribution
-description: Retrieves a list of your organization's software version distribution
+title: List software version distribution
+description: Retrieves a list of your organization's software version distribution
keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,16 +12,14 @@ author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# List software version distribution
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -30,7 +28,6 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a list of your organization's software version distribution.
@@ -67,7 +64,7 @@ If successful, this method returns 200 OK with a list of software distributions
Here is an example of the request.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distributions
```
@@ -76,6 +73,7 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distr
Here is an example of the response.
```json
+
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Distributions",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
index efa72bf72c..301708d92d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
@@ -3,7 +3,7 @@ title: List software
description: Retrieves a list of software inventory
keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,16 +12,14 @@ author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# List software inventory API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -30,7 +28,6 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
Retrieves the organization software inventory.
## Permissions
@@ -66,7 +63,7 @@ If successful, this method returns 200 OK with the software inventory in the bod
Here is an example of the request.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/Software
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
index d001d2e89f..3582717501 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
@@ -5,7 +5,7 @@ description: Learn the steps and requirements to integrate your solution with Mi
keywords: partner, integration, solution validation, certification, requirements, member, misa, application portal
search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -14,18 +14,19 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
+ms.collection: M365-security-compliance
+ms.topic: conceptual
---
# Become a Microsoft Defender for Endpoint partner
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
+**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
To become a Defender for Endpoint solution partner, you'll need to follow and complete the following steps.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
index c2b55547ff..c58fc04d84 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
@@ -3,7 +3,7 @@ title: List Indicators API
description: Learn how to use the List Indicators API to retrieve a collection of all active Indicators in Microsoft Defender Advanced Threat Protection.
keywords: apis, public api, supported apis, Indicators collection
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,16 +12,14 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# List Indicators API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -78,7 +76,7 @@ If successful, this method returns 200, Ok response code with a collection of [I
Here is an example of a request that gets all Indicators
-```http
+```
GET https://api.securitycenter.microsoft.com/api/indicators
```
@@ -86,7 +84,9 @@ GET https://api.securitycenter.microsoft.com/api/indicators
Here is an example of the response.
-```json
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
"value": [
@@ -139,7 +139,7 @@ Here is an example of the response.
Here is an example of a request that gets all Indicators with 'AlertAndBlock' action
-```http
+```
GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'AlertAndBlock'
```
@@ -147,7 +147,9 @@ GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'A
Here is an example of the response.
-```json
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
index ecbc146a9e..7d9e81fca1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
@@ -3,7 +3,7 @@ title: Get user information API
description: Learn how to use the Get user information API to retrieve a User entity by key, or user name, in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, user, user information
search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -12,9 +12,8 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
-ms.technology: mde
---
# Get user information API
@@ -29,7 +28,7 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Retrieve a User entity by key (user name).
## Permissions
@@ -64,8 +63,9 @@ If successful and user exists - 200 OK with [user](user.md) entity in the body.
Here is an example of the request.
-```http
+```
GET https://api.securitycenter.microsoft.com/api/users/user1
+Content-type: application/json
```
**Response**
@@ -73,7 +73,9 @@ GET https://api.securitycenter.microsoft.com/api/users/user1
Here is an example of the response.
-```json
+```
+HTTP/1.1 200 OK
+Content-type: application/json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity",
"id": "user1",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
index 7dd1dd5614..92e59213ed 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
@@ -20,7 +20,7 @@ ms.collection:
- m365solution-scenario
ms.topic: article
ms.custom: migrationguides
-ms.date: 02/11/2021
+ms.date: 02/18/2021
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
@@ -115,7 +115,7 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d
Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
1. Open Registry Editor, and then navigate to
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
+ `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
index 7a8260a7b2..b0fe2b8a22 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -30,7 +30,7 @@ ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Deploying Defender for Endpoint is a three-phase process:
@@ -249,6 +249,5 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https:
> As a cloud-based solution, the IP address range can change. It's recommended you move to DNS resolving setting.
## Next step
-|||
-|:-------|:-----|
-| [Phase 3: Onboard](onboarding.md) | Onboard devices to the service so that the Microsoft Defender for Endpoint service can get sensor data from them.
+
+ [Phase 3: Onboard](onboarding.md): Onboard devices to the service so that the Microsoft Defender for Endpoint service can get sensor data from them.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
index 35a7268949..bed5597bce 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@@ -27,8 +27,8 @@ ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
index 08da2fb3c0..3b4e3677f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
@@ -27,7 +27,7 @@ ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Before you begin:
@@ -51,7 +51,7 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**:
- 
+ 
7. Choose the events you want to stream and click **Save**.
@@ -95,7 +95,7 @@ To get the data types for event properties do the following:
- Here is an example for Device Info event:
- 
+ 
## Related topics
- [Overview of Advanced Hunting](advanced-hunting-overview.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
index 016fe59de6..0b8aaf517a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
@@ -24,10 +24,9 @@ ms.technology: mde
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Before you begin:
@@ -49,7 +48,7 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**:
- 
+ 
7. Choose the events you want to stream and click **Save**.
@@ -57,7 +56,7 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
- A blob container will be created for each event type:
- 
+ 
- The schema of each row in a blob is the following JSON:
@@ -94,7 +93,7 @@ In order to get the data types for our events properties do the following:
- Here is an example for Device Info event:
- 
+ 
## Related topics
- [Overview of Advanced Hunting](advanced-hunting-overview.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
index 6ff321c4c2..98400242b3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
@@ -22,12 +22,10 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Stream Advanced Hunting events to Event Hubs and/or Azure storage account.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/rbac.md b/windows/security/threat-protection/microsoft-defender-atp/rbac.md
index 3b41b0af7b..b5bc0c196d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/rbac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/rbac.md
@@ -26,8 +26,10 @@ ms.technology: mde
- Azure Active Directory
- Office 365
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-rbac-abovefoldlink)
+
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-rbac-abovefoldlink)
Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can see and do.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
index 8b43795c76..a79f5f4029 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index 315047b17b..d3a21ba3a1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -24,7 +24,6 @@ ms.technology: mde
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
[!include[Prerelease information](../../includes/prerelease.md)]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
index 04e022b88d..45004c7b04 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
@@ -22,7 +22,6 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
index 0bbd14dfc5..fac76273f1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
@@ -21,6 +21,9 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
@@ -31,6 +34,7 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
+
## API description
Restrict execution of all applications on the device except a predefined set.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
index 7c65cd23e5..3c45e7a6ad 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
@@ -25,7 +25,6 @@ ms.technology: mde
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
index 3d998f112b..672ca68dd2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
@@ -24,12 +24,13 @@ ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
[!include[Improve request performance](../../includes/improve-request-performance.md)]
+
Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md).
In this section, we share PowerShell samples to retrieve a token and use it to run a query.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
index d48747a4ee..f8160dceca 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
@@ -22,7 +22,6 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -31,6 +30,7 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
+
Run advanced queries using Python, see [Advanced Hunting API](run-advanced-query-api.md).
In this section, we share Python samples to retrieve a token and use it to run a query.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
index e57ab8cdb4..391ed99e1c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
@@ -21,7 +21,6 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -30,7 +29,6 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
## API description
Initiate Microsoft Defender Antivirus scan on a device.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
index 4972dbb989..e4acca12b4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
@@ -32,7 +32,9 @@ ms.technology: mde
- Windows Server, version 1803
- Windows Server, 2019
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Run the following PowerShell script on a newly onboarded device to verify that it is properly reporting to the Defender for Endpoint service.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md
index 53e562a73f..99c8566590 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/score.md
@@ -22,9 +22,11 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
index 897caae4d4..366f94269c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
@@ -21,6 +21,9 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md
index 57abac6d07..d158ad400f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/software.md
@@ -21,6 +21,9 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
index b014a28500..f39ff29d54 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
@@ -21,7 +21,6 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md
index a035ccb910..750fbb2666 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md
@@ -25,7 +25,15 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
# Switch to Microsoft Defender for Endpoint - Phase 3: Onboard
-|[](switch-to-microsoft-defender-prepare.md) [Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |[](switch-to-microsoft-defender-setup.md) [Phase 2: Set up](switch-to-microsoft-defender-setup.md) | Phase 3: Onboard |
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+|[](switch-to-microsoft-defender-prepare.md) [Phase 1: Prepare2](switch-to-microsoft-defender-prepare.md) |[](switch-to-microsoft-defender-setup.md) [Phase 2: Set up2](switch-to-microsoft-defender-setup.md) | Phase 3: Onboard |
+|[](switch-to-microsoft-defender-prepare.md) [Phase 1: Prepare4](switch-to-microsoft-defender-prepare.md) |[](switch-to-microsoft-defender-setup.md) [Phase 2: Set up](switch-to-microsoft-defender-setup.md) | Phase 3: Onboard |
+
|--|--|--|
|| |*You are here!* |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md
index f014d6735b..dcc7c80896 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md
@@ -25,7 +25,15 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
# Switch to Microsoft Defender for Endpoint - Phase 1: Prepare
-| Phase 1: Prepare |[](switch-to-microsoft-defender-setup.md) [Phase 2: Set up](switch-to-microsoft-defender-setup.md) |[](switch-to-microsoft-defender-onboard.md) [Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+| Phase 1: Prepare |[](switch-to-microsoft-defender-setup.md) [Phase 2: Set up2](switch-to-microsoft-defender-setup.md) |[](switch-to-microsoft-defender-onboard.md) [Phase 3: Onboard2](switch-to-microsoft-defender-onboard.md) |
+| Phase 1: Prepare |[](switch-to-microsoft-defender-setup.md) [Phase 2: Set up4](switch-to-microsoft-defender-setup.md) |[](switch-to-microsoft-defender-onboard.md) [Phase 3: Onboard4](switch-to-microsoft-defender-onboard.md) |
+
|--|--|--|
|*You are here!*| | |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
index 1c9d5914a9..8fdd6ac986 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
@@ -19,13 +19,20 @@ ms.collection:
- m365solution-migratetomdatp
ms.topic: article
ms.custom: migrationguides
-ms.date: 02/11/2021
+ms.date: 02/18/2021
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
# Switch to Microsoft Defender for Endpoint - Phase 2: Setup
-|[](switch-to-microsoft-defender-prepare.md) [Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) | Phase 2: Set up |[](switch-to-microsoft-defender-onboard.md) [Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+|[](switch-to-microsoft-defender-prepare.md) [Phase 1: Prepare2](switch-to-microsoft-defender-prepare.md) | Phase 2: Set up |[](switch-to-microsoft-defender-onboard.md) [Phase 3: Onboard2](switch-to-microsoft-defender-onboard.md) |
+|[](switch-to-microsoft-defender-prepare.md) [Phase 1: Prepare4](switch-to-microsoft-defender-prepare.md) | Phase 2: Set up |[](switch-to-microsoft-defender-onboard.md) [Phase 3: Onboard4](switch-to-microsoft-defender-onboard.md) |
|--|--|--|
||*You are here!* | |
@@ -93,7 +100,7 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d
Because your organization is still using your existing endpoint protection solution, you must set Microsoft Defender Antivirus to passive mode. That way, your existing solution and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
1. Open Registry Editor, and then navigate to
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
+ `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
- Set the DWORD's value to **1**.
- Under **Base**, select **Hexadecimal**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
index 9c5fa1bbb5..a3decded8f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
@@ -27,6 +27,12 @@ ms.reviewer: depicker, yongrhee, chriggs
# Migrate from Symantec to Microsoft Defender for Endpoint
If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide.
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
:::image type="content" source="images/symantec-mde-migration.png" alt-text="Overview of migrating from Symantec to Defender for Endpoint":::
When you make the switch from Symantec to Defender for Endpoint, you begin with your Symantec solution in active mode, configure Defender for Endpoint in passive mode, onboard to Defender for Endpoint, and then set Defender for Endpoint to active mode and remove Symantec.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
index 0a2b297d72..0b8c881393 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
@@ -25,6 +25,15 @@ ms.reviewer: depicker, yongrhee, chriggs
# Migrate from Symantec - Phase 3: Onboard to Microsoft Defender for Endpoint
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
|[](symantec-to-microsoft-defender-atp-prepare.md) [Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |[](symantec-to-microsoft-defender-atp-setup.md) [Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) | Phase 3: Onboard |
|--|--|--|
|| |*You are here!* |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
index 2b72584931..4195304f83 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
@@ -25,6 +25,15 @@ ms.reviewer: depicker, yongrhee, chriggs
# Migrate from Symantec - Phase 1: Prepare for your migration
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
| Phase 1: Prepare |[](symantec-to-microsoft-defender-atp-setup.md) [Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |[](symantec-to-microsoft-defender-atp-onboard.md) [Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
|--|--|--|
|*You are here!*| | |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
index 9224748cb5..c9823a17ab 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
@@ -18,13 +18,22 @@ ms.collection:
- M365-security-compliance
- m365solution-symantecmigrate
ms.topic: article
-ms.date: 02/11/2021
+ms.date: 02/18/2021
ms.custom: migrationguides
ms.reviewer: depicker, yongrhee, chriggs
---
# Migrate from Symantec - Phase 2: Set up Microsoft Defender for Endpoint
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
|[](symantec-to-microsoft-defender-atp-prepare.md) [Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) | Phase 2: Set up |[](symantec-to-microsoft-defender-atp-onboard.md) [Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
|--|--|--|
||*You are here!* | |
@@ -80,7 +89,7 @@ Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll
Because your organization is still using Symantec, you must set Microsoft Defender Antivirus to passive mode. That way, Symantec and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
1. Open Registry Editor, and then navigate to
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
+ `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
- Set the DWORD's value to **1**.
- Under **Base**, select **Hexadecimal**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md
index d65629d1ca..ef1e4801c8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md
@@ -25,6 +25,10 @@ ms.technology: mde
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Each [threat analytics report](threat-analytics.md) includes dynamic sections and a comprehensive written section called the _analyst report_. To access this section, open the report about the tracked threat and select the **Analyst report** tab.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
index fb8f606070..1e5cfd7dc1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
@@ -27,6 +27,9 @@ ms.technology: mde
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
With more sophisticated adversaries and new threats emerging frequently and prevalently, it's critical to be able to quickly:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
index 5580c259e4..1e91ad143b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
@@ -26,6 +26,7 @@ ms.technology: mde
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
index 07cd63cd6f..b779e7d95a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
@@ -22,9 +22,9 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
index 008d62b7e0..291206bd32 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
@@ -24,8 +24,10 @@ ms.technology: mde
**Applies to:**
-
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## Integrate with other Microsoft solutions
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index 3bcba3890f..6b859eac3c 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -22,6 +22,14 @@ Microsoft is committed to optimizing the security of its products and services.
The product releases below are currently certified against the cited Protection Profile, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/). The Security Target describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The Administrative Guide provides guidance on configuring the product to match the evaluated configuration. The Certification Report or Validation Report documents the results of the evaluation by the validation team, with the Assurance Activity Report providing details on the evaluator's actions.
+### Microsoft Windows Server, Windows 10 version 1909 (November 2019 Update), Microsoft Windows Server 2019 (version 1809) Hyper-V
+Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization.
+
+- [Security Target](https://download.microsoft.com/download/5/f/6/5f6efbb4-88a0-4161-953d-de07450b7107/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Security%20Target.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/7/5/0/750db292-f3d3-48c9-9557-aa64237a0e22/Virtualization%201909%20Administrative%20Guide.pdf)
+- [Validation Report](https://download.microsoft.com/download/4/7/6/476ca991-631d-4943-aa89-b0cd4f448d14/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Validation%20Report.pdf)
+- [Assurance Activities Report](https://download.microsoft.com/download/3/b/4/3b4818d8-62a1-4b8d-8cb4-9b3256564355/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Assurance%20Activity%20Report.pdf)
+
### Microsoft Windows 10 and Windows Server (November 2019 Update, version 1909)
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients.